
Kubernetes Cluster Compromised via Leaked AWS Credentials

Severity: High (Score: 66.5)

Sources: Blog.Gitguardian, www.virusbulletin.com

Published: 2026-05-20 · Updated: 2026-05-20

Keywords: kubernetes, threat-intel, reports, cloud, leaked, secrets, impact

Summary

Recent incidents highlight a significant threat to Kubernetes clusters, where attackers exploited leaked AWS IAM credentials from developer workstations. This allowed them to deploy poisoned Docker images, facilitating lateral movement within the cloud environment. The attack chain aligns with known MITRE ATT&CK techniques, including credential theft and resource hijacking. In one case, attackers accessed sensitive registry credentials, which could lead to further breaches across multiple organizations. The Shai-Hulud supply chain attack exemplifies this risk, emphasizing the need for robust security measures. The current status indicates that while some attacks were detected in time, the potential for widespread damage remains high. Organizations are urged to implement private container registries and limit credential access to mitigate risks.

Key Points:

  • Attackers exploited leaked AWS IAM credentials to compromise Kubernetes clusters.
  • Poisoned Docker images were deployed, allowing lateral movement and data theft.
  • Mitigations include using private registries and enforcing read-only credentials.

Detailed Analysis

**Impact**

At least 44 active Kubernetes clusters were compromised, including production environments with over 200 nodes. Approximately 30% of these clusters had leaked credentials exposed for more than two years, affecting sectors reliant on cloud infrastructure globally. Attackers accessed sensitive data such as AWS IAM credentials, Kubernetes secrets, private Docker Hub images, and GitHub repositories, risking lateral movement across cloud accounts and potential resource hijacking.

**Technical Details**

Attackers obtained AWS credentials from developer or DevOps workstations, exploiting leaked Kubernetes secrets (TLS, JWT, Docker config JSON) to access clusters. The attack chain follows MITRE ATT&CK: T1552.001 → T1078.004 → T1610 → T1496, involving credential theft, valid account use, container deployment, and resource hijacking. Poisoned container images were deployed for lateral movement and secret harvesting. Valid JWTs were predominantly found on Docker Hub, and registry credentials often had excessive permissions, enabling broad access.

**Recommended Response**

Revoke and rotate all exposed AWS and registry credentials immediately, especially those associated with decommissioned clusters. Enforce least privilege by using read-only credentials scoped narrowly to required registries and repositories. Monitor for unusual container deployments and validate Kubernetes secrets regularly, removing any publicly exposed credentials. Employ private container registries and implement automated secret scanning in CI/CD pipelines to detect leaks early.
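The "validate Kubernetes secrets regularly" step above can be scripted. The following is an added example (not from either source article): it walks a `kubectl get secrets -A -o json` dump, lists which registries each pull secret (Docker config JSON) grants access to and under which username, and flags Opaque secrets holding AWS access key IDs or JWTs, the three secret kinds the analysis names. Secret values are never printed, so the findings can be kept as an audit log; the sample dump and all values in it are constructed.

```python
import base64
import json
import re
import sys

# Credential shapes that should not sit in plain Opaque secrets: AWS access key IDs (AKIA/ASIA) and three-part JWTs.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
JWT = re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b")

def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

def _decode(b64: str) -> str:
    return base64.b64decode(b64).decode("utf-8", errors="replace")

def audit_secrets(dump: dict) -> list[dict]:
    """Walk a `kubectl get secrets -A -o json` dump and report credential material.
    Registry secrets are reported by registry and username; passwords and tokens are never echoed."""
    findings = []
    for item in dump.get("items", []):
        where = f'{item["metadata"]["namespace"]}/{item["metadata"]["name"]}'
        for key, b64 in item.get("data", {}).items():
            value = _decode(b64)
            if item.get("type") == "kubernetes.io/dockerconfigjson":
                # Docker config JSON: "auth" is base64("user:password"); keep only the user part.
                for registry, auth in json.loads(value).get("auths", {}).items():
                    user = _decode(auth["auth"]).split(":", 1)[0] if "auth" in auth else auth.get("username", "?")
                    findings.append({"secret": where, "kind": "registry-credential", "detail": f"{registry} as {user}"})
            if AWS_KEY_ID.search(value):
                findings.append({"secret": where, "kind": "aws-access-key", "detail": key})
            if JWT.search(value):
                findings.append({"secret": where, "kind": "jwt", "detail": key})
    return findings

# Constructed sample in the shape of the kubectl dump; every value is fake
# (the AWS key ID is the AWS documentation example key).
SAMPLE_DUMP = {"items": [
    {"metadata": {"namespace": "prod", "name": "regcred"}, "type": "kubernetes.io/dockerconfigjson",
     "data": {".dockerconfigjson": _b64(json.dumps({"auths": {
         "https://index.docker.io/v1/": {"auth": _b64("ci-deployer:fake-hub-token")}}}))}},
    {"metadata": {"namespace": "prod", "name": "app-env"}, "type": "Opaque",
     "data": {"AWS_ACCESS_KEY_ID": _b64("AKIAIOSFODNN7EXAMPLE"), "AWS_SECRET_ACCESS_KEY": _b64("fake-secret")}},
    {"metadata": {"namespace": "staging", "name": "api-token"}, "type": "Opaque",
     "data": {"token": _b64("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjaSJ9.c2lnbmF0dXJlLWZha2U")}},
]}

if __name__ == "__main__":
    # Pipe `kubectl get secrets -A -o json` in; with no piped stdin the constructed sample is used.
    dump = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DUMP
    for f in audit_secrets(dump):
        print(f"{f['kind']:20} {f['secret']:20} {f['detail']}")
```

Each registry-credential finding is a prompt to check that the account is read-only and scoped to the repositories that namespace actually pulls; AWS keys and JWTs found in Opaque secrets are candidates for rotation.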

Source articles (2)

  • Threat-intel reports — www.virusbulletin.com · 2026-05-20
    Kubernetes (k8s) is an orchestration system for automating software deployment, scaling and management, and if you don’t know… this is really hot right now. When implemented in a cloud environment, it…
  • Leaked Kubernetes Secrets: Impact Assessment and Mitigation Strategies — Blog.Gitguardian · 2026-05-20
    Threat-intel reports from recent years document campaigns in which attackers obtain AWS IAM credentials from developer workstations, use them to enumerate cloud accounts and access Kubernetes clusters…

Timeline

  • Recent — Kubernetes cluster infection reported: Attackers compromised an AWS Kubernetes cluster via leaked AWS credentials from a DevOps workstation, deploying malicious Docker images.
  • Recent — Shai-Hulud supply chain attack: This attack harvested Kubernetes credentials from CI and developer workstations, enabling similar attack chains.

Related entities

  • Supply Chain Attack (Attack Type)
  • Shai-hulud (Malware)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • T1003 - OS Credential Dumping (Mitre Attack)
  • T1021 - Remote Services (Mitre Attack)
  • T1078.004 - Cloud Accounts (Mitre Attack)
  • T1195 - Supply Chain Compromise (Mitre Attack)
  • T1496 - Resource Hijacking (Mitre Attack)
  • T1552.001 - Credentials In Files (Mitre Attack)
  • T1610 - Deploy Container (Mitre Attack)
  • ACR (Platform)
  • Docker Hub (Platform)
  • ECR (Platform)
  • GitHub (Platform)
  • Gitlab (Platform)
  • Kubernetes (Platform)
  • Quay (Platform)
  • AWS (Company)
  • Azure (Company)
  • Docker (Tool)
  • Curl (Tool)
  • Jq (Tool)
  • Kubectl (Tool)