2026-05-28 · aws-security
AWS's latest security post focuses on one of the most common ways modern systems get compromised: the software supply chain. The article uses recent npm incidents, including Shai-Hulud and axios, to show how quickly a single compromised package can spread into developer environments and CI/CD systems. The core message is simple: if attacker-controlled code can reach your build path, your secrets and infrastructure are at risk. That makes offline key storage, short-lived credentials, and strict secret handling part of the same defense story.
AWS published a detailed set of best practices for software supply chain security after multiple notable npm attacks. The post explains how phishing, compromised maintainer accounts, and malicious package releases can turn a normal dependency update into an intrusion path. It also ties the guidance to the AWS Well-Architected Security Pillar.
Supply chain compromise is expensive because it often starts with trusted tooling and ends with leaked credentials, stolen cloud access, or poisoned deployments. Once a CI/CD pipeline or developer machine is touched, the blast radius can reach repositories, cloud accounts, and production systems. Recovery is slow because teams must assume the attacker may have copied secrets or planted persistence.
Cold storage does not solve package compromise, but it does eliminate one major failure mode: exposed long-lived keys. AWS recommends temporary credentials, least privilege, and centralized secret storage instead of static secrets in code or local config files. The same principle applies to high-value crypto or custody keys: keep signing material offline, minimize exposure windows, and make compromise harder to turn into permanent loss.
Read Original Post →