Datadog Security Labs

@securitylabs.datadoghq.com

Read our Security Labs blog: https://securitylabs.datadoghq.com Subscribe to our monthly newsletter: https://securitylabs.datadoghq.com/newsletters/

600 Followers · 36 Following · 51 Posts · Joined 27.11.2024

Latest posts by Datadog Security Labs @securitylabs.datadoghq.com

Hook, line, and vault: A technical deep dive into the 1Phish kit | Datadog Security Labs We analyze the evolution of the 1Phish phishing kit from a basic credential harvester into an MFA-aware, multi-stage phishing kit targeting 1Password users.

Hook, line, and vault: A technical deep dive into the 1Phish kit targeting 1Password users

securitylabs.datadoghq.com/articles/hoo...

27.02.2026 11:20 👍 1 🔁 1 💬 0 📌 0

Tech impersonators: ClickFix and MacOS infostealers

securitylabs.datadoghq.com/articles/tec...

11.02.2026 09:06 👍 1 🔁 0 💬 0 📌 0
Tech impersonators: ClickFix and MacOS infostealers | Datadog Security Labs Datadog identified an active campaign employing fake GitHub repositories impersonating software companies and leveraging the ClickFix initial access technique to deliver macOS infostealers.

Tech impersonators: ClickFix and MacOS infostealers

securitylabs.datadoghq.com/articles/tec...

10.02.2026 14:23 👍 2 🔁 2 💬 0 📌 0
Introducing IDE-SHEPHERD: Your shield against threat actors lurking in your IDE | Datadog Security Labs IDE-SHEPHERD is an open-source IDE security extension that provides real-time monitoring and protection for VS Code and Cursor. It intercepts malicious process executions, monitors network activity, a...

IDE-SHEPHERD is a new open source project to identify malicious VSCode and Cursor extensions at runtime

Announcement: securitylabs.datadoghq.com/articles/ide...
GitHub: github.com/DataDog/IDE-...

26.01.2026 16:56 👍 1 🔁 1 💬 0 📌 1
Decoding the GitHub recommendations for npm maintainers | Datadog Security Labs This blog post explores the rationale and implementation behind GitHub's security recommendations for npm maintainers following numerous high-profile supply-chain incidents. It details how hardening p...

Decoding the GitHub recommendations for npm maintainers

securitylabs.datadoghq.com/articles/dec...

by @phrawzty.com

09.01.2026 14:52 👍 0 🔁 3 💬 0 📌 1

Introducing Pathfinding.cloud, a library of privilege escalation paths in AWS

securitylabs.datadoghq.com/articles/int...

by @sethsec.bsky.social

17.12.2025 22:29 👍 6 🔁 3 💬 0 📌 0

Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users

securitylabs.datadoghq.com/articles/inv...

10.12.2025 13:04 👍 2 🔁 2 💬 0 📌 1

Update: A PoC was made available on GitHub by a security engineer. Our post was updated to reflect this new information, along with an illustration of how the exploit works.

04.12.2025 23:23 👍 0 🔁 0 💬 0 📌 1

CVE-2025-55182 (React2Shell): Remote code execution in React Server Components and Next.js

securitylabs.datadoghq.com/articles/cve...

04.12.2025 21:47 👍 6 🔁 4 💬 1 📌 0
2025 threat reports, Kubernetes version adoption, and how attackers use AI | Datadog Security Labs This edition covers 2025 threat reports, Kubernetes version adoption, and how attackers use AI

The November Datadog Security Digest is out!

• A 2025 look at real-world Kubernetes version adoption by @mccune.org.uk
• Datadog threat roundup: Top insights for Q3 2025
• Analyzing network traffic from coding agents

... and more!

securitylabs.datadoghq.com/newsletters/...

26.11.2025 16:19 👍 4 🔁 2 💬 0 📌 0

A few days ago, a new piece of malware started spreading in npm, compromising and backdooring hundreds of legitimate npm packages and GitHub users. Read the analysis from our security research team:

securitylabs.datadoghq.com/articles/sha...

26.11.2025 08:57 👍 6 🔁 5 💬 0 📌 1
MUT-4831: Trojanized npm packages deliver Vidar infostealer malware | Datadog Security Labs Analysis of a threat actor campaign targeting Windows users with Vidar infostealer malware via malicious npm packages

MUT-4831: Trojanized npm packages deliver Vidar infostealer malware

securitylabs.datadoghq.com/articles/mut...

06.11.2025 10:57 👍 1 🔁 0 💬 0 📌 0

In this post, Lorenzo Susini demonstrates that runtime security can be valuable to identify software supply chain attacks. As an example, this is the process tree of a malicious npm package harvesting credentials.

05.11.2025 14:59 👍 1 🔁 0 💬 0 📌 0
A runtime security approach to detecting supply chain attacks | Datadog Security Labs Detecting software supply chain attacks through runtime security.

A runtime security approach to detecting supply chain attacks

securitylabs.datadoghq.com/articles/sup...

by Lorenzo Susini, Detection Engineer

05.11.2025 14:59 👍 2 🔁 0 💬 1 📌 0
Datadog threat roundup: Top insights for Q3 2025 | Datadog Security Labs Threat insights from Datadog Security Labs for Q3 2025.

Datadog threat roundup: Top insights for Q3 2025

securitylabs.datadoghq.com/articles/202...

03.11.2025 15:42 👍 1 🔁 0 💬 0 📌 0
Learnings from recent npm supply chain compromises | Datadog Security Labs A look at recent npm supply chain compromises and how we can learn from them to better prepare for future incidents.

Learnings from recent npm supply chain compromises

securitylabs.datadoghq.com/articles/lea...

30.10.2025 19:44 👍 3 🔁 0 💬 0 📌 0
The State of Cloud Security, MCP Risks, and Azure vulnerabilities | Datadog Security Labs This edition covers The State of Cloud Security, MCP Risks, and Azure vulnerabilities

The October edition of the Datadog Security Digest is out!

securitylabs.datadoghq.com/newsletters/...

30.10.2025 12:44 👍 2 🔁 0 💬 0 📌 1
CoPhish: Using Microsoft Copilot Studio as a wrapper for OAuth phishing | Datadog Security Labs Copilot Studio links look benign, but they can host content to redirect users to arbitrary URLs. In this post, we document a method by which a Copilot Studio agent's login settings can redirect a user...

CoPhish: Using Microsoft Copilot Studio as a wrapper for OAuth phishing

securitylabs.datadoghq.com/articles/cop...

by @siigil.bsky.social

28.10.2025 13:12 👍 3 🔁 2 💬 0 📌 0
State of Cloud Security | Datadog For our 2025 report, we analyzed AWS, Google Cloud, and Azure data from thousands of organizations to understand the latest trends in cloud security posture.

Our State of Cloud Security 2025 study is out!

www.datadoghq.com/state-of-clo...

• On AWS, 40% of organizations leverage data perimeters
• 11% of Google Cloud GKE and 23% of Google Cloud VMs are overprivileged
• On Azure, 1.3% of storage containers are public, 58% proactively block public access

08.10.2025 21:10 👍 8 🔁 4 💬 1 📌 1
npm supply chain attacks, Amazon Bedrock security, and MCP vulnerabilities | Datadog Security Labs This edition covers three major supply chain attacks targeting npm, two MCP security vulnerabilities, and multiple posts related to the Amazon Bedrock service.

The September edition of the Datadog Security Digest is out: securitylabs.datadoghq.com/newsletters/...

02.10.2025 09:06 👍 0 🔁 0 💬 0 📌 0
Q2 threat report, prompt injection, and fwd:cloudsec Europe | Datadog Security Labs This edition covers Datadog's Q2 threat report, new cloud security research, AI security vulnerabilities, application security findings, and upcoming community events

In case you missed it, the August edition of the Datadog Security Digest went out last week!

securitylabs.datadoghq.com/newsletters/...

05.09.2025 07:31 👍 1 🔁 0 💬 0 📌 0
CVE-2025-52882: WebSocket authentication bypass in Claude Code extensions | Datadog Security Labs A critical vulnerability in older versions of the Claude Code for Visual Studio Code (VS Code) and other IDE extensions allowed malicious websites to connect to unauthenticated local WebSocket servers...

CVE-2025-52882: WebSocket authentication bypass in Claude Code extensions (patched)

securitylabs.datadoghq.com/articles/cla...

by Zander Mackie

26.08.2025 13:23 👍 1 🔁 0 💬 0 📌 0
MCP vulnerability case study: SQL injection in the Postgres MCP server | Datadog Security Labs Learn how a vulnerability in Anthropic's reference Postgres MCP server allowed us to bypass the read-only restriction and execute arbitrary SQL statements.

MCP vulnerability case study: SQL injection in the Postgres MCP server. Comes with a full reproducible proof-of-concept

securitylabs.datadoghq.com/articles/mcp...

by Santiago Mola

21.08.2025 12:42 👍 1 🔁 2 💬 0 📌 0
Enumerating AWS the quiet way: CloudTrail-free discovery with Resource Explorer | Datadog Security Labs Discover how attackers could quietly enumerate AWS resources via Resource Explorer, and how Datadog and AWS worked together to close the visibility gap.

Enumerating AWS the quiet way: CloudTrail-free discovery with Resource Explorer

by @frichetten.com

securitylabs.datadoghq.com/articles/enu...

20.08.2025 07:33 👍 5 🔁 4 💬 0 📌 0
Preparing for Hacker Summer Camp and a new cloud image investigator | Datadog Security Labs This month's digest covers Hacker Summer Camp prep, a new cloud image investigator, and supply-chain vulnerabilities associated with the Open VSX Registry.

The July edition of the Datadog Security Digest is out!

securitylabs.datadoghq.com/newsletters/...

• Cloud image investigator by @sethsec.bsky.social
• Our top picks for Black Hat / DEF CON
• A benchmark for LLM coding accuracy and security
• Malicious Homebrew installation campaign
... and more

31.07.2025 21:00 👍 6 🔁 2 💬 0 📌 0
Datadog guide to Hacker Summer Camp 2025 | Datadog Security Labs Get ready to take on Hacker Summer Camp with our guide on planning, prepping, and schedules for Datadog events.

Datadog guide to Hacker Summer Camp 2025, and the top 50 talks we're excited about

securitylabs.datadoghq.com/articles/hac...

29.07.2025 20:14 👍 1 🔁 0 💬 0 📌 1
Beyond Mimo'lette: Tracking Mimo's Expansion to Magento CMS and Docker | Datadog Security Labs This post reports on activity from the 'Mimo' threat actor.

Beyond Mimo'lette: Tracking Mimo's Expansion to Magento CMS and Docker

securitylabs.datadoghq.com/articles/bey...

21.07.2025 20:57 👍 2 🔁 1 💬 0 📌 0
I SPy: Escalating to Entra ID's Global Admin with a first-party app | Datadog Security Labs Backdooring Microsoft's applications is far from over. Adding service principal credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and led...

I SPy: Escalating to Entra ID's Global Admin with a first-party app

securitylabs.datadoghq.com/articles/i-s...

by @siigil.bsky.social

16.07.2025 12:21 👍 2 🔁 1 💬 0 📌 0
Kubernetes security fundamentals: PKI | Datadog Security Labs A look at how PKI configuration in Kubernetes clusters works

Kubernetes security fundamentals, part 7: Public Key Infrastructure (PKI)

securitylabs.datadoghq.com/articles/kub...

by @mccune.org.uk

15.07.2025 07:49 👍 6 🔁 1 💬 0 📌 0
CVE-2025-48384: Git vulnerable to arbitrary file write on non-Windows systems | Datadog Security Labs Learn more about the emerging vulnerability affecting Git.

CVE-2025-48384: Git vulnerable to arbitrary file write on non-Windows systems

securitylabs.datadoghq.com/articles/git...

11.07.2025 08:02 👍 37 🔁 24 💬 3 📌 0