Eslam Salem
netcodex.bsky.social
Manager, security research @ Datadog | he/him | Chess lover | Blackhat speaker |
ex Sqreen.io, Shieldfy.io | my website: https://eslam.io
Our team tracked down a malicious campaign in NPM deploying Vidar stealer. This is the first time we have seen Vidar stealer distributed via a supply chain attack.
securitylabs.datadoghq.com/articles/mut...
#npm #malware #supplychainattack
MUT-4831: Trojanized npm packages deliver Vidar infostealer malware | Datadog Security Labs
Analysis of a threat actor campaign targeting Windows users with Vidar infostealer malware via malicious npm packages
November 6, 2025 at 12:50 PM
I'm in love with Claude Code. The way it handles code writing and automates bash tasks is amazing and so convenient for me.
If you are an experienced developer and know what you are doing, the tasks that usually take weeks, you will be able to do in hours 🤯🤯 #claudecode #ai
September 13, 2025 at 5:22 PM
Q for developers. Do you love/hate mandatory security training? And why?
#security #training #developers
June 17, 2025 at 1:37 PM
🚨 The obfuscation game: MUT-9332 targets Solidity developers via malicious VS Code extensions!

Deep-dive analysis of this obfuscated campaign, including PowerShell & VBS scripts, PE malware, malicious browser extensions, and even stegomalware.

Enjoy reading securitylabs.datadoghq.com/articles/mut...
The obfuscation game: MUT-9332 targets Solidity developers via malicious VS Code extensions | Datadog Security Labs
Analysis of a threat actor campaign targeting Solidity developers via three malicious VS Code extensions
May 21, 2025 at 12:10 PM
A pretty interesting threat campaign has been discovered by our research team.
We will be disclosing it in a couple of hours, stay tuned 😉
#threats #malicious #security_research #datadog
May 21, 2025 at 9:54 AM
Recognizing employees for a job well done is just as important as giving constructive feedback when they underperform. Balance builds growth. #Leadership #Feedback
May 15, 2025 at 9:25 AM
I don't like threat actor attribution that much because in most cases it's wrong and so easily forged. We still should cluster campaigns but there is no "high confidence" attribution IMHO.
May 14, 2025 at 6:44 PM
Reposted by Eslam Salem
I have been told there will be a special announcement at 10am CET (that's 4am EDT btw) regarding this.

I will release the info I have at that time also. Thank you for the support.
BREAKING.

From a reliable source. MITRE support for the CVE program is due to expire tomorrow. The attached letter was sent out to CVE Board Members.
April 16, 2025 at 1:54 AM
Any idea what will happen to the CVE program after MITRE?
x.com/0xTib3rius/s...
April 15, 2025 at 8:07 PM
Reposted by Eslam Salem
It’s the tutorial room at #kubecon where we’ll be hacking up a storm in just over 30 minutes!
April 4, 2025 at 12:13 PM
Interesting to see secret leaks in git still one of the biggest threats in the SDLC.
github.blog/security/app...
GitHub found 39M secret leaks in 2024. Here's what we're doing to help
Every minute, GitHub blocks several secrets with push protection—but secret leaks still remain one of the most common causes of security incidents. Learn how GitHub is making it easier to protect your...
April 1, 2025 at 4:15 PM
I think it's time for me to start digging into AI and LLMs. I'm not sure where to start, any advice?
March 31, 2025 at 8:42 PM
Reposted by Eslam Salem
It's amazing how important one Phrack article from 27 years ago has been for web application security.

Covering what we now call SQL Injection and SSRF (amongst other things) problems we're still trying to handle today laid out in a couple of paragraphs

phrack.org/issues/54/8#...
.:: Phrack Magazine ::.
Phrack staff website.
March 27, 2025 at 9:42 AM
This time we analyzed the Next.js middleware bypass vulnerability (CVE-2025-29927). Also included IP/UA trying to exploit this in the wild.
securitylabs.datadoghq.com/articles/nex...
Understanding CVE-2025-29927: The Next.js Middleware Authorization Bypass Vulnerability | Datadog Security Labs
Learn how the Next.js middleware authorization bypass vulnerability works, and how to detect and remediate it.
March 28, 2025 at 2:41 PM
Our analysis and takeaways for IngressNightmare - Several vulnerabilities in the Kubernetes Ingress NGINX Controller. Enjoy!
securitylabs.datadoghq.com/articles/ing...
The
Learn how the Kubernetes Ingress NGINX Controller vulnerabilities work, how to detect and remediate them.
March 25, 2025 at 11:03 PM
I love it when some people tell me that this is your limit, this is your ceiling. This is when I feel the fire within me reignite!
December 16, 2024 at 8:58 AM
Amazing presentation about supply chain security and the amazing work we do by our leaders @techy.detectionengineering.net
(Director of research) and Andrewkrug (Manager of advocacy) youtu.be/1b0RIi19qrw?...
AWS re:Invent 2024 - Beyond just observing, protecting your whole software supply chain (SEC406)
YouTube video by AWS Events
December 9, 2024 at 6:14 PM
Supply chain firewall in action
github.com/DataDog/supp...
December 6, 2024 at 12:35 PM
We are happy to introduce our latest tool "Supply Chain Firewall" 🎉 by @ikretz.bsky.social
The tool detects & prevents installation of malicious packages in the local development environment.

Read more
securitylabs.datadoghq.com/articles/int...

And give it a try github.com/DataDog/supp...
Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages | Datadog Security Labs
Release of Supply-Chain Firewall, an open source tool for preventing the installation of malicious PyPI and npm packages
December 6, 2024 at 12:19 PM
Reposted by Eslam Salem
Supply-chain attack in the ultralytics PyPI package: github.com/ultralytics/...

An attacker opened a pull request and pushed a commit with a malicious name, leading to CI code injection.

They then backdoored versions 8.3.41 and 8.3.42 with code downloading a second-stage binary from GitHub
December 5, 2024 at 5:12 PM
Reposted by Eslam Salem
Common reasoning is that SMS 2FA is bad due to the risk of SIM swapping. It’s also bad if the telecommunications networks are hostile 😬
www.forbes.com/sites/zakdof...
FBI Warns iPhone And Android Users—Stop Sending Texts
US officials urge citizens to use encrypted messaging and calls wherever they can—here’s what you need to know.
December 5, 2024 at 2:43 PM
Awesome, Stratus Red Team v2.20.0 is now available 🎉
Stratus Red Team v2.20.0 is now available, with great contributions from @flekyy90.bsky.social allowing you to reproduce AWS TTPs seen in the wild!

➔ Use GetFederationToken to generate temporary credentials

➔ Use SendSerialConsoleSSHPublicKey to pivot to EC2 instances

github.com/DataDog/stra...
December 4, 2024 at 5:52 PM
My Blackhat MEA arsenal presentation: "Detect Malicious Packages with Guarddog"
drive.google.com/file/d/11SAN...
December 3, 2024 at 1:48 PM
Looks good, I will give it a try this weekend
For a lot of my research work, kind clusters work perfectly but sometimes having a full disposable VM with tools is needed. Just been playing with github.com/iximiuz/labctl from @iximiuz.bsky.social and it looks like a great option for those times (also you can get full k8s clusters and things too)
GitHub - iximiuz/labctl: iximiuz Labs control - start remote microVM playgrounds from the command line.
November 28, 2024 at 3:46 PM