1K
Downloads
32
Episodes
Stay ahead of the latest cybersecurity trends with Cyberside Chats! Listen to our weekly podcast every Tuesday at 6:30 a.m. ET, and join us live once a month for breaking news, emerging threats, and actionable solutions. Whether you’re a cybersecurity professional or an executive looking to understand how to protect your organization, cybersecurity experts Sherri Davidoff and Matt Durrin will help you stay informed and proactively prepare for today’s top cybersecurity threats, AI-driven attack and defense strategies, and more!
Join us on August 27th for our next interactive Cyberside Chats: Live! on Betrayal, Backdoors and Payback: When Hackers Become The Hacked!
Episodes
Tuesday Aug 05, 2025
Tuesday Aug 05, 2025
A silent compromise, nearly a million developers affected, and no one at Amazon knew for six days. In this episode of Cyberside Chats, we’re diving into the Amazon Q AI Hack, a shocking example of how vulnerable our software development tools have become.
Join hosts Sherri Davidoff and Matt Durrin as they unpack how a misconfigured GitHub token allowed a hacker to inject destructive AI commands into a popular developer tool. We’ll walk through exactly what happened, how GitHub security missteps enabled the attack, and why this incident is a critical wake-up call for supply chain security and AI tool governance.
We’ll also spotlight other supply chain breaches like the SolarWinds Orion backdoor and XZ Utils compromise, plus AI tool mishaps where “helpful” assistants caused real-world damage. If your organization uses AI developer tools—or works with third-party software vendors—this episode is a must-listen.
Key Takeaways:
▪ Don’t Assume AI Tools Are Safe Just Because They’re Popular
Amazon Q had nearly a million installs—and it still shipped with malicious code. Before adopting any AI-based tools (like Copilot, Q, or Gemini), vet their permissions, access scope, and how updates are managed.
▪ Ask Your Software Vendors About Their Supply Chain Security
If you rely on third-party developers or vendors, request details on how they manage build pipelines, review code changes, and prevent unauthorized commits. A compromised vendor can put your entire environment at risk.
▪ Hold Vendors Accountable for Secure Development Practices
Ask whether your vendors enforce commit signing, use GitHub security features (like push protection and secret scanning), and apply multi-person code review processes. If they can't answer, that's a red flag.
▪ Be Wary of Giving AI Assistants Too Much Access
Whether it’s an AI chatbot that can write config files or a developer tool that interacts with production environments, limit access. Always sandbox and monitor AI-integrated tools, and avoid letting them make direct changes.
▪ Prepare to Hear About Breaches From the Outside
Just like Amazon only found out about the malicious code in Q after security researchers reported it, many organizations won’t catch third-party security issues internally. Make sure you have monitoring tools, vendor communication protocols, and incident response processes in place.
▪ If You Develop Code Internally, Lock Down Your Build Pipeline
The Amazon Q hack happened because of a misconfigured GitHub token in a CI workflow. If you’re building your own code, review permissions on GitHub tokens, enforce branch protections, and require signed commits to prevent unauthorized changes from slipping into production.
#Cybersecurity #SupplyChainSecurity #AItools #DevSecOps #AmazonQHack #GitHubSecurity #Infosec #CybersideChats #LMGSecurity
No comments yet. Be the first to say something!