Google Cloud Threat Horizons H1 2026: Software Flaws Now Outrank Stolen Credentials

For years, weak or missing credentials topped every cloud breach report. That pattern broke in the second half of 2025. Attackers shifted hard toward exploiting unpatched third-party software - particularly remote code execution (RCE) vulnerabilities in externally exposed applications.

The numbers tell the story clearly:

• 44.5% of cloud intrusions started with a third-party software vulnerability (up from 2.9% in H1 2025)
• 27.2% of intrusions used weak or absent credentials (down from 47.1%)
• The exploitation window collapsed from weeks to days after public vulnerability disclosure
• Threat actors deployed cryptocurrency miners within 48 hours of the React2Shell (CVE-2025-55182) disclosure in December 2025

Google attributes part of this shift to improved credential hygiene across cloud platforms. As default protections around passwords and MFA got stronger, attackers pivoted to the next weakest link: unpatched applications sitting on public-facing infrastructure. And they're using AI to find those weak spots faster than ever.

Crystal Lister, who leads the Threat Horizons Report program at Google Cloud, put it plainly: the team has observed a fundamental shift in how attackers operate. The traditional reliance on credential theft is giving way to automated exploitation of application-layer flaws. For Katy and West Houston businesses running cloud workloads, this means your patching speed is now your most important security metric.

Even though software exploits now lead the pack, identity compromise still drives most intrusions involving cloud and SaaS environments. What changed is how attackers are getting those identities. Traditional email phishing hasn't gone away, but voice-based phishing (vishing) is now playing a central role.

• Vishing campaigns target help desks and end users directly - attackers impersonate internal staff or support personnel to pressure employees into resetting credentials and changing MFA settings
• OAuth token theft from third-party applications enables access without traditional login events, bypassing credential-based defenses entirely
• MFA fatigue tactics continue alongside credential harvesting from third-party SaaS tokens
• Non-human credentials including service account keys and developer tokens exposed in code repositories are being actively targeted

The concerning pattern here is that these attacks produce access that looks legitimate inside identity systems. When someone calls your help desk pretending to be an employee and convinces them to reset an MFA token, there's no malware signature to detect. No exploit to patch. It's a human problem disguised as a technology one.

The Threat Horizons Report H1 2026 findings on insider threats should worry any business that handles confidential information. Data theft remains the dominant form of insider misconduct, but the methods are changing fast.

• Personal cloud storage is the fastest-growing exfiltration channel - insiders are using services like Google Drive, Dropbox, and OneDrive personal accounts to move data outside organizational controls
• Multiple exfiltration methods appear in most insider cases, combining email, cloud storage, and removable media
• Data theft during and after employment is common - some insiders accessed and removed data during both periods
• Email as an exfiltration method is declining, while cloud-to-cloud data theft is projected to become the primary channel

For Houston businesses in wealth management, engineering, and oil and gas, this is a direct threat. An employee with legitimate access to sensitive project data, client financials, or proprietary engineering designs can move that data to a personal cloud account with a few clicks. Most small and mid-sized businesses don't have data loss prevention (DLP) tools that can detect this in real time.

The report makes clear that organizations need visibility into how data moves between corporate and personal cloud environments. That's not something you solve with a firewall. It takes a combination of DLP policies, cloud access security brokers, and - critically - offboarding procedures that revoke access immediately when someone leaves.

Two trends in the report deserve special attention: AI-assisted attacks and supply chain compromise that escalates into cloud infrastructure.

Mandiant researchers documented an intrusion that started with a compromised npm package and ended with full administrative control over production cloud resources. The attack chain tells you a lot about where things are heading:

• A trojanized npm package harvested environment data and authentication tokens from a developer workstation
• A stolen GitHub personal access token gave attackers access to source code repositories
• Attackers abused a GitHub-to-cloud OpenID Connect trust relationship to obtain temporary cloud credentials
• An overly permissive cloud role allowed deployment of new infrastructure and creation of admin privileges
• The malware used an LLM tool on the compromised endpoint to identify files of interest - a clear example of AI-assisted reconnaissance

That last point is worth pausing on. Threat actors are now using large language models to automate the tedious parts of an intrusion - scanning files, identifying credentials, figuring out which data to steal. Google's recommendation: treat LLM activity on your systems with the same scrutiny you'd apply to someone running administrative command-line tools. Because functionally, that's what it is.

North Korean state-backed groups also showed up in the report. UNC4889 used social engineering and living-off-the-cloud techniques to move from a compromised developer workstation into Kubernetes workloads, eventually stealing millions in cryptocurrency. They modified Kubernetes deployment configurations to execute attacker-controlled commands in newly created pods - an approach that's difficult to detect without dedicated container security monitoring.

The report also flagged that 2026 events including geopolitical conflicts, the FIFA World Cup, and U.S. midterm elections will likely provide cover for high-volume social engineering and DDoS attacks targeting cloud-hosted services.

The report's recommendations boil down to a few key actions that every business - not just enterprise organizations - should be taking today.

• Automate patching for internet-facing applications. Manual patch cycles that run weekly or monthly aren't fast enough anymore. If you can't patch within 48 hours of disclosure, deploy WAF rules to block known exploit patterns while you work on the update.
• Audit your identity perimeter. Review how your help desk verifies identity before resetting credentials or MFA tokens. Implement callback verification procedures. Check for orphaned service account keys and developer tokens in code repositories.
• Implement cloud DLP controls. If you don't have visibility into data moving between corporate and personal cloud storage, you have a blind spot that insiders are increasingly exploiting.
• Lock down CI/CD trust relationships. Review OpenID Connect trust configurations between GitHub, GitLab, and your cloud providers. Apply least-privilege principles to cloud roles that CI/CD pipelines can assume.
• Treat LLM activity as you would admin tools. If AI tools are running on your endpoints or in your cloud environment, monitor them for unusual behavior - the same way you'd monitor PowerShell or command-line usage.
• Protect forensic capabilities. Attackers are actively deleting logs, snapshots, and forensic artifacts. Make sure your log data is stored in immutable, separate environments that can survive a compromise of your primary cloud account.

CinchOps is a managed IT services provider based in Katy, Texas, serving small and mid-sized businesses across the Houston metro area. CinchOps specializes in cybersecurity, network security, managed IT support, VoIP, and SD-WAN for businesses with 10-200 employees.

The findings in this report aren't theoretical for us. We deal with exactly these kinds of threats every month across our client base in Houston, Katy, Sugar Land, Cypress, and across the West Houston corridor. In 30 years building IT systems for businesses, the pattern hasn't changed: companies that invest in prevention spend a fraction of what companies spend on recovery.

• Automated patch management that keeps your internet-facing applications updated within hours of critical vulnerability disclosure - not days or weeks
• Identity and access management including MFA enforcement, help desk verification protocols, and regular access reviews across your cloud and on-premise environments
• Cloud security monitoring that detects unusual API activity, configuration changes, and unauthorized access attempts across AWS, Azure, and Google Cloud
• Data loss prevention policies and tools that give you visibility into how sensitive data moves inside and outside your organization
• Business continuity and disaster recovery planning with immutable backup storage that survives even a full cloud account compromise
• Security awareness training that specifically addresses vishing, social engineering, and the identity-based attacks documented in this report

Your cloud provider secures their infrastructure. They don't secure your applications, your identity configuration, or your employees' behavior. That gap between what the cloud provider covers and what you're responsible for is exactly where attackers live. Talk to CinchOps about closing that gap.