InfoQ Homepage Cloud Security Content on InfoQ
-
Open Source Security Tool Trivy Hit by Supply Chain Attack, Prompting Urgent Industry Response
A major security incident affecting the widely used open source vulnerability scanner Trivy has exposed critical weaknesses in software supply chain security, after maintainers confirmed that a malicious release was briefly distributed to users.
-
Cloudflare Adds Active API Vulnerability Scanning to Its Edge
Cloudflare has announced the open beta of its Web and API Vulnerability Scanner. This Dynamic Application Security Testing (DAST) tool is part of the API Shield platform.
-
Kubescape 4.0 Brings Runtime Security and AI Agent Scanning to Kubernetes
Version 4.0 of the open source Kubernetes security platform Kubescape has been released, bringing runtime threat detection and a new set of AI-era security features. This is the first time the project has targeted the security of AI agents themselves, alongside its established scanning capabilities.
-
HashiCorp Vault 1.21 Brings SPIFFE Authentication, Granular Secret Recovery, and More
HashiCorp has released Vault 1.21. This version introduces native SPIFFE authentication for non-human workloads, expands the granular secret recovery model introduced in Vault 1.20, and adds KV v2 secret attribution, MFA TOTP self-enrollment, a Vault Secrets Operator CSI driver that mounts secrets directly into pods without persisting them in etcd, and more.
-
AWS Launches Managed Openclaw on Lightsail amid Critical Security Vulnerabilities
AWS launched managed OpenClaw on Lightsail for AI agent deployment while security concerns mount. The 250k-star GitHub project is affected by CVE-2026-25253, which enables one-click RCE, with 17,500+ vulnerable instances exposed. Bitdefender found 20% of ClawHub skills malicious. AWS blueprint provides automated hardening, but doesn't address architectural security limits.
-
Standardizing Post-Quantum IPsec: Cloudflare Adopts Hybrid ML-KEM to Replace Ciphersuite Bloat
Cloudflare has extended hybrid post-quantum encryption to IPsec and WAN traffic, standardizing its SASE stack ahead of the NIST 2030 deadline. By adopting a streamlined ML-KEM key exchange, the move addresses long-standing "ciphersuite bloat" in quantum-resistant IPsec. The update aims to neutralize "harvest now, decrypt later" threats without requiring specialized hardware upgrades.
-
Teleport Launches Agentic Identity Framework to Secure AI Agents across Enterprise Infrastructure
Teleport recently unveiled the Teleport Agentic Identity Framework, a new AI-centered security model designed to help enterprises safely deploy autonomous and semi-autonomous AI agents across cloud and on-premises environments.
-
CloudFront Adds Origin mTLS Authentication for End-to-End Zero Trust
Amazon CloudFront now supports mutual TLS authentication for origin servers, completing end-to-end zero-trust authentication from viewers to backends. The feature replaces IP allowlists and shared secrets with cryptographic verification, proving particularly valuable for multi-cloud deployments, where origins can verify that traffic originated from CloudFront without VPN tunnels.
-
Two Missing Characters: How a Regex Flaw Exposed AWS GitHub Repos to Supply-Chain Risk
AWS recently published a security bulletin acknowledging a configuration issue affecting some popular AWS-managed open-source GitHub repositories. Dubbed CodeBreach, the critical vulnerability could have resulted in the introduction of malicious code and hijacking of the repositories leveraging AWS CodeBuild.
-
Cloudflare Scales Infrastructure as Code with Shift-Left Security Practices
Cloudflare has eliminated manual configuration errors across hundreds of production accounts by implementing Infrastructure as Code with automated policy enforcement, processing approximately 30 merge requests daily while catching security violations before deployment rather than after incidents occur.
-
AWS Introduces VPC Encryption Controls to Enforce Encryption in Transit
AWS has recently introduced VPC Encryption Controls, allowing customers to validate whether traffic within and between VPCs is encrypted and to require encryption where supported. The feature provides visibility into unencrypted traffic, supports enforcement using compatible Nitro-based infrastructure, and allows exclusions for resources that cannot encrypt traffic.
-
MongoBleed Vulnerability Allows Attackers to Read Data from MongoDB's Heap Memory
MongoDB recently patched CVE-2025-14847, a vulnerability affecting multiple supported and legacy MongoDB Server versions. According to the disclosure, the flaw can be exploited remotely by unauthenticated attackers with low complexity, potentially leading to the exfiltration of sensitive data and credentials.
-
Docker Makes Hardened Images Free in Container Security Shift
Docker has made its catalogue of more than 1,000 hardened container images freely available under an open source licence. Docker Hardened Images were previously a commercial offering launched in May 2025, but are now accessible to all developers under an Apache 2.0 licence with no restrictions on use or distribution.
-
AWS and Google Cloud Preview Secure Multicloud Networking
In a surprising move, AWS and Google Cloud have recently partnered to simplify multicloud networking, introducing a common standard and leveraging "AWS Interconnect - Multicloud" and "Google Cloud's Cross-Cloud Interconnect". The new option makes it easier for organizations to manage and secure workloads across both clouds, with Azure expected to join in 2026.
-
Azure API Management Premium v2 GA: Simplified Private Networking and VNet Injection
Microsoft has launched API Management Premium v2, redefining security and ease-of-use in cloud API gateways. This new architecture enhances private networking by eliminating management traffic from customer VNets. With features like Inbound Private Link, availability zone support, and custom CA certificates, users gain unmatched networking flexibility, resilience, and significant cost savings.