Attackers used a combination of found credentials and artificial intelligence (AI) to gain administrative access to an Amazon Web Services (AWS) environment in less than 10 minutes. The incident demonstrates once again how AI is rapidly becoming a force multiplier for threat actors to move more quickly than ever. A threat actor gained initial access to the environment via credentials discovered in public Simple Storage Service (S3) buckets and then quickly escalated privileges during the attack, which moved laterally across 19 unique AWS principals, the Sysdig Threat Research Team (TRT) revealed in a report published Tuesday. Throughout the attack, which occurred on Nov. 28, 2025, the threat actor leveraged large language models (LLMs) to automate reconnaissance, generate malicious code, and make real-time decisions, according to researchers. In fact, it appears that using LLMs played a pivotal role in both the speed with which attackers operated and the agility with which they moved laterally, according to Sysdig.

Full report : The AI-assisted attack, which started with exposed credentials from public S3 buckets, rapidly achieved administrative privilges.