banner
securitylabs.datadoghq.com
Datadog Security Labs
@securitylabs.datadoghq.com
560 followers 36 following 33 posts
Read our Security Labs blog: https://securitylabs.datadoghq.com Subscribe to our monthly newsletter: https://securitylabs.datadoghq.com/newsletters/
securitylabs.datadoghq.com
Posts Media Videos Starter Packs
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · 17h
Our State of Cloud Security 2025 study is out!

www.datadoghq.com/state-of-clo...

• On AWS, 40% of organizations leverage data perimeters
• 11% of Google Cloud GKE and 23% of Google Cloud VMs are overprivileged
• On Azure, 1.3% of storage containers are public, 58% proactively block public access
State of Cloud Security | Datadog
For our 2025 report, we analyzed AWS, Google Cloud, and Azure data from thousands of organizations to understand the latest trends in cloud security posture.
www.datadoghq.com
4 6
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · 7d
The September edition of the Datadog Security Digest is out: securitylabs.datadoghq.com/newsletters/...
npm supply chain attacks, Amazon Bedrock security, and MCP vulnerabilities | Datadog Security Labs
This edition covers three major supply chain attacks targeting npm, two MCP security vulnerabilities, and multiple posts related to the Amazon Bedrock service.
securitylabs.datadoghq.com
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · Sep 5
In case you missed it, the August edition of the Datadog Security Digest went out last week!

securitylabs.datadoghq.com/newsletters/...
Q2 threat report, prompt injection, and fwd:cloudsec Europe | Datadog Security Labs
This edition covers Datadog's Q2 threat report, new cloud security research, AI security vulnerabilities, application security findings, and upcoming community events
securitylabs.datadoghq.com
1
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · Aug 26
CVE-2025-52882: WebSocket authentication bypass in Claude Code extensions (patched)

securitylabs.datadoghq.com/articles/cla...

Zander Mackie
CVE-2025-52882: WebSocket authentication bypass in Claude Code extensions | Datadog Security Labs
A critical vulnerability in older versions of the Claude Code for Visual Studio Code (VS Code) and other IDE extensions allowed malicious websites to connect to unauthenticated local WebSocket servers...
securitylabs.datadoghq.com
1
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · Aug 21
MCP vulnerability case study: SQL injection in the Postgres MCP server. Comes with a full reproducible proof-of-concept

securitylabs.datadoghq.com/articles/mcp...

by Santiago Mola
MCP vulnerability case study: SQL injection in the Postgres MCP server | Datadog Security Labs
Learn how vulnerability in Anthropic's reference Postgres MCP server allowed us to bypass teh read-only restriction and execute arbitrary SQL statements.
securitylabs.datadoghq.com
2 1
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · Aug 20
Enumerating AWS the quiet way: CloudTrail-free discovery with Resource Explorer

by @frichetten.com

securitylabs.datadoghq.com/articles/enu...
Enumerating AWS the quiet way: CloudTrail-free discovery with Resource Explorer | Datadog Security Labs
Discover how attackers could quietly enumerate AWS resources via Resource Explorer, and how Datadog and AWS worked together to close the visibility gap.
securitylabs.datadoghq.com
4 5
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · Jul 31
The July edition of the Datadog Security Digest is out!

securitylabs.datadoghq.com/newsletters/...

• Cloud image investigator by @sethsec.bsky.social
• Our top picks for Black Hat / DEF CON
• A benchmark for LLM coding accuracy and security
• Malicious Homebrew installation campaign
.. and more
Preparing for Hacker Summer Camp and a new cloud image investigator | Datadog Security Labs
This month’s digest covers Hacker Summer Camp prep, a new cloud image investigator, and supply-chain vulnerabilities associated with the Open VSX Registry.
securitylabs.datadoghq.com
2 6
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · Jul 29
Datadog guide to Hacker Summer Camp 2025, amd the top 50 talks we're excited about

securitylabs.datadoghq.com/articles/hac...
Datadog guide to Hacker Summer Camp 2025 | Datadog Security Labs
Get ready to take on Hacker Summer Camp with our guide on planning, prepping, and schedules for Datadog events.
securitylabs.datadoghq.com
1
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · Jul 21
Beyond Mimo’lette: Tracking Mimo's Expansion to Magento CMS and Docker

securitylabs.datadoghq.com/articles/bey...
Beyond Mimo’lette: Tracking Mimo's Expansion to Magento CMS and Docker | Datadog Security Labs
This post reports on activity from the 'Mimo' threat actor.
securitylabs.datadoghq.com
1 2
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · Jul 16
I SPy: Escalating to Entra ID's Global Admin with a first-party app

securitylabs.datadoghq.com/articles/i-s...

by @siigil.bsky.social
I SPy: Escalating to Entra ID's Global Admin with a first-party app | Datadog Security Labs
Backdooring Microsoft's applications is far from over. Adding service principal credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and led...
securitylabs.datadoghq.com
1 2
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · Jul 15
Kubernetes security fundamentals, part 7: Public Key Infrastructure (PKI)

securitylabs.datadoghq.com/articles/kub...

by @mccune.org.uk
Kubernetes security fundamentals: PKI | Datadog Security Labs
A look at how PKI configuration in Kubernetes clusters works
securitylabs.datadoghq.com
1 6
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · Jul 11
CVE-2025-48384: Git vulnerable to arbitrary file write on non-Windows systems

securitylabs.datadoghq.com/articles/git...
CVE-2025-48384: Git vulnerable to arbitrary file write on non-Windows systems | Datadog Security Labs
Learn more about the emerging vulnerability affecting Git.
securitylabs.datadoghq.com
3 26 40
Reposted by Datadog Security Labs
christophetd.fr
Christophe Tafani-Dereeper @christophetd.fr · Jun 23
Stratus Red Team AWS attack techniques are now mapped to the Threat Technique Catalog for AWS

Stratus Red Team AWS attack techniques: stratus-red-team.cloud/attack-techn...

Threat Technique Catalog by AWS: aws-samples.github.io/threat-techn...
2 7
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · Jun 27
fwd:cloudsec is around the corner! Don't miss these 3 talks from Datadog researchers Seth Sec, Katie Knowles, Greg Foss, and Anthony Randazzo.

fwdcloudsec.org/conference/n...

@sethsec.bsky.social
@siigil.bsky.social
@gregfoss.com
2 4
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · Jun 2
The obfuscation game: Threat actor targets Solidity developers via malicious VS Code extensions

securitylabs.datadoghq.com/articles/mut...

(published May 21, 2025)
The obfuscation game: MUT-9332 targets Solidity developers via malicious VS Code extensions | Datadog Security Labs
Analysis of a threat actor campaign targeting Solidity developers via three malicious VS Code extensions
securitylabs.datadoghq.com
1 2 2
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · May 15
"Tales from the cloud trenches: The Attacker doth persist too much, methinks"

securitylabs.datadoghq.com/articles/tal...

New tactics observed include:
• Persistence-as-a-service with an external facing API Gateway
• Persistence through AWS SSO
• ConsoleLogin events from Telegram IP addresses
Tales from the cloud trenches: The Attacker doth persist too much, methinks | Datadog Security Labs
A cloud attack targeting Amazon SES and persistence via AWS Lambda, AWS IAM Identity Center and AWS IAM
securitylabs.datadoghq.com
2 10
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · May 8
RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale

securitylabs.datadoghq.com/articles/red...
RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale | Datadog Security Labs
Learn how RedisRaider is targeting publicly accecesibly Redis servers to mine crypocurrency.
securitylabs.datadoghq.com
2 5
Reposted by Datadog Security Labs
ikretz.bsky.social
Ian Kretz @ikretz.bsky.social · Apr 1
My colleague, Sebastian Obregoso, and I had the privilege of writing a guest post for OpenSSF's blog on how we detect malicious open source packages at @securitylabs.datadoghq.com using GuardDog.

Check it out here: openssf.org/blog/2025/03...
GuardDog: Strengthening Open Source Security Against Supply Chain Attacks – Open Source Security Foundation
openssf.org
1 2
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · Mar 27
The March edition of the Datadog Security Digest is out!

securitylabs.datadoghq.com/newsletters/...

• New MITRE ATT&CK coverage matrix in Stratus Red Team
• Compromised GitHub actions
• Malicious Maven packages
• Exploitation of SSRF vulnerabilities on the rise
• ... and more
Malicious Maven packages, SSRFs strike again, and stealing cloud credentials from web applications | Datadog Security Labs
This month’s digest has a little bit of everything—cloud threats, supply chain attacks, and a reminder that yes, attackers are still exploiting SSRFs.
securitylabs.datadoghq.com
2 2
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · Mar 4
Interested in malicious software packages? Our open-source dataset just hit over 5,000 samples of malicious npm and PyPI packages!

github.com/DataDog/mali...
1 4
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · Feb 27
The February edition of the Datadog Security Digest is out!

securitylabs.datadoghq.com/newsletters/...

featuring @sethsec.bsky.social, @mccune.org.uk, @karimscloud.bsky.social, @jcfarris.bsky.social, and more
The whoAMI name confusion attack, modern phishing tactics, and K8s network security fundamentals | Datadog Security Labs
This February edition of the Datadog Security Digest dives into the
securitylabs.datadoghq.com
2 5
Reposted by Datadog Security Labs
frichetten.com
Nick Frichette @frichetten.com · Feb 26
Last May we shared our research on using AWS non-production endpoints for a variety of attack scenarios against AWS environments. These endpoints are easy to find and provide options for an adversary to evade detection. More recently, we have partnered with AWS to find 1/x
1 2 6
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · Feb 26
The Datadog Security Digest is a monthly, practitioner-focused newsletter.

Don't miss our February edition going live tomorrow!

securitylabs.datadoghq.com/newsletters/...
4 5
Reposted by Datadog Security Labs
bleepingcomputer.com
BleepingComputer @bleepingcomputer.com · Feb 13
Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name.
whoAMI attacks give hackers code execution on Amazon EC2 instances
Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name.
www.bleepingcomputer.com
3 14
securitylabs.datadoghq.com
Datadog Security Labs @securitylabs.datadoghq.com · Feb 12
We're also releasing a new open-source tool, whoAMI-scanner, to scan for malicious AMIs in your environment!

github.com/DataDog/whoA...
2