Announcements on 61418

elhaz will be featured during fwd:cloudsec North America 2026 conference

Thu, 28 May 2026 15:25:08 -0400

Alex Smolen will be presenting at fwd:cloudsec North America 2026 in Bellevue, Washington on June 1st. Notably, Alex’s presentation will feature elhaz as he walks the audience through local AI-sandboxing.

Big thanks to Alex for featuring 61418’s work!

61418 will be attending fwd:cloudsec North America 2026. Come and say hello!

elhaz featured in the latest TL;DR Sec newsletter

Sat, 09 May 2026 20:01:26 -0400

elhaz appeared in the latest TL;DR Sec newsletter on May 7th, 2026.

This is the second time that a project maintained by 61418 has been featured in TL;DR Sec, the first time being boto3-refresh-session on June 5th, 2025’s newsletter. For that, we want to thank Clint Gibler for bringing attention to 61418’s projects, as well as Alex Smolen for his research into agent-credential isolation using elhaz.

elhaz featured in EngSecLab's blog for securely sandboxing AI agents

Mon, 27 Apr 2026 22:58:57 -0400

Alex Smolen of EngSecLabs released a wonderful blog post earlier today that is absolutely worth reading.

There has been a lot of discussion lately among security professionals about how to isolate AI agents from AWS credentials. In the above-linked blog post, Alex’s solution is to cleverly mount a Docker container with the Unix socket maintained by elhaz, install elhaz and the AWS CLI inside of that container, and create an AWS profile with a credential process which ingests temporary credentials emitted by the elhaz export command. Alex’s technique places firm policy + identity guardrails around any agent sandboxed by that container, effectively treating elhaz as a credential proxy. In the post, Alex also mentions a tool named TrailTool, which he maintains, which he uses to actively monitor AWS actions by agents and institute an intent-based approach to permissioning.

boto3-refresh-session influenced new features in AWS CLI v2

Mon, 13 Apr 2026 13:33:54 -0400

In September 2025, AWS released v2.30.3 of AWS CLI v2, which is the developer version of the AWS CLI.

Among many new features included in v2.30.3, the aws configure command was updated in two different ways:

The creation of a mfa-login command
The introduction of a aws_session_token parameter

boto3-refresh-session, among other projects maintained by different open source maintainers focused on AWS credentials and identity, influenced the creation of those new features. These features improve the experience of working with temporary credentials and OTP’s locally.

elhaz has been added to 61418's catalog

Sun, 22 Mar 2026 09:21:15 -0400

elhaz was written by Mike Letts and officially released by 61418 on March 22nd, 2026.

elhaz is a local AWS credential broker daemon exposed over a Unix socket.

Instead of a locally hosted HTTP metadata emulation service (ECS), which requires multiple processes for each assumed RoleArn, elhaz runs a single process (which accepts multiple concurrent connections) and serves automatically refreshed temporary AWS credentials on demand.

It caches AWS sessions for however long the daemon is kept alive, which eliminates redundant session initializations and STS calls.

61418's application for a PyPI organization was approved

Sun, 15 Mar 2026 09:20:15 -0400

We are proud to announce 61418’s application for an organization on PyPI was approved.

Going forward, all projects maintained by 61418 will be owned and stored by 61418’s organization on PyPI instead of individual user accounts.

boto3-refresh-session has been transferred to 61418

Fri, 06 Mar 2026 05:20:11 -0500

boto3-refresh-session was written by Mike Letts in February 2025, and it was transferred to 61418’s catalog on March 6th, 2026.

Since releasing, boto3-refresh-session has been downloaded approximately 185K times on PyPI, adopted and used by large companies like Netflix (at an enterprise scale), and featured in TL;DR Sec and CloudSecList. Notably, boto3-refresh-session also uses boto3-client-cache as a dependency.

boto3-refresh-session fills a niche but underserved need in the AWS ecosystem, specifically for developers using the AWS Python SDK (boto3). Although boto3 automatically refreshes temporary AWS credentials when authenticated using an AWS profile, this is not so in serverless environments where AWS profiles are untenable and/or impractical, among various other scenarios. Not every developer runs into this problem; however, those who have run into this problem historically were forced to refresh temporary credentials themselves. boto3-refresh-session standardizes an out-of-the-box solution to this gap. More, by leveraging boto3-client-cache, developers managing multiple sessions and many different clients/resources can also worry less about memory management due to duplicative client/resource objects and slow initialization times.

boto3-client-cache has been transferred to 61418

Mon, 02 Mar 2026 03:08:26 -0500

61418 is proud to announce its first project to enter the catalog: boto3-client-cache.

boto3-client-cache is a concurrency-safe, bounded cache for boto3 clients and resources with deterministic identity semantics and support for LRU and LFU eviction policies. It was created by Mike Letts and officially transferred to 61418 in late February 2026. It is also a core dependency for boto3-refresh-session.

This project was added to 61418’s catalogue because it brings clear value to everyone using the AWS Python SDK (boto3) due to the lack of native client and resource caching in boto3 (as mentioned below).

boto3-refresh-session featured in the latest TL;DR Sec newsletter

Thu, 05 Jun 2025 20:09:52 -0400

boto3-refresh-session appeared in the latest TL;DR Sec newsletter on June 5th, 2025.

Thank you for featuring 61418’s work, Clint Gibler!

boto3-refresh-session featured in the latest CloudSecList newsletter

Sun, 01 Jun 2025 20:09:52 -0400

boto3-refresh-session appeared in the latest CloudSecList newsletter on June 1st, 2025.

Thank you for featuring 61418’s work, Marco Lancini!