Axios compromised, unpatchable Kubernetes vulns, and all things AI security
Welcome to the April 2026 edition of the Datadog Security Digest!
This edition covers the axios compromise, two deep dives into unpatchable Kubernetes vulnerabilities, and all things AI security. We hope you enjoy catching up on the latest in cloud security!
This newsletter was created by real people, not a machine. Your curator of the month is Kennedy Toomey.
Compromised axios npm package delivers cross-platform RAT
At the end of March, axios was compromised as attackers hijacked a maintainer’s account and added a trojanized dependency. Our own Christophe Tafani-Dereeper detailed what happened, analyzed the payload, and provided guidance to prevent similar attacks.
AI security
Assessing Claude Mythos Preview’s cybersecurity capabilities
Learn how Claude Mythos Preview can identify zero-day vulnerabilities, including chaining multiple issues into complex exploits, and uncover hard-to-detect flaws that have gone unnoticed for over a decade.
When an attacker meets a group of agents: Navigating Amazon Bedrock's multi-agent applications
Follow along as Jay Chen and Royce Lu examine the capabilities of multi-agent collaboration with Amazon Bedrock Agents from a red-team perspective. Understand what built-in protections exist and how to defend against possible attacks.
NomShub: Weaponizing Cursor's remote tunnel through indirect prompt injection and sandbox breakout
A critical vulnerability chain affecting Cursor, named NomShub, allows an attacker to gain persistent, authenticated shell access to a machine when a malicious repository is opened. Indirect prompt injection is combined with two security failures, sandbox breakout and tunnel hijack, to create this vulnerability.
Critical vulnerability in Claude Code emerges days after source leak
The Claude Code source code was not the only problem that Anthropic faced at the end of March. A critical vulnerability was discovered that could allow hard-blocked deny rules to be bypassed.
Inside an AI-enabled device code phishing campaign
Microsoft identified a phishing campaign that circumvented the standard expiration window for device codes. The research highlighted that AI-driven infrastructure was used instead of the static scripts that we’ve seen in the past.
Supply chain security
Attackers are hunting high-impact Node.js maintainers in a coordinated social engineering campaign
The compromised axios maintainer was not the only one to receive a targeted social engineering attack. Learn more about who else was targeted, how the attack works, and why open source maintainers are now the targets.
The case for dependency cooldowns in a post-Axios world
Supply chain attacks are not going away anytime soon. Learn about the dangers of installing dependencies within a day of release and how dependency cooldowns can help slow the spread of certain attacks.
Open source security at Astral
Astral, builders of next-generation Python tooling, share techniques on how they secure their tools to help users, maintainers, and CI/CD developers. They highlight their approach to CI/CD security, including automations, releases, and dependencies.
Bitwarden CLI compromised in ongoing Checkmarx supply chain campaign
Bitwarden, a popular password manager, was briefly impacted by a supply chain attack linked to a broader campaign targeting Checkmarx. A malicious version of the Bitwarden CLI was published to npm and available for less than two hours. The incident affected the CLI package distribution, not users’ vault data.
Cloud security
Unpatchable vulnerabilities of Kubernetes: CVE-2020-8561
Rory McCune continues his series detailing unpatchable Kubernetes vulnerabilities, this time highlighting a vector for server-side request forgery (SSRF). Learn more about the technical details of this CVE and mitigations to prevent exploitation.
Unpatchable vulnerabilities of Kubernetes: CVE-2020-8562
One deep dive into an unpatchable Kubernetes vulnerability wasn’t enough! In another addition to the series, Rory details the potential to bypass the Kubernetes API server proxy by exploiting a time-of-check to time-of-use (TOCTOU) vulnerability.
Community events and talks
Catch up on [un]prompted talks
The first [un]prompted took place in San Francisco at the beginning of March. Datadog’s Arthi Nagarajan delivered “Exploring the AI Automation Boundary for Threat Hunting at Datadog,” and Olivia Gallucci delivered “macOS Vulnerability Research: Augmenting Apple’s Source Code and OS Logs with AI Agents” at the conference.
