Datadog Security Labs

@securitylabs.datadoghq.com

Read our Security Labs blog: https://securitylabs.datadoghq.com
Subscribe to our monthly newsletter: https://securitylabs.datadoghq.com/newsletters/

529 Followers  |  36 Following  |  27 Posts  |  Joined: 27.11.2024

Latest posts by securitylabs.datadoghq.com on Bluesky

Preparing for Hacker Summer Camp and a new cloud image investigator | Datadog Security Labs This month’s digest covers Hacker Summer Camp prep, a new cloud image investigator, and supply-chain vulnerabilities associated with the Open VSX Registry.

The July edition of the Datadog Security Digest is out!

securitylabs.datadoghq.com/newsletters/...

• Cloud image investigator by @sethsec.bsky.social
• Our top picks for Black Hat / DEF CON
• A benchmark for LLM coding accuracy and security
• Malicious Homebrew installation campaign
.. and more

31.07.2025 21:00 — 👍 4    🔁 1    💬 0    📌 0
Datadog guide to Hacker Summer Camp 2025 | Datadog Security Labs Get ready to take on Hacker Summer Camp with our guide on planning, prepping, and schedules for Datadog events.

Datadog guide to Hacker Summer Camp 2025, and the top 50 talks we're excited about

securitylabs.datadoghq.com/articles/hac...

29.07.2025 20:14 — 👍 1    🔁 0    💬 0    📌 1
Beyond Mimo’lette: Tracking Mimo's Expansion to Magento CMS and Docker | Datadog Security Labs This post reports on activity from the 'Mimo' threat actor.

Beyond Mimo’lette: Tracking Mimo's Expansion to Magento CMS and Docker

securitylabs.datadoghq.com/articles/bey...

21.07.2025 20:57 — 👍 2    🔁 1    💬 0    📌 0
I SPy: Escalating to Entra ID's Global Admin with a first-party app | Datadog Security Labs Backdooring Microsoft's applications is far from over. Adding service principal credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and led...

I SPy: Escalating to Entra ID's Global Admin with a first-party app

securitylabs.datadoghq.com/articles/i-s...

by @siigil.bsky.social

16.07.2025 12:21 — 👍 2    🔁 1    💬 0    📌 0
Kubernetes security fundamentals: PKI | Datadog Security Labs A look at how PKI configuration in Kubernetes clusters works

Kubernetes security fundamentals, part 7: Public Key Infrastructure (PKI)

securitylabs.datadoghq.com/articles/kub...

by @mccune.org.uk

15.07.2025 07:49 — 👍 6    🔁 1    💬 0    📌 0
CVE-2025-48384: Git vulnerable to arbitrary file write on non-Windows systems | Datadog Security Labs Learn more about the emerging vulnerability affecting Git.

CVE-2025-48384: Git vulnerable to arbitrary file write on non-Windows systems

securitylabs.datadoghq.com/articles/git...

11.07.2025 08:02 — 👍 40    🔁 26    💬 3    📌 0
Stratus Red Team AWS attack techniques are now mapped to the Threat Technique Catalog for AWS

Stratus Red Team AWS attack techniques: stratus-red-team.cloud/attack-techn...

Threat Technique Catalog by AWS: aws-samples.github.io/threat-techn...

23.06.2025 12:04 — 👍 6    🔁 2    💬 0    📌 0
fwd:cloudsec is around the corner! Don't miss these 3 talks from Datadog researchers Seth Sec, Katie Knowles, Greg Foss, and Anthony Randazzo.

fwdcloudsec.org/conference/n...

@sethsec.bsky.social
@siigil.bsky.social
@gregfoss.com

27.06.2025 21:02 — 👍 4    🔁 2    💬 0    📌 0
The obfuscation game: MUT-9332 targets Solidity developers via malicious VS Code extensions | Datadog Security Labs Analysis of a threat actor campaign targeting Solidity developers via three malicious VS Code extensions

The obfuscation game: Threat actor targets Solidity developers via malicious VS Code extensions

securitylabs.datadoghq.com/articles/mut...

(published May 21, 2025)

02.06.2025 15:28 — 👍 2    🔁 2    💬 1    📌 0
Tales from the cloud trenches: The Attacker doth persist too much, methinks | Datadog Security Labs A cloud attack targeting Amazon SES and persistence via AWS Lambda, AWS IAM Identity Center and AWS IAM

"Tales from the cloud trenches: The Attacker doth persist too much, methinks"

securitylabs.datadoghq.com/articles/tal...

New tactics observed include:
• Persistence-as-a-service with an external-facing API Gateway
• Persistence through AWS SSO
• ConsoleLogin events from Telegram IP addresses

15.05.2025 14:15 — 👍 10    🔁 2    💬 0    📌 1
RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale | Datadog Security Labs Learn how RedisRaider is targeting publicly accessible Redis servers to mine cryptocurrency.

RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale

securitylabs.datadoghq.com/articles/red...

08.05.2025 10:41 — 👍 5    🔁 2    💬 0    📌 0
GuardDog: Strengthening Open Source Security Against Supply Chain Attacks – Open Source Security Foundation

My colleague, Sebastian Obregoso, and I had the privilege of writing a guest post for OpenSSF's blog on how we detect malicious open source packages at @securitylabs.datadoghq.com using GuardDog.

Check it out here: openssf.org/blog/2025/03...

01.04.2025 10:14 — 👍 2    🔁 1    💬 0    📌 0
Malicious Maven packages, SSRFs strike again, and stealing cloud credentials from web applications | Datadog Security Labs This month’s digest has a little bit of everything—cloud threats, supply chain attacks, and a reminder that yes, attackers are still exploiting SSRFs.

The March edition of the Datadog Security Digest is out!

securitylabs.datadoghq.com/newsletters/...

• New MITRE ATT&CK coverage matrix in Stratus Red Team
• Compromised GitHub actions
• Malicious Maven packages
• Exploitation of SSRF vulnerabilities on the rise
• ... and more

27.03.2025 22:21 — 👍 2    🔁 2    💬 0    📌 0
Interested in malicious software packages? Our open-source dataset just hit over 5,000 samples of malicious npm and PyPI packages!

github.com/DataDog/mali...

04.03.2025 09:06 — 👍 4    🔁 1    💬 0    📌 0
The whoAMI name confusion attack, modern phishing tactics, and K8s network security fundamentals | Datadog Security Labs This February edition of the Datadog Security Digest dives into the

The February edition of the Datadog Security Digest is out!

securitylabs.datadoghq.com/newsletters/...

featuring @sethsec.bsky.social, @mccune.org.uk, @karimscloud.bsky.social, @jcfarris.bsky.social, and more

27.02.2025 16:32 — 👍 5    🔁 2    💬 0    📌 0

Last May we shared our research on using AWS non-production endpoints for a variety of attack scenarios against AWS environments. These endpoints are easy to find and provide options for an adversary to evade detection. More recently, we have partnered with AWS to find 1/x

26.02.2025 18:11 — 👍 6    🔁 2    💬 1    📌 0
The Datadog Security Digest is a monthly, practitioner-focused newsletter.

Don't miss our February edition going live tomorrow!

securitylabs.datadoghq.com/newsletters/...

26.02.2025 11:55 — 👍 5    🔁 4    💬 0    📌 0
whoAMI attacks give hackers code execution on Amazon EC2 instances Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name.

Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name.

13.02.2025 18:35 — 👍 14    🔁 3    💬 0    📌 0
We're also releasing a new open-source tool, whoAMI-scanner, to scan for malicious AMIs in your environment!

github.com/DataDog/whoA...

12.02.2025 15:29 — 👍 2    🔁 0    💬 0    📌 0
whoAMI: A cloud image name confusion attack | Datadog Security Labs Detailing the discovery and impact of the whoAMI cloud image name confusion attack, which could allow attackers to execute code within AWS accounts due to a vulnerable pattern in AMI retrieval.

We discovered a pattern in the way many projects retrieve Amazon Machine Images (AMIs), allowing attackers to publish AMIs with specially crafted names and gain code execution within vulnerable accounts.

securitylabs.datadoghq.com/articles/who...

by @sethsec.bsky.social

12.02.2025 15:29 — 👍 8    🔁 5    💬 1    📌 1
Kubernetes security fundamentals: Networking | Datadog Security Labs A look at how network security works in Kubernetes

Kubernetes security fundamentals: Networking by @mccune.org.uk

securitylabs.datadoghq.com/articles/kub...

30.01.2025 10:41 — 👍 7    🔁 1    💬 0    📌 0
Datadog threat roundup: top insights for Q4 2024 | Datadog Security Labs Threat insights from Datadog Security Labs for Q4 2024.

Threat insights from Datadog Security Labs for Q4 2024

securitylabs.datadoghq.com/articles/202...

28.01.2025 15:14 — 👍 5    🔁 5    💬 0    📌 0
Threat Actor Publishing Fake GitHub PoCs, Effective Remote Work Habits, and a Methodology for Migrating Off IMDSv1 | Datadog Security Labs In our first 2025 edition, read about a threat actor Datadog uncovered, tips for better remote work, and how to stay away from IMDSv1 in AWS.

The January edition of the Datadog Security Digest newsletter is out!

securitylabs.datadoghq.com/newsletters/...

27.01.2025 17:15 — 👍 7    🔁 2    💬 0    📌 0
Escalating privileges to read secrets with Azure Key Vault access policies | Datadog Security Labs Azure Key Vault Contributors are not allowed access to Key Vault keys, certificates, and secrets. But did you know they can still gain access to this sensitive data? This post will cover a privilege e...

"Escalating privileges to read secrets with Azure Key Vault access policies" by @siigil.bsky.social

securitylabs.datadoghq.com/articles/esc...

17.12.2024 10:20 — 👍 15    🔁 7    💬 0    📌 0
Getting a taste of your own medicine: Threat actor MUT-1244 targets offensive actors, leaking hundreds of thousands of credentials | Datadog Security Labs This post describes an in-depth investigation by Datadog security researchers into a threat actor dubbed MUT-1244, which targets other malicious actors as well as security practitioners and academics.

In-depth investigation by Datadog security researchers into a threat actor dubbed MUT-1244, which targets other malicious actors as well as security practitioners and academics.

securitylabs.datadoghq.com/articles/mut...

16.12.2024 13:11 — 👍 4    🔁 2    💬 0    📌 1
"Tales from the cloud trenches: Unwanted visitor"

securitylabs.datadoghq.com/articles/tal...

This post describes an attacker that we've observed in the wild, including a malicious AWS account ID used to create a backdoor IAM role.

11.12.2024 21:43 — 👍 20    🔁 6    💬 0    📌 0
AWS re:Invent 2024 - Beyond just observing, protecting your whole software supply chain (SEC406) (YouTube video by AWS Events)

Watch Andrew Krug and Zack Allen's (@techy.detectionengineering.net) talk at re:Invent 2024 on software supply-chain security, featuring our open-source projects Guarddog and SCFW, along with insights on real-world malicious packages

www.youtube.com/watch?v=1b0R...

11.12.2024 09:56 — 👍 3    🔁 0    💬 0    📌 0
Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages | Datadog Security Labs Release of Supply-Chain Firewall, an open source tool for preventing the installation of malicious PyPI and npm packages

Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages

securitylabs.datadoghq.com/articles/int... by @ikretz.bsky.social

New open-source tool designed to transparently block known malicious PyPI and npm packages.

github.com/DataDog/supp...

06.12.2024 12:33 — 👍 10    🔁 6    💬 1    📌 0
Stratus Red Team v2.20.0 is now available, with great contributions from @flekyy90.bsky.social allowing you to reproduce AWS TTPs seen in the wild!

➔ Use GetFederationToken to generate temporary credentials

➔ Use SendSerialConsoleSSHPublicKey to pivot to EC2 instances

github.com/DataDog/stra...

04.12.2024 16:20 — 👍 13    🔁 9    💬 1    📌 2