Autonomous offensive security agents, impactful application flaws, and fwd:cloudsec videos
Welcome to the June 2026 edition of the Datadog Security Digest!
This month's edition covers two cases where researchers created intentionally vulnerable cloud environments and unleashed autonomous, offensive security agents on them. Like many of us, the researchers are trying to understand the degree to which agentic capabilities are going to change the offensive and defensive security landscape. We've also included two writeups on impactful application security bugs that were affecting large sites (Instagram and GitHub), and we've included a link to the fwd:cloudsec North America 2026 talk playlist. We hope you enjoy this latest digest!
This newsletter was created by a real person, not a machine. Your curator of the month is Seth Art.
Introducing GuardDog 3.0: A new rules engine, transparent sandboxing, and more
GuardDog is Datadog's open source project for identifying malicious software packages, and it just got a big update! Version 3.0 now evaluates all heuristics for a given package together and assigns each scanned package a maliciousness score based on a weighted scoring system, rather than reporting each heuristic match in isolation. There are many other big changes that make this new version worth checking out, including a sandbox layer that is now enabled by default and a new YARA rules processing engine.
Cloud security
Entra Agent ID: Inside a cross-tenant agent compromise
Datadog's own Katie Knowles has been busy this month! In the first post in a new series, Katie explains how the Entra Agent identity model works: Agent ID blueprints resemble Entra applications in many ways, but there are some key differences that you want to know about. In the second post, Katie demonstrates what would happen if the publisher of a blueprint that you use to create agents were to become compromised. Simply stated: You would also be compromised.
Incident Response in Kubernetes (AKS)
The team at Invictus has published the third and final installment in their series on incident response in Kubernetes. The first two posts focused on AWS (EKS) and Google Cloud (GKE), and this third post is all about Azure and AKS. The post covers the logging defaults in AKS and the IR tradeoffs between AKS Automatic and standard clusters. The team also created an open source tool called KubeForenSys for situations where you need to start an investigation in an environment where none of the helpful logging options have been enabled.
Mapping Every Privilege Escalation Path in AWS AgentCore
Sergio Garcia from BeyondTrust Phantom Labs has published multiple AWS IAM privilege escalation paths within the Bedrock AgentCore service, along with a proof-of-concept demonstration for each attack. This research should serve as a reminder: We all need to apply the principle of least privilege when assigning IAM roles to our agentic workloads, including those that live within a managed service like Bedrock AgentCore.
AI security
Mapping AI-enabled cyber threats: Insights from the LLM ATT&CK Navigator
The red team at Anthropic published a report summarizing the types of attacks they saw after analyzing 832 accounts associated with malicious cyber activity between March 2025 and March 2026. The report shows that, just like us law-abiding citizens, attackers are using AI to become more efficient. And also like us, attackers who are building better agentic scaffolding are going to be even more efficient and effective than those who do not. This type of public report is extremely helpful to defenders everywhere. Here's one takeaway from the article that resonates with us: "It is clear that defenders will need to use AI with the same sophistication and urgency as attackers."
Can AI Attack the Cloud?
Yahav Festinger and Chen Doytshman from Unit 42 created a multi-agent penetration testing PoC and let it run against an intentionally vulnerable Google Cloud environment. They wanted to see for themselves how well an agentic system could do against such an environment. They mapped out how they designed the system to operate and some of the outcomes. They were impressed with the speed and creativity of the agents, but they also noted that the agents sometimes got stuck in rabbit holes (much like human penetration testers do).
Canaries against autonomous AI attackers
The team at Tracebit also created an autonomous offensive security AI agent and ran it against an intentionally vulnerable cloud range, this time in AWS. They set out to understand how their deception canaries work against autonomous agents. Do the agents trip the canaries? Can they still be used as early warning systems? They determined that the answer is yes in both cases, even when the models were warned that deception might be present. The post below and the related research report are both really interesting.
Application security
Hackers Used Meta's AI Support Bot to Seize Instagram Accounts
In another case of "same old AppSec vulnerabilities, just in new technologies," we have multiple reports that attackers gained access to thousands of high-profile Instagram accounts by exploiting missing email validation controls in the AI chatbot system used to report abuse. All the attacker needed to do was use a VPN to make their IP address appear geographically close to the victim, and then ask the chatbot to send the new password to an email address that the attacker controls. The chatbot never checked that the requested destination matched the address on file for the account. Meta has fixed this issue, but it should serve as a reminder to all of us: We can do amazing things with agents, but we can't forget about foundational application security principles.
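To make the flaw class concrete, here is an added example (constructed for this digest, not Meta's code or anything taken from the reports) of a password-reset handler that trusts a caller-supplied destination address, beside a hardened version that only ever delivers to the address on record. The account table, the outbox and the function names are assumptions for illustration.

```python
"""Constructed illustration of the 'send the reset to whatever address the caller
names' flaw beside its hardened form. Not Meta's code; the account table and the
outbox are in-memory stand-ins so the example runs offline."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample accounts: username -> email address on file.
ACCOUNTS = {
    "victim": "victim@example.com",
    "attacker": "attacker@example.net",
}


@dataclass
class Outbox:
    """Records (recipient, token) pairs instead of sending real mail."""
    sent: list = field(default_factory=list)

    def send(self, recipient: str, token: str) -> None:
        self.sent.append((recipient, token))


def vulnerable_reset(username: str, destination_email: str, outbox: Outbox) -> bool:
    """Support-bot style handler: trusts the destination supplied in the request.
    Anyone who can name an account can have its reset token mailed anywhere."""
    if username not in ACCOUNTS:
        return False
    token = secrets.token_urlsafe(32)
    outbox.send(destination_email, token)  # BUG: unvalidated, caller-controlled recipient
    return True


def hardened_reset(username: str, destination_email: str, outbox: Outbox) -> bool:
    """Delivers only to the address on file. The caller-supplied address is
    normalised and compared against the record (constant-time compare on the
    encoded bytes) but is never used as the recipient. An unknown username and
    a mismatched address both return False, so the response does not reveal
    which usernames exist."""
    on_file = ACCOUNTS.get(username)
    supplied = destination_email.strip().lower().encode()
    if on_file is None or not hmac.compare_digest(on_file.lower().encode(), supplied):
        return False
    token = secrets.token_urlsafe(32)
    outbox.send(on_file, token)  # recipient always comes from the account record
    return True


if __name__ == "__main__":
    ob = Outbox()
    vulnerable_reset("victim", "attacker@example.net", ob)
    print("vulnerable handler delivered to:", ob.sent[0][0])
    ob = Outbox()
    print("hardened handler accepted attacker address:",
          hardened_reset("victim", "attacker@example.net", ob), ob.sent)
```

The point the hardened version makes is that the destination of a credential-bearing message is never an input to the request: the request can at most prove it knows the address already on file, and the message goes to that record regardless of what the caller typed.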
From single pull requests to full software packages: Detecting malicious code at scale
In October 2025, we first wrote about BewAIre, the tool we've created and have been using internally to analyze pull requests for maliciousness. This month, the team published a new post that walks through how BewAIre evolved from an LLM-based pull request reviewer into a system for scanning dependency packages and upstream registries. They describe the two-phase approach they used to decrease cost and increase detection accuracy, and how they were able to make the switch to scanning entire packages.
1-Click GitHub Token Stealing via a VSCode Bug
Ammar Askar found a way to exploit users of github.dev, the browser-based VS Code environment GitHub opens for repositories. If a user simply opens a specially crafted GitHub.dev link while logged in to GitHub, the attacker can access an OAuth token scoped to the victim's GitHub account. This token was not limited to the single repository being opened; it could access other repositories the user had access to, including private ones. One novel component within this attack is that the exploit chain uses web-based shortcuts to install a malicious extension.
Community events and talks
Video recordings for fwd:cloudsec North America are available
The fwd:cloudsec North America conference took place in Bellview, Oregon, on June 1 and June 2. I (Seth) gave a talk called "Discovering New AWS Privilege Escalation Paths with an AI-Driven Workflow." One of the most unique and most talked-about talks, and one of my personal favorites, was "Stop Building Custom Agent Identity," co-presented by Sarah Cecchetti and Sarah's AI agent Clawdrey Hepburn. As always, there were many amazing talks, and you can find them all on the YouTube playlist linked below.
State of DevSecOps Livestream
On July 8, Datadog's Kennedy Toomey and Daniel Maher will be joined by Ashish Kurmi from StepSecurity and Ryan Henrich from RapDev to discuss the findings published in our State of DevSecOps report earlier this year.
