Datadog, specializing in cloud security, reports that it has become a conditional victim of a recent incident with CircleCI.

According to the company, one of its RPM GPG signature keys and a passphrase have been disclosed.

Despite this, Datadog claims that it has not found any signs that the key was actually stolen or used for other purposes. The company says it has yet to find evidence.

However, after notifying CircleCI that an attacker had gained access to environment variables, tokens and client keys, Datadog released a new version of RPM Agent 5 for CentOS/RHEL, signed with a new key.

The company has also released a new Linux installation script that removes the vulnerable key from the Datadog repository file and the RPM database.

Datadog notes that even if an attacker manages to steal the signature key and create a malicious RPM package, he will not be able to use it to carry out attacks on clients, since access to official package repositories will be required.

In any case, Datadog decided to play it safe, because no less than CircleCI customers have already discovered unauthorized access to third-party systems after the company warned of the need to examine the environments for suspicious activity, starting from December 16, 2022.