Permiso's got a write-up on an attacker targeting what appears to be public jupiter notebooks to steal AWS creds (but not all victims are on AWS and the infection vector is unknown). https://permiso.io/blog/s/christmas-cloud-cred-harvesting-campaign/