AWS admin privileges in 8 minutes with LLM assistance

Goal? LLMjacking and GPUjacking. Token mining is the new cryptomining.

Sysdig Threat Research Team (TRT) just published a report about an attack on an AWS environment featuring LLM use for recon, the classic "old credentials in a public S3 bucket" issue, and LLMjacking and GPUjacking as the objectives.

Highlights:

  • Initial access came from exposed credentials in a public S3 bucket, tied to AI workflows and discoverable via predictable naming.
  • The attacker moved fast, with indicators suggesting LLMs helped automate reconnaissance, generate code, and make next-step decisions in real time.
  • Privilege escalation used a serverless path, including Lambda update and code-injection-style activity, until administrative access was achieved.
  • Post-compromise behavior aligned with monetization through AI and compute abuse, including Bedrock usage and GPU instance provisioning.
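
Detection logic for the chain in the highlights above, as an added example that is not from the Sysdig report: it correlates CloudTrail records per account and flags a Lambda code update followed within a time window by Bedrock invocation or a GPU instance launch. The 30-minute window, the GPU family prefixes and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: GPU instance-family prefixes worth alerting on; tune to your estate.
GPU_PREFIXES = ("p3", "p4", "p5", "g4", "g5", "g6")

def classify(rec):
    """Map one CloudTrail record to a stage of the chain, or None."""
    src, name = rec.get("eventSource", ""), rec.get("eventName", "")
    if src == "lambda.amazonaws.com" and name.startswith("UpdateFunctionCode"):
        return "lambda_update"
    if src == "bedrock.amazonaws.com" and name.startswith("InvokeModel"):
        return "bedrock_use"
    if src == "ec2.amazonaws.com" and name == "RunInstances":
        itype = (rec.get("requestParameters") or {}).get("instanceType", "")
        if itype.startswith(GPU_PREFIXES):
            return "gpu_launch"
    return None

def find_chains(records, window_minutes=30):
    """Alert on a Lambda code update followed, in the same account, by AI/GPU use."""
    staged = []
    for rec in records:
        stage = classify(rec)
        if stage and not rec.get("errorCode"):  # successful calls only
            ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            staged.append((ts, rec.get("recipientAccountId"), stage, rec))
    staged.sort(key=lambda s: s[0])
    window, alerts = timedelta(minutes=window_minutes), []
    for i, (t0, acct, stage, rec) in enumerate(staged):
        follow = sorted({s for t, a, s, _ in staged[i + 1:]
                         if a == acct and s != "lambda_update" and t - t0 <= window})
        if stage == "lambda_update" and follow:
            alerts.append({"account": acct, "start": rec["eventTime"], "followed_by": follow})
    return alerts

def _rec(when, source, name, account, **params):
    return {"eventTime": when, "eventSource": source, "eventName": name,
            "recipientAccountId": account, "requestParameters": params or None}

SAMPLE = [  # constructed records with only the fields used above
    _rec("2025-01-01T10:00:05Z", "lambda.amazonaws.com", "UpdateFunctionCode20150331v2", "111111111111"),
    _rec("2025-01-01T10:04:10Z", "bedrock.amazonaws.com", "InvokeModel", "111111111111"),
    _rec("2025-01-01T10:07:30Z", "ec2.amazonaws.com", "RunInstances", "111111111111", instanceType="p4d.24xlarge"),
    _rec("2025-01-01T10:02:00Z", "ec2.amazonaws.com", "RunInstances", "222222222222", instanceType="t3.micro"),
    _rec("2025-01-01T14:00:00Z", "lambda.amazonaws.com", "UpdateFunctionCode20150331v2", "111111111111"),
]

if __name__ == "__main__":
    print(find_chains(SAMPLE))
```

Correlation is by account rather than by principal because the identity making the later calls can differ from the one that updated the function once privileges have been escalated.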

My take:

  1. LLMs are predictably collapsing the attacker timeline. Recon, planning, and iteration that used to take hours now happen in minutes.
  2. Pressure to implement AI in enterprises is surfacing basic security failures, especially in organizations without secure-by-design infrastructure.
  3. Expect more LLMjacking and GPUjacking. This is starting to look like cryptomining, except tokens are the new currency.

Sources:

AI-Assisted Cloud Intrusion Achieves Admin Access in 8 Minutes