Brief #127: AWS Multi-Service Outage, AI MCP Command Injection, Microsoft Deputy CISO Model

Nikoloz Kokhreidze


Self-propagating GlassWorm worm harvests credentials from 49 crypto wallets using blockchain C2 infrastructure. CISO salary discussion reveals $161K university role versus $250-300/hour consulting opportunities amid market challenges.

Happy Sunday!

In this week's brief:

  • AWS suffered a major outage when a DNS race condition in DynamoDB brought down multiple services across US-EAST-1, showing how cascading failures can impact entire cloud regions
  • GlassWorm malware is targeting VS Code extensions using invisible Unicode characters and an unkillable blockchain-based command structure that's nearly impossible to take down
  • Microsoft deployed 14 Deputy CISOs to handle security across their massive organization, offering insights into how large enterprises are restructuring security leadership

A quick note before we dive in.

Industry News

AWS DynamoDB DNS Race Condition Causes Major Multi-Service Outage in US-EAST-1

  • A race condition in DynamoDB's automated DNS management system caused the regional endpoint to resolve to an empty record, preventing new connections to the service from 11:48 PM on October 19 to 2:40 AM on October 20, 2025. The bug occurred when two DNS Enactors processed plans simultaneously, with one applying an outdated plan that was then deleted by cleanup processes, leaving the system in an inconsistent state requiring manual intervention.

  • The DynamoDB outage cascaded to cause EC2 instance launch failures lasting until 1:50 PM on October 20 due to the DropletWorkflow Manager's dependency on DynamoDB for maintaining server leases. When leases timed out, the system entered congestive collapse and couldn't establish new droplet leases, requiring engineers to throttle incoming work and selectively restart DWFM hosts to recover capacity.

  • Multiple AWS services including Lambda, ECS, EKS, Fargate, Connect, STS, IAM authentication, Redshift, and Support Console experienced significant disruptions, with some services like Connect experiencing busy tones and failed connections, while Redshift clusters remained in "modifying" states that prevented query processing even after DynamoDB recovery.

GlassWorm Self-Propagating Worm Uses Invisible Unicode Characters Against VS Code Extensions

  • Researchers discovered the first self-propagating worm targeting VS Code extensions on the OpenVSX marketplace, affecting 10,711 installations across seven compromised extensions. The malware uses invisible Unicode characters to hide malicious code that renders as nothing in code editors and therefore passes traditional code review.

  • GlassWorm employs an unkillable command and control infrastructure using the Solana blockchain as its primary C2 server, with Google Calendar as backup. This immutable, decentralized approach makes takedowns impossible while enabling dynamic payload updates for less than a penny per transaction.

  • The final payload transforms infected developer workstations into criminal infrastructure through SOCKS proxy servers, hidden VNC access, and peer-to-peer communication channels. The worm harvests credentials from 49 cryptocurrency wallet extensions, NPM tokens, and GitHub credentials to automatically spread to additional packages and extensions.
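The invisible-character trick described above is cheap to check for on the defender's side. The script below is an added example (not GlassWorm code, not from the researchers' report) that scans source text for code points that render blank in editors: Unicode format characters (category Cf, which includes zero-width characters and the Tag block U+E0000..U+E007F), private-use and unassigned code points, and the Hangul filler letters. The sample input is constructed for the demonstration.

```python
import unicodedata

# Letters that render as blank glyphs in most fonts (Hangul fillers).
BLANK_LETTERS = {0x3164, 0xFFA0, 0x115F, 0x1160}
# Cf = format (zero-width chars, BOM, Tag block), Co = private use, Cn = unassigned.
SUSPICIOUS_CATEGORIES = {"Cf", "Co", "Cn"}


def is_invisible(ch: str) -> bool:
    """True if the character would be invisible or blank in a code editor."""
    if ord(ch) in BLANK_LETTERS:
        return True
    return unicodedata.category(ch) in SUSPICIOUS_CATEGORIES


def find_invisible_chars(source: str):
    """Return (line, column, codepoint, name) for every invisible code point found."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                name = unicodedata.name(ch, "<unnamed>")
                hits.append((lineno, col, f"U+{ord(ch):04X}", name))
    return hits


def decode_tag_run(source: str) -> str:
    """Map Unicode Tag characters (U+E0020..U+E007E) back to the ASCII they mirror,
    so hidden text in that block can be read during triage."""
    return "".join(chr(ord(ch) - 0xE0000) for ch in source
                   if 0xE0020 <= ord(ch) <= 0xE007E)


# Constructed sample: an innocent-looking snippet carrying a zero-width space and
# the word "hidden" encoded as Tag characters (assumption: not real extension code).
HIDDEN = "".join(chr(0xE0000 + ord(c)) for c in "hidden")
SAMPLE = "const ok = true;\u200b\nexport default ok;" + HIDDEN + "\n"

if __name__ == "__main__":
    for hit in find_invisible_chars(SAMPLE):
        print(hit)
    print("hidden tag text:", decode_tag_run(SAMPLE))
```

Run it over extension sources or a repository checkout; any hit outside a string literal that deliberately uses such characters is worth a manual look.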

LayerX Discovers CometJacking Vulnerability in Perplexity's AI Browser

  • Researchers found that a single weaponized URL can hijack Perplexity's Comet AI browser to steal sensitive data from connected services like Gmail and Calendar without requiring credential phishing, simply by tricking users into clicking a malicious link.

  • The attack exploits URL parameters to force the AI to prioritize user memory over web searches, then instructs it to encode stolen data in base64 format and POST it to attacker-controlled servers, effectively bypassing Perplexity's built-in exfiltration protections.

  • Despite LayerX's responsible disclosure in August 2025, Perplexity marked the findings as "Not Applicable," highlighting the emerging security risks of agentic browsers where AI assistants have trusted access to personal and corporate data sources.
