Nothing Was Hacked. Everything Was Taken.

June 22, 2026 · By Marketing team

Hand an AI agent one leaked low-privilege AWS key and it walks the chain to your customer data in about a minute, unattended. Nothing is hacked and every credential is valid. The economics of a leaked key just flipped.

Hand an AI agent one leaked AWS key — the low-privilege, throwaway kind a CI pipeline spills every week — and tell it to take what it can reach. Then walk away. More often than not, about a minute later and with nobody at the keyboard, it's reading your customer data.

Nothing was hacked to get there. No exploit, no CVE, no unpatched server. Every credential it touched was valid; every API call was one AWS was built to answer. For thirty years a leaked key was only the opening of an attack — the slow part a human had to be awake for, the gap where security teams live and fast rotation wins the race. That gap just collapsed to about a minute.

In May 2026, a researcher named Adan Álvarez ran a simple test. He took a single low-privilege AWS key — the kind a CI/CD pipeline leaks all the time — and handed it to an AI coding agent with one instruction: act as a penetration tester, find what you can reach. No human at the keyboard after that. The agent did the rest. More than half the time, it walked the entire chain to the customer data — in about a minute, unattended.

What actually happened

The setup was deliberately ordinary. The leaked key belonged to a low-privilege build user. On its own, it couldn't touch customer data. But it could read a Terraform state file. That state file held a second set of keys. Those keys could assume a role. That role could read the customer bucket.
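The link that turns the build key into something worse is the secret stored in the state file. As an added example (not part of the original post or the researcher's test), this Python check flags credentials embedded in a Terraform state file without printing their values. It assumes state format version 4 and the AWS provider's `aws_iam_access_key` resource, which records its `secret` attribute in state; the sample state and every name in it are constructed.

```python
import json
import re

# AWS access key IDs: long-term keys start with AKIA, temporary ones with ASIA.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# Constructed sample state (format version 4); every value is fake.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_s3_bucket", "name": "staging",
         "instances": [{"attributes": {"bucket": "example-staging"}}]},
        {"mode": "managed", "type": "aws_iam_access_key", "name": "deployer",
         "instances": [{"attributes": {
             "id": "AKIAEXAMPLEEXAMPLE00",
             "secret": "constructed-not-a-real-secret",
             "user": "deployer"}}]},
    ],
})


def walk(value, path=""):
    """Yield (path, string) for every string nested inside value."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from walk(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from walk(item, f"{path}[{index}]")
    elif isinstance(value, str):
        yield path, value


def find_embedded_credentials(state_text):
    """Return (resource address, attribute path, reason); never the value itself."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        addr = f'{res.get("type")}.{res.get("name")}'
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            if res.get("type") == "aws_iam_access_key" and attrs.get("secret"):
                findings.append((addr, "secret", "plaintext IAM secret key"))
            for path, text in walk(attrs):
                if KEY_ID_RE.search(text):
                    findings.append((addr, path, "access key ID"))
    return findings
```

Any finding means that read access to the state object is equivalent to holding the credential it names.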

This is how almost every real cloud account is shaped — not one fortress wall, but a chain of small, reasonable trust relationships, each link sensible on its own. A human attacker untangles that chain slowly, by hand. The agent untangled it in about sixty seconds.

The successful runs followed the same six steps every time: confirm who the key belongs to, list what it's allowed to do, recover the second set of credentials from the staging bucket, assume the privileged role, find the data, take it. Across twelve runs on two models, seven reached exfiltration. Most finished in roughly a minute [1].
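Seen from the defender's side, those steps leave a recognizable burst in CloudTrail: one source checks identity, switches to a second access key, and assumes a role within seconds. This is an added detection example, not from the original post or the researcher's write-up. The mapping of steps to event names, the 120-second window, and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed mapping of "who am I / what may I do" to CloudTrail event names.
RECON = {"GetCallerIdentity", "ListAttachedUserPolicies", "ListUserPolicies"}


def ev(sec, ip, key, name):
    """Constructed record using real CloudTrail field names."""
    return {"eventTime": f"2026-05-01T10:00:{sec:02d}Z", "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key}, "eventName": name}


# Constructed sample: documentation IP ranges, fake key IDs.
# S3 GetObject is a data event and is logged only when data events are enabled.
SAMPLE = [
    ev(0, "198.51.100.7", "AKIACONSTRUCTED00001", "GetCallerIdentity"),
    ev(4, "198.51.100.7", "AKIACONSTRUCTED00001", "ListAttachedUserPolicies"),
    ev(11, "198.51.100.7", "AKIACONSTRUCTED00001", "GetObject"),
    ev(19, "198.51.100.7", "AKIACONSTRUCTED00002", "GetCallerIdentity"),
    ev(25, "198.51.100.7", "AKIACONSTRUCTED00002", "AssumeRole"),
    ev(41, "198.51.100.7", "ASIACONSTRUCTED00003", "GetObject"),
    ev(2, "192.0.2.10", "AKIACONSTRUCTED00004", "GetCallerIdentity"),
    ev(30, "192.0.2.10", "AKIACONSTRUCTED00004", "GetObject"),
]


def when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_credential_pivot(events, window=timedelta(seconds=120)):
    """Flag a source that does recon, switches access keys and assumes a role
    inside one window: the shape of a key leading to the next key."""
    by_ip = {}
    for event in sorted(events, key=when):
        by_ip.setdefault(event["sourceIPAddress"], []).append(event)
    alerts = []
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            if first["eventName"] not in RECON:
                continue
            burst = [e for e in evs[i:] if when(e) - when(first) <= window]
            keys = sorted({e["userIdentity"]["accessKeyId"] for e in burst})
            if len(keys) >= 2 and any(e["eventName"] == "AssumeRole" for e in burst):
                span = int((when(burst[-1]) - when(first)).total_seconds())
                alerts.append({"source": ip, "keys": keys, "seconds": span})
                break
    return alerts
```

The single-key runner at 192.0.2.10 is not flagged; the source that moves across three keys in 41 seconds is.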

And this isn't only a lab result. In November 2025, Sysdig's threat research team watched the same shape play out in the wild: valid AWS keys exposed in a public bucket, a Lambda function quietly rewritten to mint administrative credentials, lateral movement across nineteen separate identities — all in eight minutes [2][3]. The injected code bore the fingerprints of a model: tidy exception handling, iterative targeting logic, comments in more than one language.

This is not AWS being weak

Here is the part that should keep you up at night: nothing was hacked.

No exploit. No CVE. No buffer overflow, no unpatched server. Every credential was valid. Every API call was one AWS was built to answer. As Sysdig put it, the credentials were legitimate and the APIs were used exactly as intended [3]. AWS did its job perfectly.

The assumption that broke wasn't AWS's security. It was an older, quieter one underneath it: that a leaked key is only as dangerous as the attention an attacker can spare for it. For thirty years that held. Exploiting a credential took a human — time, skill, patience. That cost was a real part of your defense, even though nobody drew it on the architecture diagram.

Agents drive that cost to roughly zero. The patience is infinite. The skill is rented by the minute. The attacker can be asleep.

It isn't only AWS

Nothing here is specific to Amazon. The same chain runs anywhere a credential can be used to discover the next credential: a cloud key that can list its own permissions, a token in a .env file that another process can read, a secret in a state file, a vault token sitting on disk next to the code. Any harness — a coding agent, an MCP server you installed last week — can be the thing that walks the chain, with or without your blessing.

The common thread is that the secret carries its own blast radius. It can be read where the work happens, it can enumerate what it touches, and it works from anywhere. Those three properties were survivable when attacks were slow and manual. They are not survivable at agent speed.

Built for this, on purpose

So we built the opposite, deliberately.

A Clavitor credential is reachable only by the name the agent was given — it cannot list the store, so it cannot draw the map. The secret value never lands where the code runs; the agent gets the result of using the credential, not the credential itself. Each one is bound to the machine and scope it was issued for, so a copy carried off to a laptop is dead weight. And every request is written to an immutable, hash-chained, off-endpoint log — the evidence PCI DSS Req 10 and NIST 800-171 (3.3.8) ask for — so even a perfectly "valid" action has a name attached to it.

Here is the honest edge: this does not make a leaked credential harmless. Scope a key to one bucket, and if that key leaks, an attacker gets that one bucket. What it kills is the chain — the part where one ordinary key becomes the map to everything else. Scoped versus ambient isn't the difference between safe and breached. It's the difference between an incident and a catastrophe.
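The difference between an incident and a catastrophe can be measured as reachability over trust links. The following is an added example, not Clavitor's code and not from the original post: it models the account shape described earlier as a graph, computes what one leaked key can transitively reach, and shows the effect of removing a single link. All node names are hypothetical.

```python
from collections import deque

# Constructed model: an edge A -> B means "whoever holds A can obtain or use B".
AMBIENT = {
    "key:ci-build": ["s3:staging/terraform.tfstate", "s3:build-artifacts"],
    "s3:staging/terraform.tfstate": ["key:deployer"],  # secret stored in state
    "key:deployer": ["role:data-reader"],               # allowed to assume the role
    "role:data-reader": ["s3:customer-data"],
}


def chain_to(graph, start, target):
    """Shortest chain of trust links from start to target, or None (BFS)."""
    parent, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def blast_radius(graph, start):
    """Everything transitively obtainable from one leaked credential."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def without_link(graph, src, dst):
    """Copy of graph with one trust link removed (secret moved out of state)."""
    return {k: [v for v in vs if (k, v) != (src, dst)] for k, vs in graph.items()}


SCOPED = without_link(AMBIENT, "s3:staging/terraform.tfstate", "key:deployer")
```

In the scoped graph the leaked build key still reaches the two buckets it was granted, which is the incident; the path to `s3:customer-data` no longer exists.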

We wrote down the handful of rules a credential tool should keep if it wants to survive this. You can run yours down them at clavitor.ai/rules.

The lesson isn't "rotate faster"

You cannot out-rotate a sixty-second attack. By the time the canary fires, the chain has already run.

The takeaway isn't a tighter cleanup drill. It's that the economics flipped. We built credential systems for a world where the attacker's time was scarce and expensive — where a leaked key was a race you could win. That world is gone. A credential that can find the next credential isn't a convenience anymore. It's the whole attack, pre-written, waiting for any key to fall.

Build for the world where the attacker never sleeps. It's already here.

Clavitor (@clavitorai) is the credential vault built for AI agents, and against them. clavitor.ai

Sources

[1] Adan Alvarez — "From Leaked AWS Key to Data Exfiltration in 60 Seconds: Are We Ready?" (May 2026) — https://medium.com/@adan.alvarez/from-leaked-aws-key-to-data-exfiltration-in-60-seconds-are-we-ready-28213bc73678

[2] CSO Online — "From credentials to cloud admin in 8 minutes: AI supercharges AWS attack chain" — https://www.csoonline.com/article/4126336/from-credentials-to-cloud-admin-in-8-minutes-ai-supercharges-aws-attack-chain.html

[3] Vectra AI — "AWS Compromised by AI Agents in Minutes" (Alex Groyz) — https://www.vectra.ai/blog/aws-compromised-by-ai-agents-in-minutes

[4] Help Net Security — "The shocking speed of AWS key exploitation" — https://www.helpnetsecurity.com/2024/12/02/revoke-exposed-aws-keys/