The Shocking Speed of AWS Key Exploitation

December 9, 2024

It is not uncommon for developers at major enterprises to inadvertently expose their AWS access keys, and it is not uncommon for threat actors to discover this and take advantage, scraping the keys to gain unauthorized access to sensitive assets. What has changed in recent years is the speed at which these exposures are exploited. A group of security researchers recently put this to the test, and the results are interesting to examine. The test was simple: sets of AWS keys were put together and intentionally leaked on a number of common platforms, including GitHub and GitLab, Docker Hub, npm, PyPI, Crates.io, Pastebin, Stack Overflow, Quora, and Reddit. These platforms were then tracked to see how long it took for the keys to be discovered and used.

The results showed that AWS keys leaked on GitHub and Docker Hub were found and exploited within minutes. Keys leaked on PyPI or Pastebin were exploited within hours. Most of the others were found within 1 to 5 days, and the keys revealed on npm were apparently never touched. These test results indicate the presence of an extensive automated infrastructure that is constantly trawling the major sources for secrets. According to the researchers, exploitation on GitHub was so fast that it necessarily implies automation rather than opportunism. This speed is particularly worrying because it outpaces AWS's automatic quarantine, making it possible for threat actors to log into sandboxed cloud environments, engage in reconnaissance, escalate privileges, and establish persistence within the network before the credentials can be locked down. In the long run, new protocols are going to have to be created to address this problem, but for now, the key to protecting AWS keys must be continuous detection and swift action.
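One way to put continuous detection in front of the leak is to scan content before it is pushed to any of the platforms above. The sketch below is an added example, not code from the researchers or from AWS; the function names, the two-line pairing window, and the severity labels are assumptions made for illustration.

```python
import re

# Access key IDs: long-term keys start with AKIA, temporary (STS) keys with ASIA.
KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters drawn from the base64 alphabet.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
WINDOW = 2  # assumption: a secret usually sits within two lines of its key ID


def redact(value):
    """Keep only the ends of a value so the report does not leak it again."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan(text):
    """Return one finding per access key ID: line number, redacted ID, and
    whether a 40-character secret candidate appears within WINDOW lines."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for m in KEY_ID_RE.finditer(line):
            nearby = lines[max(0, i - WINDOW): i + WINDOW + 1]
            has_secret = any(SECRET_RE.search(n) for n in nearby)
            findings.append({
                "line": i + 1,
                "key_id": redact(m.group(0)),
                "secret_nearby": has_secret,
                # A key ID with its secret is directly usable; an ID alone
                # still means the pair may exist elsewhere in the history.
                "severity": "critical" if has_secret else "high",
            })
    return findings


# Constructed sample input. The values are the placeholder credentials used
# in AWS's own documentation, not live keys.
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
# build id: 9f2c1e
export OTHER_ID=AKIAI44QH8DHBEXAMPLE
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run as a pre-commit or CI step, a non-empty result should block the push; any key that has already left the machine should be treated as compromised and rotated rather than merely deleted from the file.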
