Security researchers at Sysdig warn that attackers can quickly take over AWS environments using large language models. Their latest analysis shows that AI is already being used to automate cloud attacks, accelerate them, and make them harder to detect. The Sysdig Threat Research Team bases these conclusions on an attack that began on November 28, 2025. In this case, an attacker gained initial access and escalated to full administrator rights within an AWS account in less than ten minutes.
The Sysdig Threat Research Team said they observed the break-in on November 28, and noted it stood out not only for its speed, but also for the "multiple indicators" suggesting the criminals used large language models to automate most phases of the attack, from reconnaissance and privilege escalation to lateral movement, malicious code writing, and LLMjacking - using a compromised cloud account to access cloud-hosted LLMs.
Your AWS account could be quietly running someone else's cryptominer. Cryptocurrency thieves are using stolen Amazon account credentials to mine for coins at the expense of AWS customers, abusing their Elastic Container Service (ECS) and their Elastic Compute Cloud (EC2) resources, in an ongoing operation that started on November 2. The illicit cryptocurrency-mining campaign abuses compromised valid AWS Identity and Access Management (IAM) credentials with "admin-like privileges" - it doesn't exploit a vulnerability -