AWS security expert Nick Frichette noted on X: “These TAs [threat actors] were invoking a number of APIs which only appear in the console. They don't appear in the SDKs, nor the CLI. You might ask, ‘Nick, are these undocumented APIs?’. Well no, they do appear in documentation. For example, if you Google "GetFoundationModelAvailability" you do find some info from AWS… AWS developers commonly package API models as strings that we can extract using regexes,” Frichette commented.