Security research and incident response reporting highlighted how AI-enabled tactics are accelerating cloud compromise and expanding the blast radius into ML systems. Sysdig described an incident in which attackers used exposed credentials in public AWS S3 buckets to escalate from initial access to full administrative privileges in under 10 minutes, then moved laterally across identities, exfiltrated data from multiple AWS services, and injected malicious code into AWS Lambda. The activity also included attempts to monetize access by running AI workloads through Amazon Bedrock and attempting GPU hijacking in EC2, creating potential for significant cloud cost impact; AWS characterized the root cause as S3 misconfiguration/credential exposure rather than an AWS infrastructure flaw.
Mitiga reported a separate real-world investigation where a threat actor exploited a path traversal flaw in an AI-enabled file upload/summarization web application to overwrite production training data in an S3 bucket feeding an automated SageMaker retraining pipeline. The poisoned dataset introduced subtle label inconsistencies and a trigger pattern that, after retraining and deployment, enabled the attacker to reliably induce anomalous model behavior with crafted inputs—effectively a persistent training data poisoning compromise of a production AI endpoint. In contrast, Kiuwan’s post is primarily a general advisory on AI development supply-chain visibility risks (e.g., unvetted dependencies introduced by LLM coding assistants) and does not describe the same specific incidents or provide incident-specific indicators.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
On 2026-02-10, Sysdig disclosed details of the November 2025 AWS breach, warning that AI-enabled attacks are compressing intrusion timelines and increasing impact. AWS responded that the incident stemmed from S3 misconfiguration rather than an AWS infrastructure flaw and stressed basic cloud security hygiene.
On 2026-02-10, Mitiga published its analysis of the AI training pipeline compromise, describing it as an AI supply-chain attack in which a web application flaw cascaded into ML integrity failure. The report recommended layered controls around data integrity, IAM scoping, monitoring, and zero-trust network design.
The malicious dataset triggered retraining through S3 event notifications and EventBridge, resulting in a model with subtle label noise and an embedded trigger pattern being deployed to a live SageMaker endpoint. The backdoor allowed attacker-controlled false positives or false negatives when specially crafted inputs were submitted at inference time.
In a real-world incident disclosed by Mitiga, an attacker exploited a path traversal flaw in an AI-enabled file upload application to write a tampered dataset into a production S3 bucket. Overly broad IAM permissions allowed the poisoned data to reach an automated Amazon SageMaker retraining pipeline.
After obtaining administrative control in the November 2025 breach, the attackers moved laterally across identities, accessed sensitive data in multiple AWS services, injected malicious code into AWS Lambda functions, and attempted to run AI workloads through Amazon Bedrock and hijack EC2 GPU resources.
In November 2025, attackers used credentials exposed in public S3 buckets to gain initial access to an AWS environment and escalate to full administrative privileges in under 10 minutes. Sysdig said the activity showed signs of large language model assistance, including automated reconnaissance, code generation, and rapid decision-making.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.