Hacker News
by cromd 1456 days ago
But wouldn’t any host running the malicious package be vulnerable to having creds stolen from that host? Maybe I don’t know which “ACL” tech you’re referencing. You can limit where credentials are used from, and not just something like where an S3 bucket is read from? (For example)
1 comment

You can set a permission that says “these credentials can only be used on an AWS instance owned by this account”

Even if the creds are stolen they’d need access to an instance in your account to use them. Also you can be alerted if someone attempts to use them anywhere else.
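The two controls this reply describes, as an added example that is not part of the thread: a Deny statement that pins an instance role's credentials to the VPC of the instance they were issued to, and a CloudTrail check that flags an instance-profile session being used from any other address. The condition evaluator is a deliberately small model of IAM (only the three operators the statement uses; a missing key or unresolved variable is treated as the empty string). The VPC id, the allowed egress addresses, the role names and the CloudTrail events are all constructed for the example.

```python
"""Instance-credential pinning (IAM Deny) plus a CloudTrail misuse check.

Added example, not from the HN thread. Policy condition keys follow AWS's
documented pattern for restricting where EC2 instance credentials can be
used; everything else (VPC id, addresses, events) is made up.
"""
import ipaddress
import re

# Deny every call made with credentials IMDS issued to an EC2 instance
# (ec2:SourceInstanceARN is set) unless the call arrives from the VPC that
# instance lives in. Calls an AWS service makes on the role's behalf are exempt.
DENY_OFF_INSTANCE = {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {
        "Null": {"ec2:SourceInstanceARN": "false"},
        "StringNotEquals": {"aws:EC2InstanceSourceVPC": "${aws:SourceVpc}"},
        "BoolIfExists": {"aws:ViaAWSService": "false"},
    },
}

_VAR = re.compile(r"\$\{([A-Za-z0-9:_-]+)\}")


def _resolve(value, ctx):
    """Substitute ${key} policy variables from the request context
    (simplification: an absent key resolves to the empty string)."""
    return _VAR.sub(lambda m: str(ctx.get(m.group(1), "")), value)


def statement_applies(statement, ctx):
    """True when every condition matches the request context, i.e. the Deny
    fires. Simplified model of IAM evaluation: only these three operators."""
    for op, pairs in statement["Condition"].items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "Null":  # "false" means the key must be present
                if (actual is None) != (expected == "true"):
                    return False
            elif op == "StringNotEquals":
                if str(actual or "") == _resolve(expected, ctx):
                    return False
            elif op == "BoolIfExists":  # an absent key satisfies the condition
                if actual is not None and str(actual).lower() != expected:
                    return False
            else:
                raise ValueError(f"operator {op} not modelled")
    return True


# Instance-profile sessions use the instance id as the role session name.
INSTANCE_SESSION = re.compile(r":assumed-role/[^/]+/(i-[0-9a-f]{8,17})$")

# Assumption: the VPC CIDR plus the NAT gateway's elastic IP, i.e. every
# address the account's own instances can legitimately appear from.
ALLOWED_EGRESS = [ipaddress.ip_network("10.20.0.0/16"),
                  ipaddress.ip_network("203.0.113.7/32")]


def credential_misuse(events, allowed=ALLOWED_EGRESS):
    """Flag CloudTrail events where an instance-profile session is used from
    an address the account does not own. AccessDenied events are kept: with
    the Deny above in place those are exactly the alert worth paging on."""
    hits = []
    for ev in events:
        m = INSTANCE_SESSION.search(ev.get("userIdentity", {}).get("arn", ""))
        if not m:
            continue
        src = ev.get("sourceIPAddress", "")
        if src.endswith(".amazonaws.com"):  # call made by an AWS service
            continue
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in allowed):
            hits.append((ev["eventID"], m.group(1), src, ev.get("errorCode")))
    return hits


# Constructed CloudTrail events, not real log data.
WEB_ROLE = "arn:aws:sts::123456789012:assumed-role/WebRole/i-0a1b2c3d4e5f67890"
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "GetObject", "sourceIPAddress": "10.20.3.14",
     "userIdentity": {"type": "AssumedRole", "arn": WEB_ROLE}},
    {"eventID": "e2", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole", "arn": WEB_ROLE},
     "errorCode": "AccessDenied"},
    {"eventID": "e3", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice"}},
]

if __name__ == "__main__":
    stolen = {"ec2:SourceInstanceARN": "arn:aws:ec2:us-east-1:123456789012:instance/i-0a1b2c3d4e5f67890",
              "aws:EC2InstanceSourceVPC": "vpc-0a1b2c3d4e5f60718"}
    print("stolen creds used from a laptop denied:", statement_applies(DENY_OFF_INSTANCE, stolen))
    print("flagged events:", credential_misuse(SAMPLE_EVENTS))
```

The human session in event e3 is not flagged even though it comes from the same outside address, because the check keys on the instance-id session name; a person's MFA-protected role session is expected to come from a laptop, an instance's is not.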

There are very few situations where it even makes sense to have static credentials on an AWS instance any more. "Ambient" short-lived credentials from the instance profile and assumed roles are much safer.
Exactly. My assumed roles last an hour and are protected by MFA.
In the article they claim the package is literally stealing the IAM role credentials from the EC2’s metadata URL. So it’s presumed that the code is already running on your EC2.

Of course, just because it takes the credentials doesn’t mean it does anything else with them, but it could have done anything.
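The theft path this reply describes, as an added example that is not part of the thread and not the code of any package discussed in it: an in-process stand-in for the instance metadata service at 169.254.169.254, a one-request grab of the role credentials the way IMDSv1 allows it, and the IMDSv2 token handshake. It shows why requiring IMDSv2 helps against SSRF-style theft yet does nothing once code is already executing on the instance, which is the point made above. The role name, credential values and listening port are constructed; the mock server is not AWS's service.

```python
"""Mock IMDS to show what code running on an instance can read, with and
without IMDSv2 enforced.

Added example, not from the HN thread. Credential values are fake, the
server is a local stand-in for 169.254.169.254, and the role name is made up.
"""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ROLE_NAME = "WebServerRole"  # constructed
CREDS_PATH = f"/latest/meta-data/iam/security-credentials/{ROLE_NAME}"
TOKEN_PATH = "/latest/api/token"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"

# Same document shape IMDS returns for an instance-profile role; values are fake.
FAKE_CREDS = {
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEKEYID0000",
    "SecretAccessKey": "exampleSecretKeyNotReal0000000000000000",
    "Token": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN",
    "Expiration": "2030-01-01T00:00:00Z",
}


class MockIMDS(BaseHTTPRequestHandler):
    require_token = True   # True models HttpTokens=required (IMDSv2 only)
    issued = set()

    def log_message(self, *args):  # keep the example quiet
        pass

    def do_PUT(self):  # IMDSv2 session token request
        if self.path != TOKEN_PATH or TOKEN_TTL_HEADER not in self.headers:
            return self._reply(400, "bad request")
        tok = secrets.token_urlsafe(32)
        MockIMDS.issued.add(tok)
        self._reply(200, tok)

    def do_GET(self):
        if self.path != CREDS_PATH:
            return self._reply(404, "not found")
        tok = self.headers.get(TOKEN_HEADER)
        if tok is not None and tok not in MockIMDS.issued:
            return self._reply(401, "unauthorized")
        if tok is None and MockIMDS.require_token:
            return self._reply(401, "unauthorized")  # IMDSv1 request refused
        self._reply(200, json.dumps(FAKE_CREDS))

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_mock_imds(require_token=True):
    """Serve on 127.0.0.1 on an ephemeral port; returns (base_url, server)."""
    MockIMDS.require_token = require_token
    srv = HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}", srv


def fetch_creds_v1(base):
    """One unauthenticated GET, the IMDSv1 path a malicious package would take."""
    try:
        with urllib.request.urlopen(base + CREDS_PATH, timeout=2) as r:
            return json.loads(r.read())
    except urllib.error.HTTPError as e:
        return {"error": e.code}


def fetch_creds_v2(base, ttl=21600):
    """IMDSv2: PUT for a session token, then GET with it. Local code can do
    this just as easily; v2 blocks SSRF/proxy-style theft, not a process on the box."""
    req = urllib.request.Request(base + TOKEN_PATH, method="PUT",
                                 headers={TOKEN_TTL_HEADER: str(ttl)})
    with urllib.request.urlopen(req, timeout=2) as r:
        token = r.read().decode()
    req = urllib.request.Request(base + CREDS_PATH, headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req, timeout=2) as r:
        return json.loads(r.read())


def demo(require_token=True):
    """Run both fetch styles against a fresh mock; returns their results."""
    base, srv = start_mock_imds(require_token)
    try:
        return {"v1": fetch_creds_v1(base), "v2": fetch_creds_v2(base)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("IMDSv2 required:", demo(require_token=True))
    print("IMDSv1 allowed: ", demo(require_token=False))
```

With IMDSv2 required the v1 grab gets a 401 while the token handshake still hands the full credential document, expiry included, to anything running on the instance; the hop limit (HttpPutResponseHopLimit) only stops the PUT from being answered through a container or proxy hop. Limiting what those credentials can do, and from where, is the control that remains once the code is on the host.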