short story:
> vulnerability in next.js via npm + pm2
> attacker gets access to my server
> finds my aws IAM credentials
> starts spinning up EC2 instances with shutdown prevention
> racks up $2,100 in charges in ONE DAY
thankfully AWS had my back and refunded it, even though it was my fault
moral of the story: even the most widely used open source projects can have insane security holes in them; make sure to monitor your shit, set limits, budgets and so on