Remember that AWS credentials are easy to lock down. At the very least you could add an ACL to only let them be used on your AWS instances. Then you can set up alerts if someone attempts to use them outside.
But wouldn’t any host running the malicious package be vulnerable to having creds stolen from that host? Maybe I don’t know which “ACL” tech you’re referencing. You can limit where credentials are used from, and not just something like where an S3 bucket is read from? (For example)
You can set a permission that says “these credentials can only be used on an AWS instance owned by this account”
Even if the creds are stolen, they’d need access to an instance in your account to use them. Also, you can be alerted if someone attempts to use them anywhere else.
There are very few situations where it even makes sense to have static credentials on an AWS instance any more. "Ambient" short-lived credentials from the instance profile and assumed roles are much safer.
In the article they claim the package is literally stealing the IAM role credentials from the EC2’s metadata URL. So it’s presumed that the code is already running on your EC2.
Of course, just because it takes the credentials doesn’t mean it does anything else with them, but it could have done anything.
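The alerting the thread refers to, worked through as an added example that is not from any of the comments above: a detector over CloudTrail records that flags API calls signed with EC2 instance-profile credentials (the ones a package running on the box can read from the metadata URL) when the call arrives from outside the networks your instances actually use. The preventive counterpart, which is what "only usable from an instance in this account" amounts to in practice, is an IAM Deny statement keyed on the `aws:ec2InstanceSourceVPC` and `aws:SourceVpc` condition keys; the detector below is the part that catches attempts. Everything in it is constructed: the account ID, role name, instance ID, CIDRs, NAT gateway address and the sample events. Only the record field names are CloudTrail's.

```python
"""Flag AWS API calls made with EC2 instance-role credentials from outside
the networks those instances are expected to call from.

Added example, not code from the discussion above or from the package it
describes. Record field names follow the CloudTrail event format; the
account ID, role, instance ID, CIDRs, NAT address and events are constructed.
"""
import ipaddress
import re

# Networks the instances legitimately call AWS from (constructed values):
# the VPC CIDR, which is what CloudTrail shows when calls go through VPC
# endpoints, and the NAT gateway's public IP, which is what it shows when
# calls go out to the public AWS endpoints instead.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/16"),
    ipaddress.ip_network("203.0.113.10/32"),
]

# EC2 sets the role session name to the instance ID when it vends
# instance-profile credentials, so the assumed-role ARN ends in "/i-...".
INSTANCE_SESSION = re.compile(r":assumed-role/[^/]+/(i-[0-9a-f]{8,17})$")

# Constructed identity of one web server's instance role.
ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/WebServerRole/i-0abc123def4567890"

# Constructed CloudTrail-shaped records: three calls by the instance role
# (VPC endpoint, NAT gateway, attacker's machine), one service-on-behalf
# call, and one unrelated human assumed-role session.
SAMPLE_EVENTS = [
    {"eventTime": "2023-03-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.3.17",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN,
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
    {"eventTime": "2023-03-01T10:00:05Z", "eventSource": "sqs.amazonaws.com",
     "eventName": "ReceiveMessage", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN,
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
    {"eventTime": "2023-03-01T10:02:41Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN,
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
    {"eventTime": "2023-03-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN,
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
    {"eventTime": "2023-03-01T10:04:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/alice",
                      "sessionContext": {}}},
]


def is_instance_role_call(event):
    """True if the call was signed with credentials that came from an EC2
    instance profile: CloudTrail's sessionContext.ec2RoleDelivery marker is
    present, or the session name is an instance ID."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return False
    if "ec2RoleDelivery" in ident.get("sessionContext", {}):
        return True
    return INSTANCE_SESSION.search(ident.get("arn", "")) is not None


def source_is_allowed(source):
    """Calls an AWS service makes on the role's behalf carry a service
    hostname instead of an IP and are not credential replay; anything else
    must come from one of ALLOWED_NETWORKS."""
    if source.endswith(".amazonaws.com"):
        return True
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETWORKS)


def find_stolen_credential_use(events):
    """Return one finding per instance-role call whose source address is
    outside ALLOWED_NETWORKS: the signature of metadata-service credentials
    being replayed from somewhere other than the instance."""
    findings = []
    for ev in events:
        if not is_instance_role_call(ev):
            continue
        src = ev.get("sourceIPAddress", "")
        if source_is_allowed(src):
            continue
        match = INSTANCE_SESSION.search(ev["userIdentity"].get("arn", ""))
        findings.append({
            "instance": match.group(1) if match else None,
            "role_arn": ev["userIdentity"].get("arn"),
            "source_ip": src,
            "call": f"{ev.get('eventSource')}:{ev.get('eventName')}",
            "time": ev.get("eventTime"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_stolen_credential_use(SAMPLE_EVENTS):
        print("instance credentials used off-host:", finding)
```

Two things to keep in mind when running this against real trails: the VPC CIDR only appears as the source address when the call went through a VPC endpoint, so instances that reach AWS through a NAT gateway need that gateway's public address in the allow list instead, and the first thing a thief usually does with freshly stolen instance credentials is `sts:GetCallerIdentity`, so that call from an unexpected address is worth paging on by itself.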