Malicious AI skills, compromised npm packages, and 100+ intentionally vulnerable AWS environments
Welcome to the May 2026 edition of the Datadog Security Digest!
This month has a variety of content with a number of supply-chain attacks (including some chain reactions), an exciting Datadog open source release, and some great community content coming up at fwd:cloudsec and USENIX Security. As always, thank you for reading, and feel free to reply to this email for questions and feedback!
This newsletter was created by a real person, not a machine. Your curator this month is Christophe Tafani-Dereeper.
Pathfinding Labs: Deploy, test, and learn from 100+ intentionally vulnerable AWS environments
There's a quote I like from Louis Pasteur, a famous French scientist: "Without laboratories, men of science are soldiers without arms". I've always been a strong proponent of reproducible labs for learning how to build and break technologies, and the cloud is no exception. A few days ago, Seth Art released Pathfinding Labs, a set of 100+ Terraform-based labs with intentionally vulnerable AWS environments ready for you to experiment with!
If you're attending fwd:cloudsec North America this week in Bellevue, WA (or plugging in to the free livestream), Seth is presenting the research behind it: Discovering New AWS Privilege Escalation Paths with an AI-Driven Workflow.
Cloud & container security
CISA leak
A CISA contractor leaked a GitHub repository containing privileged AWS access keys for 3 CISA GovCloud accounts, stored in a file named "Important AWS Tokens.txt". Despite the six-month exposure window passing seemingly unnoticed, CISA reassuringly shared there was "no indication that any sensitive data was compromised". The repository got taken down quickly, but the keys remained valid for 48 more hours. This story illustrates the danger of long-lived static cloud credentials and reinforces that eliminating them should be a top priority for every cloud security team. GovCloud provides security, isolation, and compliance guarantees, but leaked credentials remain usable by anyone on the internet who targets the appropriate AWS endpoint.
Kubernetes security fundamentals: Secrets
Datadog's own Rory McCune shares the latest of his Kubernetes security fundamental series about secrets. Did you know that the seemingly harmless list secrets permission actually grants full read access to all your secrets?
AI security
Malicious Coding Agent Skills and the Risk of Dynamic Context
It's always interesting to hear an attacker's perspective on AI security, and Nick Frichette definitely has that mindset. He and Ryan Simon describe several ways to abuse coding agents using malicious skills. The key point: a skill can execute commands before Claude even sees it, using the "!command" syntax. It's only a matter of time before attackers exploit this (if it hasn't happened already).
Abusing managed Claude hooks to gain remote code execution
Speaking of red teamers messing with AI, Benedikt Haussner shared an impressive write-up on an attack vector targeting organizations not yet using Claude. The attacker creates a Team in the Claude console, invites their target into it, then gains RCE by configuring malicious managed Claude hooks that execute automatically on the target's machine.
Supply chain security
A hands-on supply chain security guide
You might have heard that supply chain security is somewhat of a concern for most engineering teams. In 2025 and 2026, many popular npm and PyPI packages were compromised, some used to spread worms. The Bugscale team put together a hands-on guide to securing your software supply chain, built around a prioritization framework and technical controls for Node.js, Python, Go, and Java. They're eager for contributions, so have a look, play with it, and share your ideas!
(Even) more backdoored packages
When I started investigating malicious packages back in 2023, they were somewhat hard to find, and compromised popular npm/PyPI packages were close to unheard of. In 2026, documented cases flourish every week, often fueled by massive credential harvesting campaigns targeting developers and maintainers (such as Shai-Hulud or the Axios compromise).
This month was no exception. Several packages were compromised and backdoored in various ways: node-ipc, Cemu, and hundreds of others in two different waves (first, second) of an npm worm dubbed "Mini Shai-Hulud".
The node-ipc case is particularly interesting as it uses DNS TXT queries for data exfiltration.
GitHub compromised by a malicious VSCode extension
A GitHub employee installed a poisoned VSCode extension, leading to the exfiltration of 3,800 internal GitHub repositories. It appears this originated from the Nx Console extension, whose developer was compromised in the Tanstack supply-chain attack. GitHub released a statement titled "Investigating unauthorized access to GitHub-owned repositories", since renamed to "Investigation update: GitHub Enterprise Server signing key rotation".
Community events and talks
fwd:cloudsec North America is around the corner!
fwd:cloudsec is the first vendor-neutral cloud security conference for practitioners, and its seventh edition is taking place June 1-2, 2026. The best thing? It's livestreamed for free! My personal top picks: "What Building an AI Worm Taught Us About Stopping One", "Context-Aware Authorization for Agentic Tool Calls", and "Data Perimeters: Beyond the Marketing".
USENIX Security 2026 papers are out
USENIX Security is a sweet mix of academia and industry research. Most people in academia know it, while many industry practitioners don't. Papers are open access, and there are always some gems. My personal favorite this year is "PrivacyShield: Relaying BLE Beacons to Counter Unsolicited Tracking", which describes how devices like Apple AirTags work and ways to abuse them, in an accessible way.