All news with #api keys tag

Amazon Location Service adds granular API key restrictions

🔒 AWS has introduced enhanced API key restrictions for Amazon Location Service to help developers secure location-based applications. Keys can now be bound to specific Android applications using package names and SHA-1 certificate fingerprints, or to iOS apps using Bundle IDs, enabling separate keys for testing and production. The feature is available in multiple AWS Regions and is configurable via the console or APIs. This reduces the risk of key misuse and enforces app-level access control.

Token Theft Fuels SaaS Breaches — Security Teams Must Act

🔐 Token theft is now a primary vector for SaaS breaches, with stolen OAuth, API keys, and session tokens enabling attackers to bypass MFA and access integrated services. High-profile incidents from 2023 to 2025 show how a single unrotated token can compromise code, secrets, or customer data across platforms. Teams should prioritize discovery, continuous monitoring, and strict token hygiene—rotation, least-privilege scopes, approval workflows, and prompt revocation.

GitHub Tightens npm Security: Mandatory 2FA, Token Limits

🔒 GitHub is implementing stronger defenses for the npm ecosystem after recent supply-chain attacks that compromised repositories and spread to package registries. The platform will require 2FA for local publishing, shorten token lifetimes to seven days, deprecate classic tokens and TOTP in favor of FIDO/WebAuth, and promote trusted publishing. Changes will roll out gradually with documentation and migration guides to reduce disruption.

Cloudflare AI Gateway updates: unified billing, routing

🤖 Cloudflare’s AI Gateway refresh centralizes AI traffic management, offering unified billing, secure key storage, dynamic routing, and built-in security through a single endpoint. The update integrates Cloudflare Secrets Store for AES-encrypted BYO keys, provides an automatic normalization layer for requests/responses across providers, and introduces dashboard-driven Dynamic Routes for traffic splits, chaining, and limits. Native Firewall DLP scanning and configurable profiles add data protection controls, while partner access to 350+ models across six providers and a credits-based billing beta simplify procurement and cost management.

LLMs Remain Vulnerable to Malicious Prompt Injection Attacks

🛡️ A recent proof-of-concept by Bargury demonstrates a practical and stealthy prompt injection that leverages a poisoned document stored in a victim's Google Drive. The attacker hides a 300-word instruction in near-invisible white, size-one text that tells an LLM to search Drive for API keys and exfiltrate them via a crafted Markdown URL. Schneier warns this technique shows how agentic AI systems exposed to untrusted inputs remain fundamentally insecure, and that current defenses are inadequate against such adversarial inputs.