Datadog Changes RPM Signing Key Exposed in CircleCI Hack

By Adeola Adegunwa, Writer, Informationsecuritybuzz | Jan 16, 2023 09:31 pm PST

Datadog, a cloud security company, reports that a recent CircleCI security incident exposed one of its RPM GPG signing keys and its passphrase. The business has yet to discover proof that this key has been compromised or misused.

Datadog stated that as of January 16th, 2023, it had no proof that the key was actually leaked or misused. Out of an abundance of caution, it was nevertheless taking the following steps.

Datadog has issued a new version of its Agent 5 RPM for CentOS/RHEL, signed with a new key, in response to CircleCI’s announcement that the threat actor took customers’ environment variables, tokens, and keys from its databases. The business has also issued a fresh Linux install script that deletes the problematic key from the RPM and Datadog repositories.

Datadog Assures That Its Repos Are Unaffected

Even if the attacker were to successfully obtain the signing key and create a malicious RPM package, according to Datadog, they would still need access to the official package repositories in order to utilize it to attack the company’s customers.

“The legitimate Datadog repositories were unaffected. If the signing key were to be genuinely released, it could be used to create an RPM package that appears to be from Datadog, but that alone would not be sufficient to add it to our official package repository,” said Datadog.

A hypothetical attacker who possesses the compromised key would still need to upload the crafted RPM package to a repository used by the system. Customers are encouraged to make sure that their systems no longer trust the compromised key and, if they still do, to remove the key and verify that all installed packages were built by Datadog, following the steps in Datadog’s documentation.
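The check described above, sketched as a shell script (an added example, not Datadog's published procedure or install script): it lists the RPM trust entries for a key and the installed packages whose signature was made with it. The key ID, package names and sample lines are constructed placeholders; the real key ID has to come from Datadog's advisory.

```shell
#!/bin/sh
# Added example: find out whether a host still trusts a given RPM signing key
# and which installed packages carry a signature made with it.
# KEY_ID is a placeholder; take the real 16-hex key ID from the vendor advisory.
KEY_ID="${KEY_ID:-00000000deadbeef}"

# Last 8 hex digits, lowercased: rpm stores imported keys as pseudo-packages
# named gpg-pubkey-<short id>-<creation time>.
short_id() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | sed 's/.*\(........\)$/\1/'
}

# stdin: output of `rpm -q gpg-pubkey`; prints the entries for key $1.
trusted_key_entries() {
    grep "^gpg-pubkey-$(short_id "$1")-" || true
}

# stdin: lines "<name-version-release> <pgpsig text>"; prints the packages
# whose signature ends in "Key ID <$1>". Unsigned packages show "(none)".
packages_signed_by() {
    awk -v want="$(printf '%s' "$1" | tr 'A-F' 'a-f')" \
        'tolower($NF) == want { print $1 }'
}

# Constructed sample data, so the functions can be exercised without rpm.
SAMPLE_KEYS='gpg-pubkey-deadbeef-5f000000
gpg-pubkey-0badcafe-60000000'
SAMPLE_PKGS='example-agent-1.0-1 RSA/SHA256, Tue 10 Jan 2023 10:00:00 AM UTC, Key ID 00000000deadbeef
example-agent-1.1-1 RSA/SHA256, Tue 17 Jan 2023 10:00:00 AM UTC, Key ID 000000000badcafe
local-tool-0.3-2 (none)'

# `sh check-key.sh live` queries the real RPM database instead of the samples.
if [ "${1:-}" = "live" ]; then
    echo "Trusted entries for $KEY_ID (remove each with: rpm -e <entry>):"
    rpm -q gpg-pubkey 2>/dev/null | trusted_key_entries "$KEY_ID"
    echo "Installed packages signed with $KEY_ID:"
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig}\n' |
        packages_signed_by "$KEY_ID"
fi
```

Packages that carry only a header signature report it under `%{RSAHEADER:pgpsig}` rather than `%{SIGPGP:pgpsig}`, so an empty result from the second query is worth re-running with that tag before treating the host as clean.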

This information was posted by Datadog as a “Frequently Asked Question” on its documentation page; however, it isn’t placed next to the other FAQs on the business’ website. Additionally, Datadog added the “noindex” and “nofollow” tags to its metadata.

The announcement from Datadog comes after CircleCI said on Friday one of its systems had been compromised by malware on a laptop belonging to an engineer.

Malware On Employee’s Laptop Exploited

CircleCI first disclosed the security incident in early January and advised all clients to rotate their secrets and tokens. The attackers used a 2FA-backed SSO session cookie from the employee’s compromised device to log into the software business’s internal systems and steal client secrets, the software company said last week.

The business said that “unauthorized access to third-party systems” had already been discovered by a few of its customers (“fewer than 5”), and it advised clients to look into their environments for unusual behavior starting from December 16, 2022.

CircleCI discovered on January 4, 2023, that malware installed on an engineer’s laptop on December 16 had been exploited to steal a 2FA-backed SSO session, giving the attackers access to the business’s internal systems.

According to its investigation, the malware was able to steal session cookies, which allowed the attackers to impersonate the targeted employee remotely and gain access to a portion of its production systems.

Hackers were able to “access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys” by using the hacked employee account to create production access tokens. According to CircleCI, the attackers conducted reconnaissance on December 19 and exfiltrated the confidential data on December 22.

The third party “extracted encryption keys from a running process, enabling them to access the encrypted data potentially,” the company stated. “Though all the data exfiltrated was encrypted at rest.”

“We encourage customers who have not yet taken action to do so to prevent unauthorized access to third-party systems and stores,” the blog concluded. CircleCI had asked its customers to rotate all secrets stored in its systems. “These can be stored in project environment variables or in contexts.”


According to Datadog, a cloud security provider, a recent security breach at CircleCI exposed one of the company’s RPM GPG signing keys along with its passphrase. The company has stated that it has not found any evidence to suggest that this key has been stolen or used in an unauthorized manner. The announcement from Datadog comes after CircleCI said on Friday that one of its systems had been compromised by malware on a laptop belonging to an engineer.

Kevin Bocek, VP Security Strategy & Threat Intelligence
InfoSec Expert
January 18, 2023 11:04 am

“Another day, another software supply chain attack. It’s clear that this type of threat isn’t going away. Targeting a developer tool and delivery platform, like CircleCI, was clearly intended to fly under the radar and slip into other development environments. In this case, they were able to gain access to Datadog’s environment meaning that its RPM GPG signing machine identities were exposed. Fortunately, Datadog has responded quickly to rotate the impacted identities and it doesn’t appear that they’ve been abused. But if an attacker had seized this opportunity, then it would have given them a very powerful weapon – potentially allowing them to spread across Datadog’s customer networks by enabling them to sign and send malware while appearing completely trusted. This could have had serious repercussions.

“This incident demonstrates the growing risk of attacks targeted at developers, machine identities and modern development pipelines. When combined with the speed of modern development, widespread use of automation and use of the cloud, an attacker with access to powerful machine identities can create ripples fast which are extremely hard to protect against or remediate. In a machine-driven world, having a control plane to manage the lifecycle of your machine identities is essential. As this incident shows, you can be doing all the right things and still find yourself exposed. All businesses – whether they be a software publisher, or a consumer of software – need to be able to automate controls that say who and what can and can’t be trusted, and to have the agility to respond to change.”
