Release Date: 27/07/2025 | Issue: 298
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

The Cost of CVEs Report 2025

CVEs aren’t just security risks, they’re an expensive, ongoing drain on resources. Chainguard’s new report reveals how vulns are costing orgs millions each year. From patch cycles and downtime to compliance overhead and incident response, the report breaks down the true, often overlooked, financial impact of vuln management. Based on data from top security and eng teams, it quantifies the costly toll of chasing CVEs.
The takeaway? Patching everything isn’t scalable.
It’s time for upstream strategies that eliminate CVEs before they reach production.

Read the report

This week's articles


PoisonSeed downgrading FIDO key authentications to fetch user accounts
Attack group PoisonSeed has recently found a way to downgrade FIDO key authentication in a new social engineering tactic via cross-device sign-in.   #attack   #iam


How we automated GitHub Actions Runner updates with Claude
How to use Claude Code to automate the process of updating ARM64 patches and reviewing dozens of commits just to keep GitHub Actions runner images in sync.   #ai   #build   #ci/cd


Introducing OSS Rebuild: Open Source, Rebuilt to Last
Google introduced OSS Rebuild, a project aimed at strengthening trust in open source package ecosystems by reproducing upstream artifacts to detect and prevent supply chain attacks.   #announcement   #build   #supply-chain


Zigazoo too, Another Firebase Boogaloo
Zigazoo, a social network for kids, has been found to have significant security vulnerabilities, including unauthorized access to user records, content, and account escalation, all related to Firebase.   #attack   #gcp


Searching for Secrets in Public GCP Images
Truffle Security scanned 8,400+ public GCP images and did not find a single exposed secret.   #attack   #gcp


Amazon Q: Now with Helpful AI-Powered Self-Destruct Capabilities
A hacker exploited a vulnerability in Amazon Q, an AI coding assistant, by submitting a malicious pull request that instructed the tool to delete files and cloud resources.   #ai   #attack


ToolShell Exploit Targets SharePoint Servers
New ToolShell exploit chain targets SharePoint via CVE-2025-53770/53771. This post reveals how it works, who's at risk, and how to detect and respond fast.   #attack   #defend   #saas


Soco404: Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload
Wiz Research has identified a new iteration of a broader malicious cryptomining campaign, which they dubbed Soco404.   #attack   #defend

Tools


kcp
Kcp is a prototype of a multi-tenant Kubernetes control plane for workloads on many clusters.


sigma-cli
The Sigma command line interface based on pySigma.


iam-convert
Convert JSON IAM Policies to other formats.


platform-template
Template for deploying Workers for Platforms with subdomain routing and custom hostnames.


Get-AzWebAppTokens
PowerShell function for extracting credentials from Azure App Services applications that have integrated Entra ID authentication. You can also refer to the companion blog post.

From the cloud providers


#AWS   Implement monitoring for Amazon EKS with managed services
This solution demonstrates building an EKS platform that combines flexible compute options with enterprise-grade observability using AWS native services and OpenTelemetry.


#GCP   How to enable Secure Boot for your AI workloads
Secure Boot can help protect AI from the moment GPU-accelerated workloads power up. Here's how to use it on Google Cloud.


#AZURE   Introducing Microsoft Sentinel data lake
Sentinel data lake is rolling out in Public Preview, giving security teams a powerful, cost-effective way to unify, retain, and analyze all security data.


#AZURE   Important Update to the Get-FederationInformation Cmdlet in Exchange Online
Going forward, the DomainNames field will no longer return all federated domain information. Instead, it will only include the domain information that is passed as the parameter.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini