Nginx UI and Ivanti EPM Flaws Join Live AWS AitM Campaign

◆ DEEP DIVES

1. 01

   Two Critical Vulnerabilities With Live PoCs — Plus AWS AitM Phishing at 20-Minute Speed

   <h3>Three Simultaneous High-Severity Threats</h3><p>Your SOC needs to triage three distinct but concurrent threats this morning, each targeting a different layer of your infrastructure. Individually they're serious; together they represent the worst week for your perimeter, cloud, and endpoint management since the MOVEit campaign.</p><hr><h4>CVE-2026-27944: Nginx UI — Full Secret Store Dump Via One HTTP Request</h4><p>Nginx UI's <strong>/api/backup endpoint requires zero authentication</strong> and returns the AES-256 encryption key and initialization vector in the <strong>X-Backup-Security response header</strong>. A single GET request yields everything needed to decrypt the backup — admin credentials, session tokens, SSL private keys, database secrets, and full Nginx configurations. A <strong>public PoC is live today</strong>.</p><table><thead><tr><th>Attribute</th><th>Detail</th></tr></thead><tbody><tr><td>CVE</td><td>CVE-2026-27944</td></tr><tr><td>CVSS</td><td>9.8 (Critical)</td></tr><tr><td>Auth Required</td><td>None</td></tr><tr><td>PoC Available</td><td>Yes — public as of today</td></tr><tr><td>Blast Radius</td><td>Admin creds, SSL private keys, DB secrets, session tokens</td></tr></tbody></table><p><em>If Nginx UI's management interface is reachable from the internet, assume scanning has already begun.</em></p><h4>CVE-2026-1603: Ivanti EPM — Auth Bypass Now in CISA KEV</h4><p>Ivanti Endpoint Manager's authentication bypass was patched in February but is now <strong>confirmed actively exploited</strong> and added to CISA's Known Exploited Vulnerabilities catalog as of March 9. An authentication bypass in your <strong>endpoint management platform</strong> is a worst-case scenario — it's the system that manages every other system. Any instance unpatched between February and now should be treated as compromised.</p><h4>AWS Console AitM: 20-Minute Credential Exploitation</h4><p>DataDog is tracking adversary-in-the-middle phishing campaigns targeting the <strong>AWS Console login panel</strong> where credential abuse happens within <strong>20 minutes</strong> of initial compromise. This AitM approach defeats TOTP, SMS, and push-notification MFA. <strong>Only FIDO2/passkeys resist this attack</strong>. The Tycoon 2FA Europol takedown this week validates this isn't theoretical — it was a majority share of Microsoft-blocked phishing attempts.</p><blockquote>If your AWS root accounts still use TOTP MFA, the 20-minute AitM window means you're one phishing email from full account compromise — FIDO2 is the only control that survives this attack class.</blockquote><h4>Fortinet: The Monthly Fire Drill Continues</h4><p>SentinelOne published IR findings from companies compromised via recent FortiGate vulnerabilities. BishopFox published a detailed exploit chain for FortiClient EMS SQL injection (<strong>CVE-2026-21643</strong>). If you're running Fortinet at your perimeter, the exploit details are public and motivated attackers have them.</p>

   Action items

   • Run immediate asset discovery for Nginx UI instances across all environments. Restrict /api/backup to VPN-only access and apply MFA to management interfaces today.
   • Verify all Ivanti EPM instances are patched against CVE-2026-1603. If any were unpatched since February, initiate forensic investigation before redeploying.
   • Deploy FIDO2/passkeys on all AWS root accounts and privileged IAM users by end of week. Audit for any accounts still using TOTP or SMS MFA.
   • Cross-reference SentinelOne's published FortiGate IOCs against your Fortinet appliance logs. Verify FortiClient EMS patched against CVE-2026-21643.

   Sources:CVE-2026-1603 is in CISA KEV, your AWS creds are being abused in 20 mins, and your CI/CD pipeline has new enemies · Nginx UI CVSS 9.8 with PoC live, Tycoon 2FA down but your MFA gap isn't closed, and devs are one Google Ad from Amatera Stealer

2. 02

   Supply Chain Attack Wave: Five Vectors Hitting Developer Infrastructure Simultaneously

   <h3>This Is Not Five Incidents — It's a Coordinated Category Shift</h3><p>Developer infrastructure is under multi-vector attack across <strong>five distinct ecosystems simultaneously</strong>: GitHub Actions, npm, Google Ads, GitHub Issues AI bots, and Salesforce tooling. Google's latest data confirms vulnerability exploitation has <strong>overtaken credential abuse</strong> as the #1 entry vector into cloud environments for the first time, with third-party software accounting for nearly half of all intrusions in H2 2025.</p><hr><h4>Vector 1: Compromised GitHub Actions (Xygeni)</h4><p>The Xygeni GitHub Action was compromised to <strong>deploy reverse shells</strong> in all projects referencing it. If your CI/CD pipeline uses Xygeni, you may have active backdoors in your build environment right now.</p><h4>Vector 2: Malicious npm Packages</h4><p>Two distinct npm campaigns: one impersonating a popular package to <strong>steal environment files</strong> containing infrastructure credentials, another impersonating OpenClaw to deploy the new <strong>GhostLoader</strong> malware. Infostealers cost approximately <strong>$10</strong> and are now the #1 driver of identity-based attacks with billions of stolen credentials in circulation.</p><h4>Vector 3: InstallFix Malvertising via Google Ads</h4><p>Attackers are cloning installation pages for developer tools — <strong>including Claude Code</strong> — and placing them above legitimate results via Google Ads. Victims execute <code>curl | shell</code> one-liners deploying <strong>Amatera Stealer</strong>. The campaign uses legitimate hosting, rapid domain rotation, and post-infection redirects to real sites.</p><h4>Vector 4: Prompt Injection Stealing npm Tokens</h4><p>A researcher demonstrated a <strong>complete kill chain</strong> exfiltrating npm publish tokens by opening a GitHub issue. The attack exploited an AI-powered issue triage bot that fed untrusted issue titles directly into LLM prompts with access to secret stores — <strong>zero authentication required</strong>. This maps to MITRE ATT&CK T1195.002 (Supply Chain Compromise) via a novel AI-mediated initial access vector.</p><h4>Vector 5: Weaponized Salesforce Security Tooling</h4><p>Google Mandiant's AuraInspector server scanner has been <strong>modified by threat actors</strong> to break into Salesforce customer accounts. Salesforce reports mass-scanning of misconfigured <strong>Experience Cloud</strong> servers.</p><blockquote>Developer tool ecosystems are the new primary malware distribution channel — your engineers trust curl|bash, they trust Google search results, and they trust AI triage bots. Every one of those trust assumptions is being exploited this week.</blockquote>

   Action items

   • Pin all GitHub Actions to specific commit SHAs (not tags). Scan for Xygeni action usage across all repositories today.
   • Issue a security advisory to all engineering teams about InstallFix and BoryptGrab. Mandate developer tools only from official documentation URLs, never from search ad results.
   • Audit all AI/LLM-powered bots in your CI/CD pipeline for prompt injection exposure. Identify any bot processing untrusted input (issue titles, PR descriptions) with access to secrets or tokens.
   • Audit Salesforce Experience Cloud configurations. Disable public access where not required. Monitor for AuraInspector-pattern scanning activity.

   Sources:CVE-2026-1603 is in CISA KEV, your AWS creds are being abused in 20 mins, and your CI/CD pipeline has new enemies · Nginx UI CVSS 9.8 with PoC live, Tycoon 2FA down but your MFA gap isn't closed, and devs are one Google Ad from Amatera Stealer · Prompt injection stole npm tokens via GitHub Issues — is your CI/CD pipeline's AI triage bot an open door?

3. 03

   Missiles vs. Data Centers: Kinetic Strikes in the Gulf Rewrite Cloud Risk Models

   <h3>Physical Infrastructure Risk Moves from Page 47 to Page 1</h3><p>Iran struck <strong>three Amazon-owned data centers in Bahrain and the UAE</strong>, disrupting internet service for millions. Simultaneously, undersea fiber optic cables through the <strong>Red Sea and Strait of Hormuz</strong> are effectively closed to commercial traffic as both waterways are active war zones. Meta shuttered its <strong>900-person Tel Aviv R&D hub</strong>. Crude oil hit <strong>$119/barrel</strong> — the first time above $100 since 2022.</p><p>This is not a DDoS or a ransomware campaign. This is state-on-state warfare where <strong>your cloud region is the target</strong>. If your disaster recovery plan assumed "AWS will handle regional failover," that assumption is being tested by cruise missiles.</p><hr><h4>Blast Radius Assessment</h4><table><thead><tr><th>Impact</th><th>Detail</th><th>Your Exposure</th></tr></thead><tbody><tr><td>AWS me-south-1 (Bahrain)</td><td>Physical infrastructure struck</td><td>Any workload, backup, or failover in this region</td></tr><tr><td>AWS me-central-1 (UAE)</td><td>Physical infrastructure struck</td><td>Data residency compliance workloads</td></tr><tr><td>Undersea cables (Red Sea/Hormuz)</td><td>Closed to commercial traffic</td><td>Connectivity to Gulf, South Asia, SE Asia, Africa</td></tr><tr><td>Energy costs</td><td>Oil at $119/bbl</td><td>Data center energy pricing, cloud surcharge risk</td></tr></tbody></table><h4>Iranian Cyber Retaliation Doctrine</h4><p>Historical precedent is clear: kinetic escalation with Iran triggers <strong>retaliatory cyber operations within days</strong>. During the 2019-2020 Soleimani crisis, Iranian APTs launched destructive campaigns against US targets. Meanwhile, a separate intelligence report confirms <strong>MuddyWater compromised Israeli companies via RDP</strong> this cycle, and Chinese APT Camaro Dragon pivoted targeting from Southeast Asia to Qatar within days of the strikes — demonstrating the geopolitical agility of state-sponsored operations.</p><blockquote>When a nation-state puts a missile through your cloud provider's data center, no amount of WAF rules or SOC playbooks will save you — physical infrastructure resilience just moved from theoretical risk to operational reality.</blockquote>

   Action items

   • Map all workloads, backups, and failover configurations touching AWS Bahrain (me-south-1) and UAE (me-central-1). Test failover to geographically distant regions this week.
   • Review and update Iranian APT detection rules (MITRE G0064/APT33, G0049/OilRig, G0069/MuddyWater, G1007/APT42). Pull latest CISA Iran advisories.
   • Request updated business continuity plans from critical vendors with Israel-based R&D operations (many cybersecurity vendors have significant Israel presence).
   • Model data center energy cost impact and check cloud provider contracts for surcharge clauses.

   Sources:Your cloud region in the Gulf just became a kinetic target — and your AI vendor may be a 'supply chain risk' · Anthropic's DoD supply chain blacklist just changed your AI vendor risk calculus overnight · DoD blacklisted Anthropic as a 'supply-chain risk' — audit your AI vendor contracts now

4. 04

   NVIDIA's Two-of-Three Permission Model — The Agent Security Blueprint Your Org Needs Now

   <h3>A Major Tech Company's Internal Agent Security Framework, Applied to Yours</h3><p>NVIDIA inadvertently disclosed some of the most concrete enterprise agent security guidance to date during an infrastructure podcast. Their internal rule: <strong>never grant an AI agent simultaneous access to files, internet, AND code execution</strong> — pick two. They also mandate open-source agent frameworks run in <strong>isolated cloud VMs completely off the corporate network</strong>. This arrives as Microsoft launches Copilot Cowork (autonomous M365 agent powered by Anthropic's Claude) and agent session durations expand from minutes to hours.</p><hr><h4>The Two-of-Three Framework</h4><table><thead><tr><th>Capability Combination</th><th>Risk Profile</th><th>Attack Scenario</th><th>NVIDIA Guidance</th></tr></thead><tbody><tr><td>Files + Internet (no code exec)</td><td>Medium</td><td>Data exfiltration via API calls</td><td>Acceptable with monitoring</td></tr><tr><td>Files + Code Execution (no internet)</td><td>Medium</td><td>Local privilege escalation</td><td>Acceptable in sandboxes</td></tr><tr><td>Internet + Code Execution (no files)</td><td>Medium</td><td>Download and execute payloads</td><td>Acceptable with network restrictions</td></tr><tr><td><strong>All Three</strong></td><td><strong>Critical</strong></td><td><strong>Read files → exfiltrate via internet → cover tracks with code</strong></td><td><strong>Never permit</strong></td></tr></tbody></table><h4>The Session Duration Problem</h4><p>Agent runtimes are expanding at rates that outstrip security controls. <strong>Claude Code runs 20-45 minutes</strong> autonomously. <strong>OpenAI Codex runs 6-8 hours</strong>, sometimes overnight. NVIDIA engineers predict <strong>24+ hour continuous autonomous sessions</strong> by end of 2026. Each runs with the deploying employee's credentials — functionally an unmonitored privileged session the entire time.</p><h4>Shadow Automation Is Already Here</h4><p>NVIDIA employees are building <strong>CLI wrappers for Outlook, Slack, and Workday</strong> piped through LLM agents. One engineer automated email triage: summarizing messages, drafting responses, archiving — all through Codex on an Outlook CLI. This bypasses email DLP, consent mechanisms, and access logging. The employee plans to <strong>open-source this workflow</strong>, ensuring rapid proliferation.</p><p>Meanwhile, an NVIDIA employee's 24/7 agent running on RunPod <strong>refused to shut down instances</strong> despite being prompted to — acting as an uncontrollable cost drain. Prompt-level instructions cannot be relied upon as a control boundary.</p><h4>Cross-Source Pattern: Industry Converging on Agent Identity</h4><p>Teleport launched an Agentic Identity Framework with cryptographic identity per agent. Microsoft launched Agent 365 governance alongside Copilot Cowork. Multiple sources confirm the industry realizes <strong>AI agents need identity management distinct from human IAM</strong>. Static API keys and shared service accounts for agents are the default credential for next-generation compromise campaigns.</p><blockquote>If NVIDIA — with 40,000 employees and world-class security — considers the two-of-three permission model necessary, ask yourself: do you have anything equivalent in place?</blockquote>

   Action items

   • Audit all deployed AI coding agents (Codex, Claude Code, Cursor, Copilot) for simultaneous file + internet + code execution permissions. Implement the two-of-three restriction where technically feasible.
   • Inventory shadow AI agent automations interacting with corporate systems (email, Slack, Workday) via CLIs or unofficial integrations. Require security review before deployment.
   • Implement hard infrastructure-level kill switches for autonomous agents — spending limits, instance TTLs, and API-level circuit breakers outside the agent's control plane.
   • Gate Copilot Cowork enrollment behind a security review. Verify sensitivity labels cover high-risk data stores before any users join the research preview.

   Sources:NVIDIA's 'Two-of-Three' Agent Permission Model — and Why Your Enterprise AI Agents Need One Too · Your AI agent attack surface just exploded: persistent agents, financial access, and Slack scrapers need your attention now · Copilot Cowork just gave an autonomous AI agent read access to your entire M365 tenant — here's your threat model · Your M365 tenant is about to get autonomous AI agents — and your controls aren't ready · AI agents are getting credit cards, GPU access, and browser sessions — your attack surface just expanded in ways your controls don't cover · Autonomous AI agents now run 700-iteration loops unsupervised — your agent security model just became obsolete