Malicious VS Code extensions, fwd:cloudsec is around the corner, and weaponizing Dependabot

Welcome to the June 2025 edition of the Datadog Security Digest!
This month’s digest covers attackers targeting cloud environments and developers, a smart way to abuse Dependabot, and exciting upcoming talks at fwd:cloudsec North America.
This newsletter was curated by a human, not an LLM. Your human of the month is Christophe Tafani-Dereeper.
Cloud security
Threat technique catalog for AWS
AWS released a list of attack techniques they have seen in customer environments. It includes things you'd expect, like creating an IAM user, but also more exotic strategies such as persisting with an API Gateway, as we witnessed ourselves a few weeks ago. It also comes with CloudTrail event names for each technique.
Persisting unseen: Defending against Entra ID persistence
Our own researcher Katie Knowles shares a deep dive into how attackers can (and do) backdoor Entra ID tenants. Starting from the basics, Katie explores advanced techniques such as using administrative units (AUs) to hide malicious accounts.
Tighter defaults for AWS IAM OIDC providers
Two years ago, we found a number of AWS IAM roles whose trust policy let a GitHub Actions workflow from any repository assume them: the policy accepted tokens from the GitHub OIDC provider without restricting the token's sub claim, which is what ties a token to a specific repository. As of June 6, AWS automatically blocks the creation of such roles when you work with GitHub, GitLab, Terraform Cloud, and more. This closes a whole class of vulnerabilities for new roles, although existing vulnerable roles remain an issue and still need to be found and fixed.
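What such a role looks like in practice, as an added example that is not part of the newsletter and not Datadog's or AWS's tooling: a small Python check that reads a role's trust policy and reports any statement that a GitHub Actions token from any repository could satisfy, next to the hardened form that pins the sub claim to one repository. The trust policies, account ID, statement IDs, and repository name are constructed for the example; the check only covers the GitHub provider, not the other providers AWS mentions.

```python
"""Flag IAM role trust policies that any GitHub Actions workflow can satisfy.

Added example (not Datadog's or AWS's code): it looks for the property the
newsletter describes, a GitHub OIDC trust policy that never pins the token's
sub claim to a repository. The account ID, statement IDs and repository
name below are constructed for this example.
"""

GITHUB_PROVIDER = "token.actions.githubusercontent.com"
WEB_IDENTITY_ACTION = "sts:AssumeRoleWithWebIdentity"


def _as_list(value):
    """IAM lets most policy fields be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _sub_values(condition):
    """Collect every value bound to <provider>:sub under any condition operator."""
    values = []
    for _operator, pairs in (condition or {}).items():
        for key, val in pairs.items():
            if key.lower() == f"{GITHUB_PROVIDER}:sub":
                values.extend(str(v) for v in _as_list(val))
    return values


def _pins_repository(sub_value):
    """True if a sub pattern names one owner and one repository without wildcards.

    GitHub issues sub claims shaped like "repo:<owner>/<repo>:<ref or env>".
    Patterns such as "*" or "repo:*" match any repository on GitHub, so they
    do not count; org-wide patterns ("repo:example-org/*:*") are treated as
    unpinned here as well, loosen that if your policy allows them.
    """
    if not sub_value.startswith("repo:"):
        return False
    owner_repo = sub_value[len("repo:"):].split(":", 1)[0]
    owner, _, name = owner_repo.partition("/")
    return bool(owner) and bool(name) and "*" not in owner and "*" not in name


def open_github_statements(trust_policy):
    """Return the Sid (or index) of each statement any GitHub repository can use."""
    findings = []
    for index, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if WEB_IDENTITY_ACTION not in _as_list(stmt.get("Action")):
            continue
        federated = _as_list((stmt.get("Principal") or {}).get("Federated"))
        if not any(GITHUB_PROVIDER in arn for arn in federated):
            continue  # not a GitHub OIDC statement
        if not any(_pins_repository(v) for v in _sub_values(stmt.get("Condition"))):
            findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings


def _github_policy(sid, condition):
    """Build a constructed trust policy for the sample cases below."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_PROVIDER}"},
            "Action": WEB_IDENTITY_ACTION,
            "Condition": condition,
        }],
    }


# Vulnerable: only the audience is checked, so a token from any repository passes.
VULNERABLE_TRUST_POLICY = _github_policy("GitHubAnyRepo", {
    "StringEquals": {f"{GITHUB_PROVIDER}:aud": "sts.amazonaws.com"},
})

# Still vulnerable: a sub condition exists but its wildcard matches every repository.
WILDCARD_SUB_TRUST_POLICY = _github_policy("GitHubWildcardSub", {
    "StringEquals": {f"{GITHUB_PROVIDER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{GITHUB_PROVIDER}:sub": "repo:*"},
})

# Hardened: the sub claim is pinned to one repository (any ref or environment in it).
HARDENED_TRUST_POLICY = _github_policy("GitHubOneRepo", {
    "StringEquals": {f"{GITHUB_PROVIDER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{GITHUB_PROVIDER}:sub": "repo:example-org/example-repo:*"},
})

if __name__ == "__main__":
    for name, policy in [("vulnerable", VULNERABLE_TRUST_POLICY),
                         ("wildcard sub", WILDCARD_SUB_TRUST_POLICY),
                         ("hardened", HARDENED_TRUST_POLICY)]:
        print(f"{name}: open statements = {open_github_statements(policy)}")
```

To run it over real roles, feed open_github_statements the AssumeRolePolicyDocument returned by aws iam get-role for each role in the account; the roles that come back with findings are the existing ones the new AWS default does not retroactively fix.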
Supply-chain security
Malicious VS Code extensions targeting smart-contract developers
Datadog's security research team identified several malicious VS Code extensions targeting developers who use Solidity, a language for writing smart contracts on the Ethereum blockchain. After several stages of deobfuscation and payload downloads, the extensions drop the Quasar Remote Access Trojan (RAT) on the infected machine. One interesting technique: a piece of the malicious code is hidden inside the metadata of an image.
Open dataset of malicious software packages
We're continuing to maintain our open dataset of malicious PyPI and npm packages, now counting over 7,800 samples. It's exciting to see research papers that make use of the dataset. If you're looking for a research project, want to see what malicious packages look like in the wild, or just have too much free time on your hands, dig through it!
Application security
Weaponizing Dependabot
Dependabot is great for keeping third-party libraries up to date, but it can become noisy when you have a lot of them. A number of repositories solve this problem by automatically merging Dependabot pull requests. Unfortunately, there's a clever way for attackers to trigger Dependabot PRs that include malicious code.
Fun with CVSS scores
CVSS scores are the de facto standard for prioritizing vulnerabilities. Jacques Chester shares an in-depth and interactive post about the inner workings of this scoring mechanism. We never would have thought that playing around with CVSS scores could be so entertaining!
Using LLMs to prioritize vulnerabilities
Can you take all your vulnerabilities, throw them at an LLM, and hope it'll tell you what to fix first? That's the question that Daniel Grzelak tries to answer in this post. Spoiler: No—but it can be a valuable approach if you tell the LLM what you care about and your input has enough metadata to be contextualized.
Threat detection and incident response
GitHub device code phishing
Azure and AWS device code phishing is a known and risky attack vector that completely bypasses controls such as MFA and device posture checks. The Praetorian team shares how they've used a similar technique in engagements to compromise GitHub accounts.
Russian-affiliated threat actor targeting Microsoft 365 and Entra ID environments
Invictus IR is at it again, reporting on a threat actor they've seen compromise cloud environments in the wild. The threat actor uses stolen session cookies, spear phishing emails, and residential proxies—not a great mix when you're a defender.
A crash course on information stealers
Infostealers are a common type of malware that attempt to steal your credentials, session cookies, and other data. Lindsey O'Donnell-Welch shares a great history of infostealers and law enforcement operations that target them.
Community events and talks
fwd:cloudsec North America is around the corner
fwd:cloudsec North America is a vendor-neutral cloud security conference for practitioners. It's taking place on June 30–July 1 in Denver, Colorado, and is livestreamed for free. Besides being a Gold sponsor for the event, we also have no fewer than three talks from our researchers:
- whoAMI: Discovering and exploiting a large-scale AMI name confusion attack
- Patience brings prey: Lessons learned from a year of threat hunting in the cloud
- I SPy: Rethinking Entra ID research for new paths to Global Admin
You can get notified when the livestream starts by signing up for email updates.
Datadog Detect talks are now available
If you missed Datadog Detect, our first technical event covering modern detection engineering topics, the recording is now available. It includes talks from Rich Mogull (FireMon), Wade Wells (1Password), and Haider Dost (Snowflake).
BSides San Francisco recordings
BSides San Francisco hosted many great talks during its 2025 annual edition. Don't miss our very own Kennedy Toomey sharing how she's disappointed—not mad—with traditional AppSec tooling.