LLMs, leaks, and exploits - From AI threats to GitHub attacks

Welcome to the April 2025 edition of the Datadog Security Digest!
From emerging threats in AI and LLM integrations to critical vulnerabilities in popular frameworks and developer tools, this month’s security landscape is packed with lessons and alerts. We dive into the rise of the Model Context Protocol (MCP), a wave of supply chain attacks, and the latest efforts in threat detection and response. Whether you're tracking CVEs or securing your CI pipeline, there's something here for every security-minded reader.
This newsletter was curated by a human rather than by using MCP and a browser! Your human of the month is Rory McCune.
AI and LLM security
MCP is gaining momentum while presenting security challenges
MCP, which extends LLM capabilities to use external systems, has gained a lot of traction as new MCP servers pop up daily. Of course, as with any emergent technology, there are security challenges to address. One of the main challenges is the risk of prompt injection. Simon Willison has a roundup of some of the key issues. Omar Santos also provides a deep dive into MCP security on the Cisco community security blog.
Google announces Sec-Gemini v1, a new experimental cybersecurity model
As the LLM field continues to expand, we're seeing more specialized models dedicated to specific areas of knowledge and tasks. Google is releasing Sec-Gemini v1, a specialized cybersecurity model that touts access to up-to-date security information as a key benefit that general models can lack. In this post, Elie Bursztein and Marianna Tishchenko from the Sec-Gemini team explain the benefits they see from using this kind of specialized model.
Application security
CVE-2025-29927: The Next.js middleware authorization bypass vulnerability
A new vulnerability was found in the popular Next.js framework. The vulnerability allows attackers to bypass authorization checks in affected applications. The Datadog Security Research team explains the vulnerability and provides details of real-world exploitation.
Supply chain security
GuardDog: Strengthening open source security against supply chain attacks
Managing supply chain risks is increasingly difficult as threat actors target popular language ecosystems with a variety of attacks designed to compromise applications via their dependencies. On the OpenSSF Blog, Ian Kretz and Sebastián Obregoso explain how Datadog's open source GuardDog project helps to protect application developers by discovering malicious dependencies in npm and PyPI.
Mining in plain sight: The VS Code extension cryptojacking campaign
Visual Studio Code plugins are another frontier in the supply chain security world that's attracting more attention from attackers and researchers at the moment. In this post, Yuval Ronen from ExtensionTotal provides details about a cryptocurrency mining campaign of malicious VS Code extensions that targeted developers.
CodeQLEAKED – Public secrets exposure leads to supply chain attack on GitHub CodeQL
GitHub is a foundational part of the development processes for many organizations, so attacks on its software and services can have significant effects. This post from John Stawinski of Praetorian details a vulnerability in a piece of software provided by GitHub for CodeQL scanning. The investigation starts with a secret exposed by GitHub that leads to the potential for an attacker to push code to a GitHub repository used by any organization that uses GitHub's CodeQL action.
GitHub Actions and the pinning problem: What 100 security projects reveal
Another post about GitHub Actions explores how well open source projects mitigate the risk of malicious actions. The post provides detail about how popular projects do (or don't) pin the actions they use. It also discusses some of the complexity of pinning when there are hierarchies of actions in use and when there are transitive dependencies that might not follow good practice.
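The pinning check that post surveys can be scripted. The following is an added example, not code from the post or from any project it examines: it classifies each `uses:` reference in a workflow as an immutable commit SHA, a mutable tag or branch, or a local/Docker reference. The workflow text and the 40-character SHA in it are constructed placeholders.

```python
import re

# Constructed sample workflow (not from any real project); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: echo hello
"""

# Matches step-level and job-level (reusable workflow) `uses:` lines.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")


def classify(ref: str) -> str:
    """Return how an action reference is pinned: sha, tag, branch, unpinned, local or docker."""
    if ref.startswith("./"):
        return "local"          # lives in this repo; pinned by the checkout itself
    if ref.startswith("docker://"):
        return "docker"         # image tags are mutable too, but pinning works differently
    if "@" not in ref:
        return "unpinned"       # resolves to the action's default branch
    version = ref.rpartition("@")[2]
    if SHA_RE.match(version):
        return "sha"            # full commit SHA: the only immutable form
    if TAG_RE.match(version):
        return "tag"            # git tags can be moved, so this is mutable
    return "branch"


def audit(workflow_text: str) -> list[tuple[str, str]]:
    """List every (reference, classification) pair found in the workflow text."""
    return [(ref, classify(ref)) for ref in USES_RE.findall(workflow_text)]


def mutable_refs(workflow_text: str) -> list[str]:
    """References that could change under the project's feet; transitive uses
    inside a pinned action's own action.yml are not seen here."""
    return [r for r, kind in audit(workflow_text) if kind in ("tag", "branch", "unpinned")]
```

The mutable-reference list is the starting point; checking the actions that a pinned composite action itself pulls in requires fetching that action at the pinned SHA and running the same check on its definition.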
Container security
Evaluating container security with Container Hardening Priorities: Some CHPs for your SLSA
Chainguard has recently released a standard and tooling to help organizations prioritize their container image hardening efforts. Container Hardening Priorities (CHPs) provide guidance about which steps to take to improve the security posture of a specific container image. In this post, Adrian Mouat details the motivation and background for this new standard and explains how to get started with it.
Threat detection and incident response
CrushFTP exploitation continues amid disclosure dispute
Recent attacks on CrushFTP file transfer software show some interesting aspects of vulnerability disclosure and attacker behavior. These attacks follow the trend of attackers targeting external-facing software that has access to sensitive information. This post from Rob Wright of Dark Reading focuses on some of the problems of vulnerability disclosure and CVE assignment, with CrushFTP disputing the initially applied CVE.
My 2025 detection philosophy and the pursuit of immutable artifacts
A perennial problem of threat detection is knowing what to log and how to effectively detect attacks. In this post, Daniel Koifman details his approach to this problem by focusing on the key aspects of attacks that do not change regardless of what tool was used to execute the attacks. These "immutable artifacts" are key to creating high-quality detections.
Community events and talks
Datadog’s Christophe Tafani-Dereeper appeared on the NoLimitSecu podcast to discuss supply chain security (in French).
At Google Cloud Next in Las Vegas, Datadog’s Megan Roddie-Fonseca discussed some of the dangers of Google Cloud default service accounts. Megan explored details of how excessive permissions can be granted and addressed how this risk can be mitigated.
Find the Security Labs team at RSA
Datadog Security Labs researchers are leading four main stage sessions at RSA. The researchers will also be present when Datadog hosts several informal networking happy hours at the event.