Product
This brief details how attackers can leverage compromised AWS credentials to inject malicious, base64-encoded scripts into Amazon SageMaker notebook lifecycle configurations, which then execute as root on notebook instances, enabling persistence, credential theft, or further compromise of the AWS environment.