Release Date: 14/09/2025 | Issue: 305
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Search years of logs in seconds & eliminate SIEM blindspots

Scanner is the world’s fastest, easiest, and most scalable security data lake allowing you to search petabytes of logs in seconds, reduce risk by eliminating SIEM coverage blindspots, and deploy in a day - all while maintaining full custody of your data. Scanner is up to 700X faster than Athena and 70-80% less expensive than legacy SIEMs.

Learn more about How Scanner Works

This week's articles


Widespread npm Supply Chain Attack: Breaking Down Impact & Scope Across Debug, Chalk, and Beyond
A deeper look at the npm debug/chalk supply-chain incident: deobfuscating the wallet-hijacking browser interceptor, quantifying the ~2-hour exposure with Wiz telemetry (~99% package prevalence, ~10% malware presence), and unpacking what made it spread so fast.   #attack   #defend   #supply-chain


Introducing the MCP Registry
This post announces the launch of MCP Registry, an open catalog and API for discovering MCP servers. It standardizes server distribution, allows creation of sub-registries, and includes community-driven moderation features.   #announcement   #ai


From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover
Exposed cloud credentials become the launchpad for mass phishing, highlighting email services as a prime target in cloud exploitation campaigns.   #aws   #attack


Understanding OAuth application attacks and defenses
Red Canary's Threat Hunting team recently investigated an incident that illustrates how stealthy and patient an OAuth application attack can be.   #attack   #saas


SharePoint Online as a Weapon: Offensive Tactics in Microsoft 365 Collaboration
This post walks through a structured attack chain mapped to the SharePoint Online Attack Matrix, showing how to move from initial access to impact using only native features, with minimal noise and a whole lot of cloud-native mischief.   #attack   #defend   #saas


GitHub Actions: A Cloudy Day for Security - Part 1
This article discusses securing GitHub Actions CI/CD pipelines against contributors with repository access, covering script injection prevention, branch protections, secrets management, environment security, and tag protection best practices.   #ci/cd   #github   #attack
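The script-injection problem the article covers, as an added example that is not code from the article: a `run:` step that interpolates attacker-controlled event data (here a PR title) straight into the shell script, beside the hardened form that passes the value through an environment variable. Both workflows are constructed for this example, and the detector is a small line-based scanner rather than a YAML parser; it conservatively flags every `github.event.*` field and `github.head_ref` inside a `run:` step, so the numeric `github.event.pull_request.number` is reported too.

```python
"""Script injection in GitHub Actions: an untrusted event field expanded
inside a `run:` step becomes part of the shell script itself.

Added example, not code from the article. The two workflows below are
constructed; the detector is a small line-based scanner, not a YAML parser.
"""
import re

# Constructed: a privileged workflow (pull_request_target runs with repo secrets)
# that interpolates attacker-controlled PR metadata straight into a shell step.
VULNERABLE_WORKFLOW = """\
name: greet
on: pull_request_target
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        run: echo "PR title: ${{ github.event.pull_request.title }}"
      - name: Show branch
        run: |
          echo "Branch: ${{ github.head_ref }}"
          echo "Number: ${{ github.event.pull_request.number }}"
"""

# Constructed: the same step hardened. The expression is evaluated into an
# environment variable, and the shell only ever sees "$PR_TITLE" as data.
HARDENED_WORKFLOW = """\
name: greet
on: pull_request_target
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"
"""

RUN_KEY_RE = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# Conservative: anything from the triggering event (titles, bodies, branch
# names, commit messages, ...) or github.head_ref is treated as attacker-influenced.
UNTRUSTED_RE = re.compile(r"\bgithub\.(?:event\.|head_ref\b)")


def run_steps(workflow_text):
    """Return (line_number, script) for every run: step, handling both
    inline values and `|` / `>` block scalars (more-indented lines)."""
    lines = workflow_text.splitlines()
    steps, i = [], 0
    while i < len(lines):
        m = RUN_KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        line_no, key_col, value = i + 1, lines[i].index("run:"), m.group(1).strip()
        i += 1
        if value.startswith(("|", ">")):
            body = []
            while i < len(lines) and (
                not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > key_col
            ):
                body.append(lines[i].strip())
                i += 1
            value = "\n".join(body)
        steps.append((line_no, value))
    return steps


def find_injections(workflow_text):
    """Flag every ${{ }} expression inside a run: step that references untrusted input."""
    return [
        (line_no, expr)
        for line_no, script in run_steps(workflow_text)
        for expr in EXPR_RE.findall(script)
        if UNTRUSTED_RE.search(expr)
    ]


def expand(script, context):
    """Mimic the runner: expressions are substituted textually before bash parses the script."""
    return EXPR_RE.sub(lambda m: context.get(m.group(1), ""), script)


# Constructed payload: closes the quoted string, runs a command, reopens the quote.
MALICIOUS_TITLE = 'fix typo"; id; echo "'

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, find_injections(wf))
    first_script = run_steps(VULNERABLE_WORKFLOW)[0][1]
    print(expand(first_script, {"github.event.pull_request.title": MALICIOUS_TITLE}))
```

Running it shows the vulnerable step expanding to `echo "PR title: fix typo"; id; echo ""`, i.e. `id` runs as its own command, while the hardened workflow produces no findings because the expression lives in `env:` and the shell receives the title as a variable value it never re-parses.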


Copilot Broke Your Audit Log, but Microsoft Won’t Tell You
This article reveals a vulnerability in Microsoft 365 Copilot where users could access file contents through Copilot without generating an audit log entry, simply by asking Copilot to omit the file links. Microsoft fixed the issue but chose not to disclose it.   #ai   #azure   #attack


Ghost in the Script: Impersonating Google App Script projects for stealthy persistence
Exploring the risks of Google Apps Script abuse, from cryptomining to stealthy service accounts, and ways to detect misuse.   #gsuite   #attack   #defend   #monitor


GCP Workload Identity Federation with AWS ECS Tasks
GCP Workload Identity Federation does not support AWS ECS tasks out of the box. Here is why and what you can do about it.   #aws   #gcp   #iam   #containers

Sponsor

MCP & AI Agents: Powerful, but Risky

MCP & AI agents boost productivity—but what stops them from deleting prod data or leaking sensitive info? AI agents powered by MCP are transforming work—but without the right safeguards, they can expose sensitive data, overstep permissions, and create audit blind spots. This post by Boris Kurktchiev, Dylan Souvage, and Thierno Diallo explains how an identity-first model with Teleport + AWS brings Zero Trust, just-in-time access, and full visibility to enterprise AI.

Learn how to secure MCP at scale

Tools


findmytakeover
Find dangling domains in a multi cloud environment.
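The class of check such a tool performs, as an added example that is not findmytakeover's own code: cross-reference exported DNS records against the hostnames and public IPs actually allocated across your cloud accounts, and rank what is left over. Every inventory below is constructed, the list of takeover-prone service suffixes and the provider IP range are assumptions for illustration, and DNS resolution is injected as a callable so the block runs offline.

```python
"""Dangling DNS check: a record that still points at a cloud resource no
account of yours owns any more is a takeover candidate.

Added example, not findmytakeover's code. All inventories below are constructed;
a real run would export zone records and enumerate assets from each provider.
"""
import ipaddress

# Assumed list of services where a released hostname can be re-registered by anyone.
TAKEOVER_SUFFIXES = (
    ".s3.amazonaws.com", ".cloudfront.net", ".elasticbeanstalk.com",
    ".azurewebsites.net", ".blob.core.windows.net", ".trafficmanager.net",
    ".storage.googleapis.com", ".github.io", ".herokuapp.com",
)


def check_records(records, owned_hostnames, owned_ips, cloud_ranges, resolves):
    """records: (name, type, value) tuples exported from your DNS zones.
    owned_hostnames / owned_ips: assets enumerated across all your cloud accounts.
    cloud_ranges: provider IP networks as CIDR strings.
    resolves(hostname) -> bool: whether the target still resolves (injected to run offline)."""
    owned_hosts = {h.lower().rstrip(".") for h in owned_hostnames}
    owned_addrs = {ipaddress.ip_address(i) for i in owned_ips}
    nets = [ipaddress.ip_network(c) for c in cloud_ranges]
    findings = []
    for name, rtype, value in records:
        value = value.lower().rstrip(".")
        if rtype == "CNAME":
            if value in owned_hosts:
                continue
            if resolves(value):
                findings.append((name, "REVIEW", f"CNAME to {value}: not yours, but still resolves (third party?)"))
            elif value.endswith(TAKEOVER_SUFFIXES):
                findings.append((name, "HIGH", f"CNAME to {value}: NXDOMAIN on a service where anyone can claim the name"))
            else:
                findings.append((name, "MEDIUM", f"CNAME to {value}: NXDOMAIN, check whether the target can be re-registered"))
        elif rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(value)
            # Only provider-owned space matters here: a released elastic/public IP can be
            # handed to another tenant, while on-prem space is not reallocated that way.
            if ip in owned_addrs or not any(ip in n for n in nets):
                continue
            findings.append((name, "HIGH", f"{value} is in a provider range but no longer allocated to you"))
    return findings


# Constructed sample data (RFC 5737 documentation addresses and example.* names).
SAMPLE_RECORDS = [
    ("www.example.com", "CNAME", "d111111abcdef8.cloudfront.net."),
    ("old-blog.example.com", "CNAME", "retired-blog.azurewebsites.net"),
    ("docs.example.com", "CNAME", "vendor-docs.example.net"),
    ("api.example.com", "A", "203.0.113.10"),
    ("legacy.example.com", "A", "203.0.113.200"),
    ("vpn.example.com", "A", "198.51.100.7"),
    ("example.com", "MX", "10 mail.example.com"),
]
SAMPLE_OWNED_HOSTNAMES = {"d111111abcdef8.cloudfront.net"}
SAMPLE_OWNED_IPS = {"203.0.113.10"}
SAMPLE_CLOUD_RANGES = ["203.0.113.0/24"]  # constructed stand-in for a published provider range
SAMPLE_RESOLVABLE = {"d111111abcdef8.cloudfront.net", "vendor-docs.example.net"}


def scan_sample():
    """Run the check over the constructed inventory above."""
    return check_records(SAMPLE_RECORDS, SAMPLE_OWNED_HOSTNAMES, SAMPLE_OWNED_IPS,
                         SAMPLE_CLOUD_RANGES, lambda host: host in SAMPLE_RESOLVABLE)


if __name__ == "__main__":
    for name, severity, detail in scan_sample():
        print(f"{severity:6} {name}: {detail}")
```

On the sample data this reports old-blog.example.com (CNAME to an unresolvable azurewebsites.net name) and legacy.example.com (an address in the provider range that is no longer yours) as HIGH, and docs.example.com as REVIEW; the multi-cloud part of the job is building the owned_hostnames and owned_ips sets from every provider before trusting a HIGH.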


DetectPack-Forge
Turn plain-English behaviors or small log samples into production-ready detection packs — Sigma, KQL (Sentinel), and SPL (Splunk) — with tests and a short response playbook, all mapped to MITRE ATT&CK.


badpie
Proof-of-concept Python package index/mirror proxy tool. You can also refer to the companion blog post.


Inboxfuscation
An offensive & defensive framework for mailbox rule obfuscation and detection in Exchange environments.

From the cloud providers


#AWS   Overview of security services available in AWS Dedicated Local Zones
Dedicated Local Zones provide a solution for running regulated workloads that must meet strict data residency and digital sovereignty requirements, integrating services such as the AWS Nitro System, AWS KMS External Key Store, ACM, AWS Shield, Amazon GuardDuty, Amazon Inspector, and AWS CloudTrail.


#AZURE   Azure mandatory multifactor authentication: Phase 2 starting in October 2025
Multifactor enforcement for Azure Portal sign-ins was rolled out for 100% of Azure tenants in March 2025. Now, Azure is announcing the start of Phase 2 MFA enforcement at the Azure Resource Manager layer, starting October 1, 2025.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini