Release Date: 15/03/2026 | Issue: 329
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

When your CEO calls, will you know it's real?
Today's phishing attacks involve AI voices, videos, and deepfakes of company executives. Adaptive Security is the first security awareness platform built to stop AI-powered social engineering.
Adaptive protects your team with:
  • AI-driven risk scoring that reveals what attackers can learn from public data
  • Deepfake attack simulations featuring your own executives
  • Interactive, customizable training content
See the Interactive Demo

This week's articles


When an AI agent came knocking: Catching malicious contributions in Datadog's open source repos
How Datadog discovered malicious issues and pull requests in two of their public repositories, the result of attacks by hackerbot-claw, an AI agent built to target GitHub Actions and LLM-powered workflows.


Bucketsquatting is (Finally) Dead
AWS introduced account regional namespaces for S3 (bucket names of the form <prefix>-<accountid>-<region>-an) to eliminate bucketsquatting, where an attacker re-creates a bucket name that its previous owner deleted but that applications, IaC and scripts still reference.
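An added example, not code from the article or from AWS: a small audit that takes bucket names found in code and config, separates the ones that sit in an account regional namespace (bound to an account id, so another account cannot claim them) from legacy global-namespace names, and flags global-namespace names that are not in your own inventory as dangling and therefore squattable. The naming format is taken as stated in the summary above and should be verified against the AWS documentation; the account id, inventory and references are constructed for the demo.

```python
"""Bucketsquatting audit (added example, not from the linked article or AWS).

Assumption: account regional bucket names follow <prefix>-<accountid>-<region>-an,
as stated in the newsletter summary. Sample data below is constructed."""
import re

# Assumed format: <prefix>-<12-digit account id>-<region>-an
ACCOUNT_REGIONAL_RE = re.compile(
    r"^(?P<prefix>[a-z0-9][a-z0-9.-]*)"
    r"-(?P<account>\d{12})"
    r"-(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)"
    r"-an$"
)


def parse_bucket_name(name):
    """Return (prefix, account_id, region) for an account regional name, else None."""
    m = ACCOUNT_REGIONAL_RE.match(name)
    if not m:
        return None
    return m.group("prefix"), m.group("account"), m.group("region")


def classify_reference(name, owned_buckets, my_account):
    """Classify one bucket name referenced in code or config.

    account-regional          bound to our account id: cannot be claimed by anyone else
    foreign-account-regional  bound to a different account id: check why we reference it
    owned-global              legacy global-namespace name that currently exists in our inventory
    dangling-global           legacy name we do not own: squattable, or already squatted
    """
    parsed = parse_bucket_name(name)
    if parsed:
        _, account, _ = parsed
        return "account-regional" if account == my_account else "foreign-account-regional"
    return "owned-global" if name in owned_buckets else "dangling-global"


def audit(references, owned_buckets, my_account):
    """Map every referenced bucket name to its classification."""
    return {name: classify_reference(name, owned_buckets, my_account) for name in references}


# Constructed sample data for the demo (hypothetical account id and names).
MY_ACCOUNT = "111122223333"
OWNED = {"prod-artifacts", "logs-111122223333-us-east-1-an"}
REFERENCES = [
    "prod-artifacts",                   # exists, but still a global-namespace name
    "old-deploy-assets",                # deleted long ago, still referenced by a script
    "logs-111122223333-us-east-1-an",   # account regional, ours
    "logs-999988887777-us-east-1-an",   # account regional, a different account
]

if __name__ == "__main__":
    for bucket, verdict in audit(REFERENCES, OWNED, MY_ACCOUNT).items():
        print(f"{verdict:26} {bucket}")
```

In practice the inventory comes from ListBuckets across your accounts and the references from grepping repositories and IaC state; "dangling-global" hits are the ones to remove from code or migrate to an account regional name.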


Under the hood: Security architecture of GitHub Agentic Workflows
GitHub Agentic Workflows secure AI agents in GitHub Actions via a three-layer architecture (substrate, configuration, planning), enforcing container isolation, zero-secret agent access, write-buffering with vetted safe outputs, firewall-controlled egress, and comprehensive boundary logging.


The MCP AuthN/Z Nightmare
An analysis of MCP AuthN/Z security challenges: attack vectors (tool poisoning, prompt injection, command injection), OAuth2/SSO vulnerabilities in remote deployments, and critical flaws in the proposed enterprise JAG extension.


Behind the console: Active phishing campaign targeting AWS console credentials
Datadog Security Research identified an active adversary-in-the-middle (AiTM) phishing campaign targeting AWS Console credentials, hosted on typosquatted domains that mimic AWS infrastructure; because the proxy relays the real login flow, the victim's MFA code is captured along with the password.
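An added detection example, not part of the Datadog research: a scorer for hostnames seen in proxy or DNS logs that flags AWS console lookalikes. It covers two common tricks, the real brand placed in a subdomain of an attacker-controlled apex (signin.aws.amazon.com.evil.net) and a registrable domain that is a near-miss of an AWS apex (amaz0n.com). The AWS hostnames are real; the sample hostnames, the weights and the threshold are constructed assumptions to tune per environment, and the two-label apex extraction stands in for a proper public-suffix-list lookup.

```python
"""AWS console lookalike scorer (added example, not from the Datadog write-up).

Assumptions: weights, threshold and sample hostnames are constructed; a real
deployment would replace registrable_domain() with a public-suffix-list library."""
import difflib

# Real AWS apexes under which genuine console and service hostnames live.
LEGIT_APEXES = ("amazon.com", "amazonaws.com", "aws.amazon.com")
# Brand tokens a phishing page needs in its hostname to look convincing.
BRAND_TOKENS = ("aws", "amazon", "signin", "console")
SUSPICIOUS_THRESHOLD = 0.4  # assumption: tune on your own traffic


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the .com/.net hosts in the demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_legit(host):
    """True only if the host is exactly an AWS apex or a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == apex or h.endswith("." + apex) for apex in LEGIT_APEXES)


def lookalike_score(host):
    """Return (score, reasons); higher is more suspicious, 0.0 for genuine AWS hosts."""
    h = host.lower().rstrip(".")
    if is_legit(h):
        return 0.0, []
    labels = h.split(".")
    apex = registrable_domain(h)
    score, reasons = 0.0, []

    # 1. Brand token anywhere in the subdomain labels of a non-AWS apex.
    if any(tok in label for label in labels[:-2] for tok in BRAND_TOKENS):
        score += 0.5
        reasons.append("AWS brand token in subdomain of non-AWS apex")

    # 2. Registrable domain is a near-miss of an AWS apex (typosquat).
    best = max(difflib.SequenceMatcher(None, apex, legit).ratio() for legit in LEGIT_APEXES)
    if best >= 0.75:
        score += best
        reasons.append(f"apex {apex!r} resembles an AWS apex (ratio {best:.2f})")

    # 3. Brand token inside the registrable label itself (aws-console-login.com).
    if any(tok in apex.split(".")[0] for tok in BRAND_TOKENS):
        score += 0.4
        reasons.append("AWS brand token in registrable domain")

    return round(score, 2), reasons


def triage(hosts):
    """Return the hosts, in input order, whose score reaches the threshold."""
    return [h for h in hosts if lookalike_score(h)[0] >= SUSPICIOUS_THRESHOLD]


# Constructed sample hostnames, as they might appear in proxy logs.
SAMPLE_HOSTS = [
    "signin.aws.amazon.com",            # genuine
    "s3.us-east-1.amazonaws.com",       # genuine
    "github.com",                       # unrelated
    "signin.aws.amazon.com.evil.net",   # brand in subdomain of attacker apex
    "amaz0n.com",                       # typosquat of amazon.com
    "aws-console-login.com",            # brand inside the registrable label
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        score, reasons = lookalike_score(host)
        print(f"{score:4}  {host:34} {'; '.join(reasons)}")
```

Feed it newly registered or newly seen domains rather than all traffic, and pair a hit with the session evidence that matters for AiTM: a successful console login shortly after a visit to the flagged host is the signal to rotate credentials and revoke sessions.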

Tools


Google Workspace CLI
Google's official command-line tool for Google Workspace, covering Drive, Gmail, Calendar, Sheets, Docs, Chat, Admin, and more.


nord-stream
Nord Stream is a tool that allows you to extract secrets stored inside CI/CD environments by deploying malicious pipelines.


portless
Replace port numbers with stable, named local URLs. For humans and agents.


trajan
A multi-platform CI/CD vulnerability detection and attack automation tool for identifying security weaknesses in pipeline configurations. You can also check out the companion blog post.


rtk
CLI proxy that reduces LLM token consumption by 60-90% on common dev commands.


bromure
Secure, ephemeral browsing in a disposable VM (macOS only).

From the cloud providers


#AWS   Introducing account regional namespaces for Amazon S3 general purpose buckets
AWS launches a new Amazon S3 feature that lets you create general purpose buckets in your own account regional namespace, simplifying bucket creation and management as your data storage needs grow in size and scope.


#GCP   Google Cloud minimum viable secure platform
A checklist of items that Google recommends to obtain a minimum viable secure platform on Google Cloud.

Upcoming Events


CONF   RSAC 2026 Conference
Mar 23-26, 2026 | San Francisco, United States

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini