AWS is implicated in two separate campaigns this period: the reported APT41 credential harvesting operation targeting cloud IAM credentials and metadata API abuse (unconfirmed, secondary source), and the confirmed ShinyHunters supply chain attack where stolen Anodot tokens were used to access Amazon S3 buckets and Amazon Kinesis streams belonging to Anodot customers. The ShinyHunters exposure is confirmed with active data exfiltration; any organization using Anodot as an analytics integrator with S3 or Kinesis access should treat token revocation as an immediate containment action. For the APT41 campaign, audit CloudTrail for IMDSv1 metadata API calls, anomalous AssumeRoleWithWebIdentity events, and outbound DNS lookups to typosquatted amazonaws.com variants, and monitor CISA and AWS for authoritative confirmation.