2026-06-01 –, Room 1
Automation platforms and AI agents have become the high-privilege nervous system of the modern enterprise. This session deconstructs a multi-stage exploit chain that began in a sandboxed Python environment and escalated to a full platform account takeover (ATO).
We reveal why the common assumption that Python’s del keyword sanitizes environment variables is a dangerous fallacy, demonstrating the recovery of "orphaned" STS tokens directly from the Lambda heap via /proc/self/mem. We then detail a technique for API-only ECR image extraction that circumvents Docker runtime monitoring to uncover hardcoded Model Context Protocol (MCP) keys and high-privilege NPM tokens. The chain concludes with a Stored XSS via dependency poisoning of a core design system, impacting the authenticated sessions of over 8,000 third-party integrations.
Attendees will leave with a technical checklist for auditing AI "code block" features and strategies for identifying orphaned secrets in serverless memory.
I’m Yair Balilti, Security Research Team Leader at Token Security. With over 8 years of experience in vulnerability research and offensive security, I now lead my team in uncovering vulnerabilities and securing AI-driven products. I’m passionate about exploring the intersection of cloud-native threats and the evolving AI landscape. When I’m not auditing models or breaking cloud internals, you’ll likely find me on a quest for the city’s best burger.