Datadog Security Labs
@securitylabs.datadoghq.com
Read our Security Labs blog: https://securitylabs.datadoghq.com
Subscribe to our monthly newsletter: https://securitylabs.datadoghq.com/newsletters/
MUT-4831: Trojanized npm packages deliver Vidar infostealer malware
securitylabs.datadoghq.com/articles/mut...
MUT-4831: Trojanized npm packages deliver Vidar infostealer malware | Datadog Security Labs
Analysis of a threat actor campaign targeting Windows users with Vidar infostealer malware via malicious npm packages
securitylabs.datadoghq.com
November 6, 2025 at 10:57 AM
A runtime security approach to detecting supply chain attacks
securitylabs.datadoghq.com/articles/sup...
by Lorenzo Susini, Detection Engineer
A runtime security approach to detecting supply chain attacks | Datadog Security Labs
Detecting software supply chain attacks through runtime security.
securitylabs.datadoghq.com
November 5, 2025 at 2:59 PM
The October edition of the Datadog Security Digest is out!
securitylabs.datadoghq.com/newsletters/...
The State of Cloud Security, MCP Risks, and Azure vulnerabilities | Datadog Security Labs
This edition covers The State of Cloud Security, MCP Risks, and Azure vulnerabilities
securitylabs.datadoghq.com
October 30, 2025 at 12:44 PM
CoPhish: Using Microsoft Copilot Studio as a wrapper for OAuth phishing
securitylabs.datadoghq.com/articles/cop...
by @siigil.bsky.social
CoPhish: Using Microsoft Copilot Studio as a wrapper for OAuth phishing | Datadog Security Labs
Copilot Studio links look benign, but they can host content to redirect users to arbitrary URLs. In this post, we document a method by which a Copilot Studio agent's login settings can redirect a user...
securitylabs.datadoghq.com
October 28, 2025 at 1:12 PM
Our State of Cloud Security 2025 study is out!
www.datadoghq.com/state-of-clo...
• On AWS, 40% of organizations leverage data perimeters
• 11% of Google Cloud GKE and 23% of Google Cloud VMs are overprivileged
• On Azure, 1.3% of storage containers are public, 58% proactively block public access
State of Cloud Security | Datadog
For our 2025 report, we analyzed AWS, Google Cloud, and Azure data from thousands of organizations to understand the latest trends in cloud security posture.
www.datadoghq.com
October 8, 2025 at 9:10 PM
The September edition of the Datadog Security Digest is out: securitylabs.datadoghq.com/newsletters/...
npm supply chain attacks, Amazon Bedrock security, and MCP vulnerabilities | Datadog Security Labs
This edition covers three major supply chain attacks targeting npm, two MCP security vulnerabilities, and multiple posts related to the Amazon Bedrock service.
securitylabs.datadoghq.com
October 2, 2025 at 9:06 AM
In case you missed it, the August edition of the Datadog Security Digest went out last week!
securitylabs.datadoghq.com/newsletters/...
Q2 threat report, prompt injection, and fwd:cloudsec Europe | Datadog Security Labs
This edition covers Datadog's Q2 threat report, new cloud security research, AI security vulnerabilities, application security findings, and upcoming community events
securitylabs.datadoghq.com
September 5, 2025 at 7:31 AM
CVE-2025-52882: WebSocket authentication bypass in Claude Code extensions (patched)
securitylabs.datadoghq.com/articles/cla...
Zander Mackie
CVE-2025-52882: WebSocket authentication bypass in Claude Code extensions | Datadog Security Labs
A critical vulnerability in older versions of the Claude Code for Visual Studio Code (VS Code) and other IDE extensions allowed malicious websites to connect to unauthenticated local WebSocket servers...
securitylabs.datadoghq.com
August 26, 2025 at 1:23 PM
MCP vulnerability case study: SQL injection in the Postgres MCP server. Comes with a full reproducible proof-of-concept
securitylabs.datadoghq.com/articles/mcp...
by Santiago Mola
MCP vulnerability case study: SQL injection in the Postgres MCP server | Datadog Security Labs
Learn how a vulnerability in Anthropic's reference Postgres MCP server allowed us to bypass the read-only restriction and execute arbitrary SQL statements.
securitylabs.datadoghq.com
August 21, 2025 at 12:42 PM
Enumerating AWS the quiet way: CloudTrail-free discovery with Resource Explorer
by @frichetten.com
securitylabs.datadoghq.com/articles/enu...
Enumerating AWS the quiet way: CloudTrail-free discovery with Resource Explorer | Datadog Security Labs
Discover how attackers could quietly enumerate AWS resources via Resource Explorer, and how Datadog and AWS worked together to close the visibility gap.
securitylabs.datadoghq.com
August 20, 2025 at 7:33 AM
The July edition of the Datadog Security Digest is out!
securitylabs.datadoghq.com/newsletters/...
• Cloud image investigator by @sethsec.bsky.social
• Our top picks for Black Hat / DEF CON
• A benchmark for LLM coding accuracy and security
• Malicious Homebrew installation campaign
... and more
Preparing for Hacker Summer Camp and a new cloud image investigator | Datadog Security Labs
This month’s digest covers Hacker Summer Camp prep, a new cloud image investigator, and supply-chain vulnerabilities associated with the Open VSX Registry.
securitylabs.datadoghq.com
July 31, 2025 at 9:00 PM
Datadog guide to Hacker Summer Camp 2025, and the top 50 talks we're excited about
securitylabs.datadoghq.com/articles/hac...
Datadog guide to Hacker Summer Camp 2025 | Datadog Security Labs
Get ready to take on Hacker Summer Camp with our guide on planning, prepping, and schedules for Datadog events.
securitylabs.datadoghq.com
July 29, 2025 at 8:14 PM
Beyond Mimo’lette: Tracking Mimo's Expansion to Magento CMS and Docker
securitylabs.datadoghq.com/articles/bey...
Beyond Mimo’lette: Tracking Mimo's Expansion to Magento CMS and Docker | Datadog Security Labs
This post reports on activity from the 'Mimo' threat actor.
securitylabs.datadoghq.com
July 21, 2025 at 8:57 PM
I SPy: Escalating to Entra ID's Global Admin with a first-party app
securitylabs.datadoghq.com/articles/i-s...
by @siigil.bsky.social
I SPy: Escalating to Entra ID's Global Admin with a first-party app | Datadog Security Labs
Backdooring Microsoft's applications is far from over. Adding service principal credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and led...
securitylabs.datadoghq.com
July 16, 2025 at 12:21 PM
Kubernetes security fundamentals, part 7: Public Key Infrastructure (PKI)
securitylabs.datadoghq.com/articles/kub...
by @mccune.org.uk
Kubernetes security fundamentals: PKI | Datadog Security Labs
A look at how PKI configuration in Kubernetes clusters works
securitylabs.datadoghq.com
July 15, 2025 at 7:49 AM
CVE-2025-48384: Git vulnerable to arbitrary file write on non-Windows systems
securitylabs.datadoghq.com/articles/git...
CVE-2025-48384: Git vulnerable to arbitrary file write on non-Windows systems | Datadog Security Labs
Learn more about the emerging vulnerability affecting Git.
securitylabs.datadoghq.com
July 11, 2025 at 8:02 AM
Reposted by Datadog Security Labs
Stratus Red Team AWS attack techniques are now mapped to the Threat Technique Catalog for AWS
Stratus Red Team AWS attack techniques: stratus-red-team.cloud/attack-techn...
Threat Technique Catalog by AWS: aws-samples.github.io/threat-techn...
June 23, 2025 at 12:04 PM
fwd:cloudsec is around the corner! Don't miss these 3 talks from Datadog researchers Seth Sec, Katie Knowles, Greg Foss, and Anthony Randazzo.
fwdcloudsec.org/conference/n...
@sethsec.bsky.social
@siigil.bsky.social
@gregfoss.com
June 27, 2025 at 9:02 PM
The obfuscation game: Threat actor targets Solidity developers via malicious VS Code extensions
securitylabs.datadoghq.com/articles/mut...
(published May 21, 2025)
The obfuscation game: MUT-9332 targets Solidity developers via malicious VS Code extensions | Datadog Security Labs
Analysis of a threat actor campaign targeting Solidity developers via three malicious VS Code extensions
securitylabs.datadoghq.com
June 2, 2025 at 3:28 PM
"Tales from the cloud trenches: The Attacker doth persist too much, methinks"
securitylabs.datadoghq.com/articles/tal...
New tactics observed include:
• Persistence-as-a-service with an external facing API Gateway
• Persistence through AWS SSO
• ConsoleLogin events from Telegram IP addresses
Tales from the cloud trenches: The Attacker doth persist too much, methinks | Datadog Security Labs
A cloud attack targeting Amazon SES and persistence via AWS Lambda, AWS IAM Identity Center and AWS IAM
securitylabs.datadoghq.com
May 15, 2025 at 2:15 PM
RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale
securitylabs.datadoghq.com/articles/red...
RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale | Datadog Security Labs
Learn how RedisRaider is targeting publicly accessible Redis servers to mine cryptocurrency.
securitylabs.datadoghq.com
May 8, 2025 at 10:41 AM
Reposted by Datadog Security Labs
My colleague, Sebastian Obregoso, and I had the privilege of writing a guest post for OpenSSF's blog on how we detect malicious open source packages at @securitylabs.datadoghq.com using GuardDog.
Check it out here: openssf.org/blog/2025/03...
GuardDog: Strengthening Open Source Security Against Supply Chain Attacks – Open Source Security Foundation
openssf.org
April 1, 2025 at 10:14 AM
The March edition of the Datadog Security Digest is out!
securitylabs.datadoghq.com/newsletters/...
• New MITRE ATT&CK coverage matrix in Stratus Red Team
• Compromised GitHub actions
• Malicious Maven packages
• Exploitation of SSRF vulnerabilities on the rise
• ... and more
Malicious Maven packages, SSRFs strike again, and stealing cloud credentials from web applications | Datadog Security Labs
This month’s digest has a little bit of everything—cloud threats, supply chain attacks, and a reminder that yes, attackers are still exploiting SSRFs.
securitylabs.datadoghq.com
March 27, 2025 at 10:21 PM