Pathfinding.cloud, Prompt Injection Taxonomy, and spectacular vulnerability disclosure write-ups

Welcome to the January 2026 edition of the Datadog Security Digest!


This edition covers the launch of an AWS IAM privilege escalation knowledge base, a prompt injection knowledge base, and multiple exciting vulnerability disclosure write-ups. We hope you enjoy catching up on the latest in cloud, AI, and application security!


This newsletter was created by real people, not a machine. Your curators of the month are Seth Art and Daniel Maher.

Introducing Pathfinding.cloud

Datadog’s Pathfinding.cloud is an extensive knowledge base that documents the IAM permissions and permission sets that allow for privilege escalation in AWS. There are 65 sets of permissions currently documented, with attack visualizations, prerequisites, and remediation recommendations. There’s also a new contributing guide for anyone looking to add missing privilege escalation paths.

Cloud security

Allow one, allow all: When conditional access loses the plot

Graham Gold’s new series “What the Entra Fudge?” is all about the lessons you can learn when diving deep into Entra’s inner workings. In their first post, Graham shares an “expectations vs reality” story about conditional access policies: they only see “user is authenticating to this app” and can’t differentiate by workload type. This is not what many who use conditional access policies expect.

CodeBreach: Hijacking AWS GitHub Repositories via CodeBuild

Yuval Avrahami and Nir Ohfeld from Wiz released some exceptional research that started with looking for AWS-owned GitHub repositories that used CodeBuild to create builds during the CI process and ended with gaining administrative access to AWS’s aws-sdk-js-v3 repo, which is used by the AWS console itself and many, many other projects.

Kubernetes-security.cloud: A Kubernetes security encyclopedia

Muhammad Yuga Nugraha’s newly launched kubernetes-security.cloud is an encyclopedia of terminology, attack patterns, defensive strategies, and tooling relevant to Kubernetes security. The site contains offensive and defensive knowledge base articles that explain how to exploit misconfigurations and how to harden clusters to avoid exploitation.

AI security

Pwning Claude Code in 8 different ways

RyotaK from GMO Flatt Security brought some classic hacking techniques to a shiny new technology and found eight ways to execute arbitrary commands in Claude Code without user approval. Claude Code uses an allowlist for commands, but up until RyotaK’s research, it used a blocklist when it came to command arguments. This blocklist approach fails unless you block every possible command argument that might allow for code execution. Thanks to RyotaK’s disclosure, Anthropic switched to using an allowlist for command arguments in Claude Code v1.0.93 and later!

Arcanum PI Taxonomy: A prompt injection attack classification system

Jason Haddix has released a website for his Arcanum Prompt Injection Taxonomy, which is a fantastic open source resource that defines and categorizes the many types of prompt injection attacks. The best part is that for each attack, he includes multiple example prompts that really help you understand how that attack differs from the others.

Private AI conversation sessions sold for profit by "privacy extensions"

Idan Dardikman at KOI explores a disturbing trend: browser VPN and privacy extensions that are stealing private AI conversations even as they purport to protect them! The extensions, which collectively have millions of downloads across Chrome and Edge, are loaded with very specific code to target popular consumer AI services, including Claude, ChatGPT, Grok, and more. Some of these extensions carry featured and verified badges on the Chrome Web Store, which makes the situation even more alarming.

Application security

Decoding the GitHub recommendations for npm maintainers

GitHub proposed a roadmap for hardening npm's package publishing infrastructure and offered specific guidance on actions that "npm maintainers can take today." While the advice is sound, it is also brief. In this blog post, our very own Daniel Maher explains what the actions refer to, why they are recommended, and how they will help keep the npm ecosystem—and, by extension, the modern internet—safe.

Deep dive into the EmEditor "WALSHAM" supply chain attack

December witnessed an extensive and sophisticated supply chain attack against EmEditor's official download channels. Complementary posts from PurpleOps and Qianxin dive into the attack, starting with an incorrect but cryptographically valid certificate. The threat actors were able to sneak a trojan into the software editor's downloads page that stole application credentials; it even installed a persistent browser extension to capture user input (and more).

Bug bounty hunter publishes write-ups for multiple account takeover vulnerabilities they reported to Meta and Facebook

Youssef Sammouda dropped eight bug bounty write-ups this month, all submitted to, and rewarded by, Meta’s bug bounty program. Many of them involve Facebook and Meta account takeover, and contain some exceptional research and application security exploitation, including this zero-click account takeover that was awarded $250,000.

Community events and talks

Securi-tay 2026

Our own Rory McCune and Daniel Maher will both be presenting at Securi-tay on February 27 (Abertay, UK). Daniel will be talking about software supply chain security, and Rory will be talking about attacker persistence strategies in Kubernetes.

Wild West Hackin' Fest

Datadog is happy to be back at this cult classic conference, and this time we'll be on site with a bunch of detection engineers! Come through and say hi—we'd love to chat and learn more about what's on your mind, security-wise. See you in Denver, February 10-13!

BSides Seattle

Datadog’s Megan Roddie-Fonseca is speaking with Carson Zimmerman at BSides Seattle on February 27. Megan and Carson will be talking about how neurodivergent minds can be a superpower when it comes to pattern matching in the world of cybersecurity.