Malicious Maven packages, SSRFs strike again, and stealing cloud credentials from web applications

Welcome to the March 2025 edition of the Datadog Security Digest!
This month’s digest has a little bit of everything—cloud threats, supply chain attacks, and a reminder that yes, attackers are still exploiting SSRFs. We’re looking at password spraying disguised as Microsoft traffic, GitHub Actions getting compromised, and JavaGhost making itself at home in cloud environments. Plus, if you’re heading to KubeCon Europe, there’s plenty of security content to check out. Let’s get into it!
This newsletter was curated by a human, not an LLM. Your human of the month is Christophe Tafani-Dereeper.
Cloud security
'JavaGhost' threat actor leverages compromised cloud environments to run phishing attacks
JavaGhost is a threat actor targeting cloud environments that we've reported on in the past. Unit42 now highlights additional activity observed during recent engagements. This includes leveraging Amazon SES and WorkMail to launch phishing attacks, creating IAM users, attempting to disassociate AWS accounts from their AWS Organizations, and enabling new AWS regions.
Password-spraying Entra ID tenants through the Microsoft IP range
Account takeover in Entra ID / Microsoft 365 remains one of the most prevalent security threats organizations face. Security researcher Matan Bahar demonstrates how attackers can disguise password-spraying attacks by leveraging Microsoft’s IP space. Because these authentication attempts originate from trusted infrastructure, they are far more likely to bypass scrutiny from security engineers. While this behavior is "by design," it serves as an important reminder not to rely solely on IP reputation for threat detection.
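As a worked illustration of that reminder, here is a small detection routine that flags a spray pattern from sign-in records purely on behaviour (many distinct accounts, one or two failed attempts each, one source, short window) and never consults who owns the source IP. This is an added example, not code from the digest or from Matan Bahar's research; the records are constructed and their field names (time, user, ip, result) are an assumed simplified schema rather than the exact Entra ID sign-in log format.

```python
"""Detect password spraying from sign-in logs without consulting IP reputation.

Added example, not from the digest or from Matan Bahar's research. The log
records below are constructed, and their field names (time, user, ip, result)
are an assumed simplified schema, not the exact Entra ID sign-in log format.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.10 fails once against six different accounts
# in under two minutes (a spray); 198.51.100.7 is one user mistyping a password.
SIGN_IN_LOGS = [
    {"time": "2025-03-10T09:00:05Z", "user": "alice@example.com", "ip": "203.0.113.10", "result": "failure"},
    {"time": "2025-03-10T09:00:20Z", "user": "bob@example.com",   "ip": "203.0.113.10", "result": "failure"},
    {"time": "2025-03-10T09:00:41Z", "user": "carol@example.com", "ip": "203.0.113.10", "result": "failure"},
    {"time": "2025-03-10T09:01:02Z", "user": "dave@example.com",  "ip": "203.0.113.10", "result": "failure"},
    {"time": "2025-03-10T09:01:30Z", "user": "erin@example.com",  "ip": "203.0.113.10", "result": "failure"},
    {"time": "2025-03-10T09:01:55Z", "user": "frank@example.com", "ip": "203.0.113.10", "result": "failure"},
    {"time": "2025-03-10T09:05:00Z", "user": "bob@example.com",   "ip": "198.51.100.7", "result": "failure"},
    {"time": "2025-03-10T09:05:10Z", "user": "bob@example.com",   "ip": "198.51.100.7", "result": "failure"},
    {"time": "2025-03-10T09:05:30Z", "user": "bob@example.com",   "ip": "198.51.100.7", "result": "failure"},
    {"time": "2025-03-10T09:06:00Z", "user": "bob@example.com",   "ip": "198.51.100.7", "result": "success"},
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def detect_password_spray(logs, window=timedelta(minutes=10), min_users=5, max_attempts_per_user=2):
    """Return one finding per source IP that shows a spray pattern.

    A spray is many distinct accounts, few failed attempts each, from one
    source within a short window. The logic never looks at who owns the IP,
    so a spray routed through a "trusted" range is flagged like any other.
    Each finding is (ip, distinct_users, window_start_timestamp).
    """
    failures = defaultdict(list)
    for rec in logs:
        if rec["result"] == "failure":
            failures[rec["ip"]].append((datetime.strptime(rec["time"], TS_FORMAT), rec["user"]))

    findings = []
    for ip, events in failures.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span is at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in events[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_attempts_per_user:
                if best is None or len(per_user) > best[1]:
                    best = (ip, len(per_user), events[start][0].strftime(TS_FORMAT))
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for ip, users, since in detect_password_spray(SIGN_IN_LOGS):
        print(f"possible password spray from {ip}: {users} accounts targeted since {since}")
```

The single-user burst from 198.51.100.7 is deliberately not reported: it is a brute force or a forgetful user, and a separate rule (failures per account) covers it. Thresholds are parameters so they can be tuned to a tenant's baseline.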
Stratus Red Team now has a MITRE ATT&CK coverage matrix
Stratus Red Team now includes a visual representation of its coverage across MITRE ATT&CK tactics for all six supported platforms. This helps you test your detections across several stages of an attack's lifecycle. Thank you to Anthony Mendonca for this valuable contribution!
AWS Security Digest
If you're working heavily with AWS, the AWS Security Digest is a great resource to keep up to date with the latest security research and AWS API changes. It's also run by Daniel Grzelak, who's one of the first people on Earth to give a talk on cloud security research back in 2016!
Supply-chain security
Compromised GitHub actions affecting thousands of repositories
A widely used GitHub Action, tj-actions/changed-files, was compromised and modified to inject malicious code. This code extracts credentials from running pipelines and exposes them in the pipeline output. Security researcher Rami McCarthy later discovered that additional compromised actions include several published by reviewdog, and that the campaign was ultimately attempting to compromise a Coinbase repository. To help identify if your repositories are affected, here’s a GitHub search to check for any use of these compromised actions between March 11 and March 18.
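For repositories that are not on GitHub.com, or that you would rather check locally, the following script does the equivalent of that search over workflow files: it lists every `uses:` reference to tj-actions/changed-files or to any action published by reviewdog, and records whether the reference is pinned to a full commit SHA or to a mutable tag. It is an added example, not code from the digest, from GitHub, or from Rami McCarthy's research; the sample workflow is constructed, and the script does not know which versions were actually compromised, so every hit needs review against the March 11 to 18 timeframe.

```python
"""Scan GitHub Actions workflow files for uses of the actions named in the digest.

Added example, not from the digest, from GitHub, or from Rami McCarthy's research.
The workflow below is constructed. The scanner lists every reference to the
named action and to anything published by the named owner, and notes whether
the reference is pinned to a full commit SHA rather than a mutable tag.
"""
import os
import re

# Constructed workflow that references both flagged actions.
SAMPLE_WORKFLOW = """\
name: CI
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - name: lint
        uses: reviewdog/action-setup@v1
      - uses: docker://alpine:3.19
"""

# From the digest: the named action, plus every action published by reviewdog.
FLAGGED_ACTIONS = {"tj-actions/changed-files"}
FLAGGED_OWNERS = {"reviewdog"}

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*[\"']?([^\s\"'#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_flagged_uses(workflow_text):
    """Return a finding for each `uses:` line that references a flagged action."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if "@" not in ref or ref.startswith(("docker://", "./")):
            continue  # container images and local actions are out of scope here
        path, version = ref.rsplit("@", 1)
        parts = path.split("/")
        if len(parts) < 2:
            continue
        owner, action = parts[0], "/".join(parts[:2])
        if action in FLAGGED_ACTIONS or owner in FLAGGED_OWNERS:
            findings.append({
                "line": lineno,
                "action": action,
                "version": version,
                "pinned_to_sha": bool(SHA_RE.match(version)),
            })
    return findings


def scan_repository(root):
    """Walk .github/workflows under `root` and collect findings per workflow file."""
    results = {}
    workflows_dir = os.path.join(root, ".github", "workflows")
    if not os.path.isdir(workflows_dir):
        return results
    for name in sorted(os.listdir(workflows_dir)):
        if name.endswith((".yml", ".yaml")):
            path = os.path.join(workflows_dir, name)
            with open(path, encoding="utf-8") as fh:
                hits = find_flagged_uses(fh.read())
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    for hit in find_flagged_uses(SAMPLE_WORKFLOW):
        pin = "SHA-pinned" if hit["pinned_to_sha"] else "mutable tag"
        print(f"line {hit['line']}: {hit['action']}@{hit['version']} ({pin})")
```

The SHA check is there because a tag such as `v45` can be moved to point at new code, which is exactly what makes this class of compromise effective; a 40-character commit SHA cannot be silently retargeted.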
Maven has malicious packages, too!
We're used to seeing hundreds of malicious npm and PyPI packages every week. It's less common to see such artifacts on Maven, Java's package ecosystem. However, Socket's Kush Pandya uncovered a malicious OAuth library that typosquats and mimics the functionality of a legitimate one. The malicious code only activates on the 15th day of each month, exfiltrating valid credentials to the attacker.
Application security
Critical vulnerability in the Kubernetes Ingress NGINX Controller
On March 24, researchers disclosed a set of five vulnerabilities, collectively known as "IngressNightmare," affecting ingress-nginx and allowing for remote code execution and privilege escalation. If you're using this highly popular component, make sure to upgrade it to a patched version! We wrote down the TL;DR about these vulnerabilities, how to remediate them, and detection opportunities.
12k exposed secrets in publicly accessible LLM training data
Common Crawl is an open repository of web crawl data that's often leveraged to train Large Language Models (LLMs). TruffleHog's Joe Leon scanned it and found over 12k valid API keys and passwords, including AWS access keys, Mailchimp API keys, and Slack webhooks. This highlights that without proper safeguards, LLMs tend to reproduce widespread bad security practices such as hardcoding API keys and using long-lived credentials, as demonstrated by recent research [1][2][3].
OIDC deployments leaking private keys
OpenID Connect (OIDC) deployments publish their public keys at a URL (jwks_uri) referenced in the .well-known/openid-configuration discovery document. However, Hanno Böck discovered that dozens of deployments also expose their private keys there. This misconfiguration allows attackers to generate valid authentication tokens for the affected OIDC provider, effectively bypassing authentication.
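A simple way to audit your own provider for this misconfiguration is to follow the discovery document to its jwks_uri and look for JWK members that only belong in a private key (the RSA CRT parameters, the EC or OKP private scalar, or a raw symmetric `k`). The checker below does that; it is an added example, not code from the digest or from Hanno Böck's research. The discovery document and key set are constructed with placeholder values, and the `fetch` callable is an assumed hook so the check runs offline (in practice it would be an HTTPS GET returning parsed JSON).

```python
"""Check whether an OIDC provider's published JWKS contains private key material.

Added example, not from the digest or from Hanno Böck's research. The
discovery document and JWKS below are constructed with placeholder key
values; the `fetch` callable is an assumed hook so the check runs offline
(in practice it would perform an HTTPS GET and return the parsed JSON).
"""

# JWK members that must never appear in a published key set (RFC 7517/7518/8037):
# RSA private parameters, the EC/OKP private scalar, and raw symmetric secrets.
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
    "oct": {"k"},
}

# Constructed documents. Key values are placeholders, not real key material.
ISSUER = "https://idp.example.test"
FAKE_RESPONSES = {
    ISSUER + "/.well-known/openid-configuration": {
        "issuer": ISSUER,
        "jwks_uri": ISSUER + "/keys",
    },
    ISSUER + "/keys": {
        "keys": [
            {"kty": "RSA", "kid": "signing-2025", "use": "sig", "n": "placeholder-n", "e": "AQAB"},
            {"kty": "RSA", "kid": "leaky-rsa", "use": "sig", "n": "placeholder-n", "e": "AQAB",
             "d": "placeholder-d", "p": "placeholder-p", "q": "placeholder-q"},
            {"kty": "EC", "kid": "leaky-ec", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y",
             "d": "placeholder-d"},
        ]
    },
}


def fake_fetch(url):
    """Offline stand-in for an HTTPS GET that returns parsed JSON (assumed hook)."""
    return FAKE_RESPONSES[url]


def find_private_material(jwks):
    """Return [(kid, sorted leaked member names)] for every key carrying private parts."""
    leaks = []
    for key in jwks.get("keys", []):
        forbidden = PRIVATE_MEMBERS.get(key.get("kty"), set())
        leaked = sorted(m for m in forbidden if m in key)
        if leaked:
            leaks.append((key.get("kid", "<no kid>"), leaked))
    return leaks


def check_oidc_provider(issuer, fetch=fake_fetch):
    """Follow the discovery document to jwks_uri and report leaked private members."""
    discovery = fetch(issuer.rstrip("/") + "/.well-known/openid-configuration")
    jwks_uri = discovery.get("jwks_uri")
    if not jwks_uri:
        raise ValueError("discovery document has no jwks_uri")
    return find_private_material(fetch(jwks_uri))


if __name__ == "__main__":
    for kid, members in check_oidc_provider(ISSUER):
        print(f"key {kid!r} exposes private members: {', '.join(members)}")
```

Any hit means the affected key must be rotated, not just removed from the endpoint, since anyone who fetched the key set while it was exposed could have kept a copy.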
Exploitation of SSRF vulnerabilities on the rise
The term Server-Side Request Forgery (SSRF) was coined over 25 years ago, in a publication in Phrack magazine. Since then, SSRF has remained a major cause of cloud data breaches and even earned its own category in the OWASP Top 10 in 2021. GreyNoise recently reported a sharp increase, since March 9, in attackers exploiting known SSRF vulnerabilities in software like GitLab, Zimbra, and VMware vCenter. This serves as a reminder that remote code execution vulnerabilities aren't the only high-impact attack vector, and that SSRFs can be just as damaging.
Threat detection and incident response
Measuring success in threat detection
How can you know if your threat detection program is effective, or whether it's improving over time? Drawing on Datadog's internal threat detection team experience, Mallory Mooney walks through several valuable metrics—including mean time to detect, mean time to acknowledge, and mean time to resolve—and how to implement SLOs around them.
Key log sources for responding to cloud incidents
Incident response teams often respond to incidents where the logs needed to investigate aren't available. Invictus Incident Response's Korstiaan Stam outlines the key log sources to enable in Azure, Entra ID, Google Cloud, and AWS. Each log source contributes to the overall picture, making it crucial to centralize and index them for efficient querying. A word of caution: avoid indiscriminately enabling noisy event sources like CloudTrail data events. Instead, prioritize logging for your most critical assets and assess whether tracking reads or writes is more valuable. For example, an S3 bucket storing release artifacts is best suited for write data events, which are typically far less noisy than read events.
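To make the S3 example concrete, here are the two CloudTrail advanced event selectors side by side (the noisy "all S3 data events" one and the scoped "writes to the artifacts bucket only" one) together with a small matcher that shows which of three constructed events each selector would record. This is an added example, not code from the digest or from the Invictus post: the selectors use CloudTrail's advanced event selector fields (eventCategory, resources.type, resources.ARN, readOnly), the bucket name and events are constructed, and the matcher is a simplified model of how a selector is applied, not AWS's implementation.

```python
"""Scope CloudTrail S3 data events to writes on one bucket, and compare what each selector captures.

Added example, not from the digest or from Invictus IR's post. The selectors
follow CloudTrail's advanced event selector format (eventCategory,
resources.type, resources.ARN, readOnly); the bucket name and the sample
events are constructed. The matcher below is a simplified model of how
CloudTrail applies a selector, written for illustration, not AWS's code.
"""

ARTIFACTS_BUCKET = "example-release-artifacts"  # constructed bucket name

# Noisy: every S3 object read and write in every bucket becomes a billed, indexed event.
ALL_S3_DATA_EVENTS = {
    "Name": "All S3 data events",
    "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
    ],
}

# Scoped: only writes (readOnly = false) to objects in the release-artifacts bucket.
ARTIFACT_WRITES_ONLY = {
    "Name": "Writes to release artifacts",
    "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
        {"Field": "readOnly", "Equals": ["false"]},
        {"Field": "resources.ARN", "StartsWith": [f"arn:aws:s3:::{ARTIFACTS_BUCKET}/"]},
    ],
}

# Constructed events, reduced to the fields a selector can inspect.
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "eventCategory": "Data", "resources.type": "AWS::S3::Object",
     "readOnly": "true", "resources.ARN": f"arn:aws:s3:::{ARTIFACTS_BUCKET}/app-1.2.3.tgz"},
    {"eventName": "PutObject", "eventCategory": "Data", "resources.type": "AWS::S3::Object",
     "readOnly": "false", "resources.ARN": f"arn:aws:s3:::{ARTIFACTS_BUCKET}/app-1.2.4.tgz"},
    {"eventName": "PutObject", "eventCategory": "Data", "resources.type": "AWS::S3::Object",
     "readOnly": "false", "resources.ARN": "arn:aws:s3:::example-web-logs/2025/03/10.log"},
]

# Operators supported by advanced event selectors; values in a list are OR-ed.
OPERATORS = {
    "Equals": lambda v, want: v == want,
    "NotEquals": lambda v, want: v != want,
    "StartsWith": lambda v, want: v.startswith(want),
    "NotStartsWith": lambda v, want: not v.startswith(want),
    "EndsWith": lambda v, want: v.endswith(want),
    "NotEndsWith": lambda v, want: not v.endswith(want),
}


def field_selector_matches(field_selector, event):
    """A field selector matches when the event value satisfies any listed value of its operator."""
    value = event.get(field_selector["Field"], "")
    for op, fn in OPERATORS.items():
        if op in field_selector:
            return any(fn(value, want) for want in field_selector[op])
    return False


def selector_matches(selector, event):
    """An advanced event selector matches only if every one of its field selectors matches."""
    return all(field_selector_matches(fs, event) for fs in selector["FieldSelectors"])


def captured_event_names(selector, events):
    """Return the names of the events a selector would record, in input order."""
    return [e["eventName"] for e in events if selector_matches(selector, e)]


if __name__ == "__main__":
    for selector in (ALL_S3_DATA_EVENTS, ARTIFACT_WRITES_ONLY):
        print(f"{selector['Name']}: {captured_event_names(selector, SAMPLE_EVENTS)}")
```

The scoped selector keeps the event that matters for an artifact-tampering investigation (the write to the release bucket) and drops both the high-volume reads and the unrelated bucket, which is the trade-off the post recommends.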
Community events and talks
At Insomni'hack 2025 in Lausanne 🇨🇭, Christophe Tafani-Dereeper showcased techniques for exploiting application-level vulnerabilities to steal cloud credentials of workloads running in various cloud services. Rory McCune also shared several techniques attackers can use to persist in a compromised Kubernetes cluster.
Meanwhile, across the Atlantic: at SunSecCon, Kennedy Toomey explored how open source detection rules can benefit attackers (slides). At SCALE 22x, she drew parallels between defense-in-depth strategies and American football tactics (recording, slides).
If you're attending KubeCon Europe (April 1-4), don't miss "Hacking Up a Storm With Kubernetes" by Rory and Marion McCune and Ian Smart—an interactive, hands-on session on attacking Kubernetes clusters.
Find the Security Labs team at RSA
Datadog Security Labs researchers are leading four main stage sessions at RSA. We're also hosting several informal happy hours at the event where our researchers will be present.