Supply Chain
Datadog RPM Signing Key Exposed via CircleCI Breach
Incident Details
In January 2023, Datadog disclosed that an RPM (Red Hat Package Manager) GPG signing key used to sign Datadog Agent packages had been exposed in the CircleCI breach. CircleCI disclosed that breach the same month: malware on a CircleCI engineer's laptop stole a valid session token, which let the attacker impersonate the engineer and reach the environment variables and secrets that customers had stored in their CircleCI pipelines. Datadog used CircleCI for CI/CD and had stored the RPM signing key as a pipeline environment variable, so the key was among the exposed secrets. Datadog rotated the signing key and published packages signed with the new key, and users were advised to verify package signatures and update to versions signed with the new key. Datadog stated it had found no evidence that the key was used to sign malicious packages. Because rpm accepts a signature from any public key imported into its database, a host that still trusts the old key would continue to accept packages signed with it, so the exposure required precautionary remediation across all Datadog Agent deployments installed from RPM packages, not only a vendor-side key rotation.
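The consumer-side remediation described above (confirm that only the replacement key is trusted, and that installed packages were signed with it) can be scripted. The following is an added example written for this page, not Datadog's or CircleCI's own tooling. It wraps two real rpm commands, `rpm -q gpg-pubkey --qf ...` to list the imported public keys and `rpm -Kv <pkg>` to check a package file, and parses their output. The key IDs (`deadbeef`, `0badc0de`), package names, and sample command output are constructed placeholders, not Datadog's actual keys; substitute the IDs from the vendor's advisory.

```python
"""Post-rotation audit of RPM signing-key trust on a consumer host.

Added example (not Datadog's or CircleCI's tooling). Key IDs, package names
and command output below are constructed placeholders, not real Datadog keys.

Two checks matter once a vendor announces that a signing key may have leaked:
  1. Is the retired key still trusted by the local rpm database? rpm -K reports
     OK for any signature made by an imported key, so a still-installed old key
     means a malicious package signed with it would verify cleanly.
  2. Is a given package file actually signed by the replacement key?
"""
import re
import subprocess
import sys
from typing import Dict, List, Set

# Hypothetical 8-hex-digit short key IDs, as rpm prints them.
RETIRED_KEYS: Set[str] = {"deadbeef"}    # exposed key: must no longer be trusted
EXPECTED_KEYS: Set[str] = {"0badc0de"}   # replacement key: must be trusted

# Lists every imported public key, one per line: "<NVR>\t<uid summary>".
PUBKEY_QUERY = ["rpm", "-q", "gpg-pubkey", "--qf",
                r"%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n"]

_PUBKEY_RE = re.compile(r"^(gpg-pubkey-([0-9a-f]{8})-[0-9a-f]{8})\t(.*)$")
# Matches the signature lines of `rpm -Kv <pkg>` on both old and new rpm versions.
_SIG_RE = re.compile(r"Signature, key ID ([0-9a-fA-F]+): (\w+)")

# Constructed sample outputs so the functions can be exercised offline.
SAMPLE_PUBKEY_OUTPUT = (
    "gpg-pubkey-deadbeef-5c0ffee1\tgpg(Example Vendor (retired) <packages@example.com>)\n"
    "gpg-pubkey-0badc0de-63b5d5aa\tgpg(Example Vendor (2023) <packages@example.com>)\n"
)
SAMPLE_RPM_K_NEW = (
    "example-agent-1.0.0-1.x86_64.rpm:\n"
    "    Header V4 RSA/SHA256 Signature, key ID 0badc0de: OK\n"
    "    Header SHA256 digest: OK\n"
    "    Payload SHA256 digest: OK\n"
)
SAMPLE_RPM_K_OLD = SAMPLE_RPM_K_NEW.replace("1.0.0", "0.9.0").replace("0badc0de", "deadbeef")


def parse_installed_keys(query_output: str) -> Dict[str, Dict[str, str]]:
    """Map short key ID -> {"package": NVR, "uid": summary} for each gpg-pubkey line."""
    keys: Dict[str, Dict[str, str]] = {}
    for line in query_output.splitlines():
        m = _PUBKEY_RE.match(line)
        if m:
            keys[m.group(2).lower()] = {"package": m.group(1), "uid": m.group(3)}
    return keys


def audit_trust_store(installed: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings about the rpm trust store; an empty list is the desired state."""
    findings: List[str] = []
    for kid in sorted(RETIRED_KEYS & set(installed)):
        pkg = installed[kid]["package"]
        findings.append(f"retired key {kid} still trusted ({installed[kid]['uid']}); "
                        f"remove it with: rpm -e {pkg}")
    for kid in sorted(EXPECTED_KEYS - set(installed)):
        findings.append(f"replacement key {kid} not imported; its packages will report NOKEY")
    return findings


def parse_signature_check(rpm_kv_output: str) -> Dict[str, str]:
    """Extract key ID -> status (OK, NOKEY, BAD, ...) from `rpm -Kv` output."""
    return {kid.lower(): status for kid, status in _SIG_RE.findall(rpm_kv_output)}


def package_signed_by_expected_key(rpm_kv_output: str) -> bool:
    """True only if every signature on the package is OK and from an expected key.

    Fails closed: unsigned packages (no signature lines) and packages signed
    with the retired key both return False even if rpm itself said OK.
    """
    sigs = parse_signature_check(rpm_kv_output)
    return bool(sigs) and all(
        kid in EXPECTED_KEYS and status.upper() == "OK" for kid, status in sigs.items()
    )


def main(package_paths: List[str]) -> int:
    """Run both checks against the live rpm database; returns a shell exit code."""
    query = subprocess.run(PUBKEY_QUERY, capture_output=True, text=True, check=False)
    findings = audit_trust_store(parse_installed_keys(query.stdout))
    for path in package_paths:
        check = subprocess.run(["rpm", "-Kv", path], capture_output=True, text=True, check=False)
        if not package_signed_by_expected_key(check.stdout):
            findings.append(f"{path}: not signed by an expected key\n{check.stdout.rstrip()}")
    for finding in findings:
        print("FAIL:", finding)
    print("OK" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it on a host after the rotation with the downloaded package files as arguments. The first check is the one that is easy to forget: `rpm -K` only reports that a signature verifies against some imported key, it does not know that the vendor has retired that key, so updating to the newly signed packages without removing the old public key leaves the host willing to accept a package signed with the exposed key.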
Technical Details
- Initial Attack Vector: CircleCI's January 2023 breach (malware on an engineer's laptop stole a session token) gave the attacker access to CircleCI customers' stored secrets; Datadog's RPM package signing key was held in CircleCI CI/CD environment variables and was among the exposed secrets
- Vendor / Product: CircleCI CI/CD platform (customer secrets / environment variables)
- Supply Chain Attack: Confirmed third-party / vendor compromise
Timeline
- 2022-12-16 Malware on a CircleCI engineer's laptop used to steal a valid session token (per CircleCI's incident report)
- 2023-01-04 CircleCI publicly disclosed the breach and advised all customers to rotate secrets stored in CircleCI
- 2023-01 Datadog disclosed that its RPM signing key was among the exposed secrets and rotated it
- 2023-01-13 CircleCI published its full incident report