#aws

This week, Joe laments on 2025, and what we can think of in 2026 in the wild world of cybersecurity.

## Summary S3 Encryption Client for PHP is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3. When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible Salamanders" attack (https://eprint.iacr.org/2019/016), which could allow the EDK to be replaced with a new key. ## Impact ### Background - Key Commitment There is a cryptographic property whereby under certain conditions, a single ciphertext can be decrypted into 2 different plaintexts by using different encryption keys. To address this issue, strong encryption schemes use what is known as "key commitment", a process by which an encrypted message can only be decrypted by one key; the key used to originally encrypt the message. In older versions of S3EC, when customers are also using a feature called "Instruction File" to store EDKs, key commitment is not implemented because multiple EDK...

## Summary S3 Encryption Client for Ruby is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3. When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible Salamanders" attack (https://eprint.iacr.org/2019/016), which could allow the EDK to be replaced with a new key. ## Impact ### Background - Key Commitment There is a cryptographic property whereby under certain conditions, a single ciphertext can be decrypted into 2 different plaintexts by using different encryption keys. To address this issue, strong encryption schemes use what is known as "key commitment", a process by which an encrypted message can only be decrypted by one key; the key used to originally encrypt the message. In older versions of S3EC, when customers are also using a feature called "Instruction File" to store EDKs, key commitment is not implemented because multiple ED...

## Summary S3 Encryption Client for Go is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3. When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible Salamanders" attack (https://eprint.iacr.org/2019/016), which could allow the EDK to be replaced with a new key. ## Impact ### Background - Key Commitment There is a cryptographic property whereby under certain conditions, a single ciphertext can be decrypted into 2 different plaintexts by using different encryption keys. To address this issue, strong encryption schemes use what is known as "key commitment", a process by which an encrypted message can only be decrypted by one key; the key used to originally encrypt the message. In older versions of S3EC, when customers are also using a feature called "Instruction File" to store EDKs, key commitment is not implemented because multiple EDK...

## Summary S3 Encryption Client for Java is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3. When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible Salamanders" attack (https://eprint.iacr.org/2019/016), which could allow the EDK to be replaced with a new key. ## Impact ### Background - Key Commitment There is a cryptographic property whereby under certain conditions, a single ciphertext could be decrypted into 2 different plaintexts by using different encryption keys. To address this issue, strong encryption schemes use what is known as "key commitment", a process by which an encrypted message can only be decrypted by one key; the key used to originally encrypt the message. In older versions of S3EC, when customers are also using a feature called "Instruction File" to store EDKs, key commitment is not implemented because multiple E...

## Summary S3 Encryption Client for .NET (S3EC) is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3. When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible Salamanders" attack (https://eprint.iacr.org/2019/016), which could allow the EDK to be replaced with a new key. ## Impact ### Background - Key Commitment There is a cryptographic property whereby under certain conditions, a single ciphertext can be decrypted into 2 different plaintexts by using different encryption keys. To address this issue, strong encryption schemes use what is known as "key commitment", a process by which an encrypted message can only be decrypted by one key; the key used to originally encrypt the message. In older versions of S3EC, when customers are also using a feature called "Instruction File" to store EDKs, key commitment is not implemented because mul...

This week’s ThreatsDay Bulletin tracks how attackers keep reshaping old tools and finding new angles in familiar systems. Small changes in tactics are stacking up fast, and each one hints at where the next big breach could come from. From shifting infrastructures to clever social hooks, the week’s activity shows just how fluid the threat landscape has become. Here’s the full rundown of what

Threat actors wielding stolen AWS Identity and Access Management (IAM) credentials leverage Amazon EC and EC2 infrastructure across multiple customer environments.

A “purchase order” PDF blocked by Malwarebytes led to a credential-harvesting phishing site. So we analyzed the attack and where the data went next.

## Summary The `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows **unauthenticated arbitrary file read** during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter. **Severity:** High **Attack Vector:** Network **Privileges Required:** None **Scope:** Development mode only (`vite dev`) --- ## Impact ### Who Is Affected? - **All developers** using `@vitejs/plugin-rsc` during development - Projects running `vite dev` with the RSC plugin enabled ### Attack Scenarios 1. **Network-Exposed Dev Servers:** When developers run `vite --host 0.0.0.0` (common for mobile testing), attackers on the same network can read files. 2. ~**XSS-Based Attacks:**~ ~If the application has an XSS vulnerability, malicious JavaScript can fetch sensitive files and exfiltrate them.~ 3. ~**Malicious Dependencies:** ~ ~A compromised npm package could incl...