AWS Expands Capabilities; Cisco Zero‑Day Exploited; AI Agent Risks

Cloud platforms rolled out new capabilities that affect how developers operate and secure workloads, while defenders contended with active exploitation in popular software and sustained supply-chain abuse. The day also brought fresh guidance on locking down AI-driven automation in CI/CD and multi-agent systems, alongside reports of long-running intrusions and consumer devices being repurposed as proxy infrastructure.

AWS Expands Control, Scale, and GovCloud Capabilities

AWS Bedrock extended AgentCore Runtime with an interactive shell API that opens persistent, PTY-backed terminals into running agent sessions over WebSocket. Sessions maintain environment variables, working directories, and command history, support terminal features like colors, tab completion, Ctrl+C, and resizing, and can auto-reconnect on brief drops. A runtime allows up to 10 concurrent shells tracked by session and shell IDs, enabling parallel debugging and inspection for teams hosting coding agents such as Claude Code, OpenAI Codex, or Amazon Kiro. Developers can begin via the AgentCore CLI and consult documentation comparing interactive versus one-shot execution.

AWS GovCloud now supports IAM-based authorization for Amazon S3 Tables and Apache Iceberg materialized views through the AWS Glue Data Catalog. Administrators can define storage, catalog, and query-engine permissions in a single IAM policy, streamlining use with Amazon Athena, Amazon EMR, Amazon Redshift, and AWS Glue. Organizations needing finer controls can still opt into AWS Lake Formation. The release reduces operational complexity and misconfiguration risk while aligning data lake management with standard IAM practice for regulated U.S. government environments.

OpenSearch UI has arrived in AWS GovCloud (US-East and US-West), bringing Workspaces for team collaboration and a redesigned Discover interface that unifies log exploration across PPL, SQL, DQL, and Lucene. The UI adds a data selector for multi-source analysis, refreshed visuals, and autocomplete to speed investigations. Notably, the latest UI features are available regardless of the underlying domain or collection version, helping GovCloud customers standardize observability, security analytics, and search workflows.

ECS Fargate now supports 32 vCPU task configurations with 60 GiB, 120 GiB, or 244 GiB memory options across x86 and ARM Linux. Available on Fargate and Fargate Spot in all commercial Regions and AWS GovCloud (US), the sizes target compute-intensive needs such as HPC, large-scale data processing, and AI inference. Existing Compute Savings Plans apply, extending serverless operational benefits to larger single-task workloads.

MCP Server for the Agent Toolkit for AWS added cross-account and cross-role access. AI coding agents can specify an AWS profile per command and operate across multiple accounts and IAM roles within a single session, removing prior stop-and-restart friction. Each request explicitly indicates the profile, reducing the risk of changes in the wrong account. The feature is available in US East (N. Virginia) and Europe (Frankfurt), with adoption guidance in the user guide.

Active Exploitation and Patching Priorities

Everest Forms Pro users face active attacks exploiting CVE-2026-3300, a critical RCE in the plugin’s Complex Calculation feature. The feature constructed PHP via eval() using inadequately sanitized form inputs, allowing code injection. Wordfence telemetry shows widespread exploitation since April 13, including the creation of administrator accounts. The issue was reported in February and patched March 18. Site owners are urged to update immediately, audit logs and admin users, remove backdoors, and consider blocking known attacking IPs.

Cisco SD‑WAN Manager (vManage) is affected by an actively exploited zero‑day, CVE‑2026‑20245, enabling local privilege escalation to root via insufficient validation of user-supplied input. Attackers with netadmin-level access can upload a crafted file to trigger command injection, with observed incidents and indicators including suspicious tenant list uploads logged in /var/log/scripts.log. No patch is available; Cisco advises applying May 14 fixes for related CVE‑2026‑20182, generating admin‑tech logs, and engaging TAC while monitoring for IOCs.

Serv‑U DoS (CVE‑2026‑28318) is being exploited to crash SolarWinds Serv‑U via unauthenticated POST requests using Content‑Encoding: deflate. SolarWinds released Serv‑U 15.5.4 Hotfix 1 and suggested interim mitigations such as restricting access and blocking POST requests containing “content‑encoding.” CISA added the flaw to KEV and directed FCEB agencies to patch by June 19. Given low complexity and unauthenticated exploitation, organizations should prioritize the hotfix or apply mitigations to prevent service disruption.

Supply Chain and Agentic AI Risks

Miasma Worm disrupted 73 repositories across multiple Microsoft GitHub organizations by re‑compromising the durabletask package and committing malicious payloads directly to repos. The self‑replicating campaign used staged loaders designed to auto‑execute via developer tools and AI coding agents, exploiting the trust model of maintainers and signing rather than platform bugs. The incident highlights the need to validate provenance and respond decisively to credential compromises.

Microsoft Blog detailed a vulnerability in Anthropic’s Claude Code GitHub Action where inconsistent sandboxing let the in‑process Read tool access /proc/self/environ and exfiltrate secrets from CI/CD runners via prompt‑injection. Reported April 29, Anthropic mitigated the issue May 5 (Claude Code 2.1.128) by blocking sensitive /proc access. The post recommends treating AI workflows that process untrusted inputs and hold secrets as high‑risk, and adopting hardening across execution, credential protection, and exfiltration prevention.

CSO Online covered research showing how a malicious npm package can rewrite ~/.claude.json to redirect Claude Code’s MCP traffic, capturing plaintext OAuth tokens for services like Jira, Confluence, and GitHub. Because requests then originate from Anthropic egress IPs, activity can appear legitimate. Mitiga reported the issue April 10; no vendor patch is provided. Teams should monitor ~/.claude.json for changes, treat npm post‑install hooks as a supply‑chain risk, and rotate tokens alongside cleanup.

FFmpeg Bugs were uncovered by an autonomous AI agent that produced 21 confirmed zero‑days with PoCs across ~1.5M lines of code, while Google shipped Chrome 149 addressing a record 429 security issues, including a high‑severity ANGLE OOB flaw. The report ties increased bug discovery rates to AI‑assisted submissions and underscores the operational need to promptly patch FFmpeg across embedded uses and ensure Chrome is updated.

Microsoft AI updated its taxonomy of agentic AI failure modes with seven additional categories, including agentic supply‑chain compromise, goal hijacking, inter‑agent trust escalation, visual attacks on computer‑use agents, session context contamination, MCP/plugin abuse, and capability/architecture disclosure. Recommendations include per‑agent SBOMs, cryptographic identity verification, expanding red‑team matrices, and treating human‑in‑the‑loop functions as auditable controls.

Intrusions, Social Engineering, and Device Proxies

UNC5221 (VerdantBamboo) maintained long‑term access using the Brickstorm backdoor and new implants Plenet and AgentPSD after an initial Egnyte Storage Sync compromise. The actor reached Microsoft 365, reconfigured VPN access, and deployed tooling to Synology NAS and a retired GroupWise server over an at least 18‑month period. Brickstorm has evolved from Golang to Rust variants; Plenet is a cross‑platform .NET backdoor with WebSocket C2, and AgentPSD is a Python reverse shell. Researchers published IOCs to aid detection.

Silent Ransom Group (UNC3753) targeted U.S. law firms and professional services orgs with callback phishing and fake IT support calls that led to installing RMM tools such as AnyDesk, Zoho Assist, Bomgar, or SuperOps. Operators rapidly exfiltrated legal and financial documents and issued extortion demands, using techniques including self‑destructing messages and residential proxy infrastructure. Mitigations include strict verification of IT requests, limiting remote‑access tools, enforcing MFA, and training against voice‑based social engineering.

Bright Data’s embedded SDK in free apps enables consumer devices—especially always‑on smart TVs—to function as exit nodes for web scraping. Researchers found consent dialogs that understate capabilities, peer tunnels lacking robust authentication, and iOS behavior that can bypass VPNs and run in the background with high bandwidth allowances. Suggested defenses include blocking SDK domains at the router and auditing apps for the SDK, with the caveat that mobile connections may evade local blocks.