Most Google Cloud attacks now begin with bug exploitation rather than stolen credentials or misconfigurations, a trend highlighted in Robert Lemos’s March 13, 2026 Dark Reading piece.
The article notes that attacks on user-managed cloud software—such as the React2Shell attack targeting a flaw in React Server Components—outpaced software vulnerabilities as the most frequently exploited vector for initial access, with software-based entry and remote code execution flaws accounting for about 44% of initial-access activity in Google Cloud.
Crystal Lister of Google Cloud is quoted explaining that defenders’ focus on cloud hygiene has pushed attackers toward third-party, user-managed software running atop the cloud rather than the cloud infrastructure itself. The piece also cites Google’s semi-annual Cloud Threat Horizons Report and, outside Google’s environments, mentions identity-related vectors comprising a large share of initial-access activity, as observed in investigations by Google Mandiant.
For context, Palo Alto Networks’ Global Incident Response Report 2026 is cited as noting that identity-related factors appear in about two-thirds of initial access, reinforcing the shift away from credential abuse toward software exploitation.