
Posts by Datadog Security Labs

Compromised axios npm package delivers cross-platform RAT | Datadog Security Labs An attacker hijacked an axios maintainer's npm account to publish malicious releases that deliver a cross-platform RAT.

Compromised axios npm package delivers cross-platform RAT

securitylabs.datadoghq.com/articles/axi...

1 week ago 4 4 0 0

LiteLLM compromised on PyPI: Tracing the March 2026 TeamPCP supply chain campaign

securitylabs.datadoghq.com/articles/lit...

2 weeks ago 2 2 0 1
When an AI agent came knocking: Catching malicious contributions in Datadog’s open source repos | Datadog Learn how Datadog detected and resolved issues from hackerbot-claw, an AI-powered automated attack campaign.

When an AI agent came knocking: Catching malicious contributions in Datadog’s open source repos

www.datadoghq.com/blog/enginee...

1 month ago 7 2 0 0
Behind the console: Active phishing campaign targeting AWS console credentials | Datadog Security Labs Datadog Security Research identified an active adversary-in-the-middle (AiTM) phishing campaign targeting AWS Console credentials via typosquatted domains that mimic AWS infrastructure.

Behind the console: Active phishing campaign targeting AWS console credentials

securitylabs.datadoghq.com/articles/beh...

1 month ago 2 0 0 1
Hook, line, and vault: A technical deep dive into the 1Phish kit | Datadog Security Labs We analyze the evolution of the 1Phish phishing kit from a basic credential harvester into an MFA-aware, multi-stage phishing kit targeting 1Password users.

Hook, line, and vault: A technical deep dive into the 1Phish kit targeting 1Password users

securitylabs.datadoghq.com/articles/hoo...

1 month ago 1 1 0 0

Tech impersonators: ClickFix and MacOS infostealers

securitylabs.datadoghq.com/articles/tec...

2 months ago 1 0 0 0
Tech impersonators: ClickFix and MacOS infostealers | Datadog Security Labs Datadog identified an active campaign employing fake GitHub repositories impersonating software companies and leveraging the ClickFix initial access technique to deliver macOS infostealers.

Tech impersonators: ClickFix and MacOS infostealers

securitylabs.datadoghq.com/articles/tec...

2 months ago 2 1 0 0
Introducing IDE-SHEPHERD: Your shield against threat actors lurking in your IDE | Datadog Security Labs IDE-SHEPHERD is an open-source IDE security extension that provides real-time monitoring and protection for VS Code and Cursor. It intercepts malicious process executions, monitors network activity, a...

IDE-SHEPHERD is a new open source project to identify malicious VSCode and Cursor extensions at runtime

Announcement: securitylabs.datadoghq.com/articles/ide...
GitHub: github.com/DataDog/IDE-...

2 months ago 1 1 0 1
Decoding the GitHub recommendations for npm maintainers | Datadog Security Labs This blog post explores the rationale and implementation behind GitHub's security recommendations for npm maintainers following numerous high-profile supply-chain incidents. It details how hardening p...

Decoding the GitHub recommendations for npm maintainers

securitylabs.datadoghq.com/articles/dec...

by @phrawzty.com

3 months ago 0 3 0 1

Introducing Pathfinding.cloud, a library of privilege escalation paths in AWS

securitylabs.datadoghq.com/articles/int...

by @sethsec.bsky.social

3 months ago 6 3 0 0

Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users

securitylabs.datadoghq.com/articles/inv...

4 months ago 2 2 0 1

Update: A PoC was made available on GitHub by a security engineer. Our post was updated to reflect this new information, along with an illustration of how the exploit works.

4 months ago 0 0 0 1

CVE-2025-55182 (React2Shell): Remote code execution in React Server Components and Next.js

securitylabs.datadoghq.com/articles/cve...

4 months ago 6 4 1 0
2025 threat reports, Kubernetes version adoption, and how attackers use AI | Datadog Security Labs This edition covers 2025 threat reports, Kubernetes version adoption, and how attackers use AI

The November Datadog Security Digest is out!

• A 2025 look at real-world Kubernetes version adoption by @mccune.org.uk
• Datadog threat roundup: Top insights for Q3 2025
• Analyzing network traffic from coding agents

... and more!

securitylabs.datadoghq.com/newsletters/...

4 months ago 4 2 0 0

A few days ago, a new piece of malware started spreading in npm, compromising and backdooring hundreds of legitimate npm packages and GitHub users. Read the analysis from our security research team:

securitylabs.datadoghq.com/articles/sha...

4 months ago 6 5 0 1
MUT-4831: Trojanized npm packages deliver Vidar infostealer malware | Datadog Security Labs Analysis of a threat actor campaign targeting Windows users with Vidar infostealer malware via malicious npm packages

MUT-4831: Trojanized npm packages deliver Vidar infostealer malware

securitylabs.datadoghq.com/articles/mut...

5 months ago 1 0 0 0

In this post, Lorenzo Susini demonstrates that runtime security can be valuable to identify software supply chain attacks. As an example, this is the process tree of a malicious npm package harvesting credentials

5 months ago 1 0 0 0
A runtime security approach to detecting supply chain attacks | Datadog Security Labs Detecting software supply chain attacks through runtime security.

A runtime security approach to detecting supply chain attacks

securitylabs.datadoghq.com/articles/sup...

by Lorenzo Susini, Detection Engineer

5 months ago 2 0 1 0
Datadog threat roundup: Top insights for Q3 2025 | Datadog Security Labs Threat insights from Datadog Security Labs for Q3 2025.

Datadog threat roundup: Top insights for Q3 2025

securitylabs.datadoghq.com/articles/202...

5 months ago 1 0 0 0
Learnings from recent npm supply chain compromises | Datadog Security Labs A look at recent npm supply chain compromises and how we can learn from them to better prepare for future incidents.

Learnings from recent npm supply chain compromises

securitylabs.datadoghq.com/articles/lea...

5 months ago 3 0 0 0
The State of Cloud Security, MCP Risks, and Azure vulnerabilities | Datadog Security Labs This edition covers The State of Cloud Security, MCP Risks, and Azure vulnerabilities

The October edition of the Datadog Security Digest is out!

securitylabs.datadoghq.com/newsletters/...

5 months ago 2 0 0 1
CoPhish: Using Microsoft Copilot Studio as a wrapper for OAuth phishing | Datadog Security Labs Copilot Studio links look benign, but they can host content to redirect users to arbitrary URLs. In this post, we document a method by which a Copilot Studio agent's login settings can redirect a user...

CoPhish: Using Microsoft Copilot Studio as a wrapper for OAuth phishing

securitylabs.datadoghq.com/articles/cop...

by @siigil.bsky.social

5 months ago 3 2 0 0
State of Cloud Security | Datadog For our 2025 report, we analyzed AWS, Google Cloud, and Azure data from thousands of organizations to understand the latest trends in cloud security posture.

Our State of Cloud Security 2025 study is out!

www.datadoghq.com/state-of-clo...

• On AWS, 40% of organizations leverage data perimeters
• 11% of Google Cloud GKE and 23% of Google Cloud VMs are overprivileged
• On Azure, 1.3% of storage containers are public, 58% proactively block public access

6 months ago 8 4 1 1
npm supply chain attacks, Amazon Bedrock security, and MCP vulnerabilities | Datadog Security Labs This edition covers three major supply chain attacks targeting npm, two MCP security vulnerabilities, and multiple posts related to the Amazon Bedrock service.

The September edition of the Datadog Security Digest is out: securitylabs.datadoghq.com/newsletters/...

6 months ago 0 0 0 0
Q2 threat report, prompt injection, and fwd:cloudsec Europe | Datadog Security Labs This edition covers Datadog's Q2 threat report, new cloud security research, AI security vulnerabilities, application security findings, and upcoming community events

In case you missed it, the August edition of the Datadog Security Digest went out last week!

securitylabs.datadoghq.com/newsletters/...

7 months ago 1 0 0 0
CVE-2025-52882: WebSocket authentication bypass in Claude Code extensions | Datadog Security Labs A critical vulnerability in older versions of the Claude Code for Visual Studio Code (VS Code) and other IDE extensions allowed malicious websites to connect to unauthenticated local WebSocket servers...

CVE-2025-52882: WebSocket authentication bypass in Claude Code extensions (patched)

securitylabs.datadoghq.com/articles/cla...

Zander Mackie

7 months ago 1 0 0 0
MCP vulnerability case study: SQL injection in the Postgres MCP server | Datadog Security Labs Learn how a vulnerability in Anthropic's reference Postgres MCP server allowed us to bypass the read-only restriction and execute arbitrary SQL statements.

MCP vulnerability case study: SQL injection in the Postgres MCP server. Comes with a full reproducible proof-of-concept

securitylabs.datadoghq.com/articles/mcp...

by Santiago Mola

7 months ago 1 2 0 0
Enumerating AWS the quiet way: CloudTrail-free discovery with Resource Explorer | Datadog Security Labs Discover how attackers could quietly enumerate AWS resources via Resource Explorer, and how Datadog and AWS worked together to close the visibility gap.

Enumerating AWS the quiet way: CloudTrail-free discovery with Resource Explorer

by @frichetten.com

securitylabs.datadoghq.com/articles/enu...

7 months ago 5 4 0 0
Preparing for Hacker Summer Camp and a new cloud image investigator | Datadog Security Labs This month’s digest covers Hacker Summer Camp prep, a new cloud image investigator, and supply-chain vulnerabilities associated with the Open VSX Registry.

The July edition of the Datadog Security Digest is out!

securitylabs.datadoghq.com/newsletters/...

• Cloud image investigator by @sethsec.bsky.social
• Our top picks for Black Hat / DEF CON
• A benchmark for LLM coding accuracy and security
• Malicious Homebrew installation campaign
... and more

8 months ago 6 2 0 0
Datadog guide to Hacker Summer Camp 2025 | Datadog Security Labs Get ready to take on Hacker Summer Camp with our guide on planning, prepping, and schedules for Datadog events.

Datadog guide to Hacker Summer Camp 2025, and the top 50 talks we're excited about

securitylabs.datadoghq.com/articles/hac...

8 months ago 1 0 0 1