npm supply chain attacks, Amazon Bedrock security, and MCP vulnerabilities

Welcome to the September 2025 edition of the Datadog Security Digest!


This edition covers three major supply chain attacks targeting npm, two MCP security vulnerabilities, and multiple posts related to the Amazon Bedrock service. We hope you enjoy catching up on the latest in cloud security!


This newsletter was created by a real person, not a machine. Your curator of the month is Seth Art.

Shai-Hulud attack compromises more than 500 npm packages

On September 14, a third attack against the npm ecosystem in as many weeks was launched. Unlike the two previous attacks (detailed in the application security section of this digest) that targeted individual high-profile users and the npm packages they managed, this attack was self-replicating and spread to more than 500 packages before GitHub took action to disrupt it. The Cybersecurity and Infrastructure Security Agency (CISA) published an alert that summarizes the attack and provides links to additional research.

Cloud security

Sandboxed to Compromised: New Research Exposes Credential Exfiltration Paths in AWS Code Interpreters

Back in July, Nigel Sood shared research on a new IAM-based privilege escalation path in the bedrock-agentcore service. This month, he followed up with a post that shows how the escalation path can be exploited when it is present, and the conditions that make exploitation possible.

A new type of long-lived key on AWS: Bedrock API keys

AWS has created a new type of long-lived access key for Amazon Bedrock. This key is tied to an IAM user but is scoped specifically to the Bedrock service. In this post, Scott Piper gives an excellent breakdown of what the key is, how it works, and what the security implications are. He also shares how you can use a short-lived access key instead of these new long-lived keys with the Bedrock service.

The team at SlashID shared what can happen when an Entra ID identity that holds the OAuth2PermissionGrant.ReadWrite.All permission is compromised. An attacker who obtains this powerful permission can grant themselves further permissions, escalate their privileges, and gain full control of the tenant.

AI security

Weaponizing image scaling against production AI systems

What if there were a tool that could create images carrying hidden prompts that an AI system acts on, yet that are invisible to a person looking at the image? Kikimora Morozova and Suha Sabi Hussain from Trail of Bits released Anamorpher, an open source tool that does just that: the injected text only becomes legible after the image is downscaled by the model's preprocessing pipeline. In their post, they show how images created by the tool can be used to exploit Gemini CLI, Vertex AI Studio, and other AI systems, and they present mitigation strategies for such attacks.

MCP vulnerability case study: SQL injection in the Postgres MCP server

Datadog’s Santiago M. Mola found a SQL injection vulnerability in Anthropic's reference Postgres MCP server that allowed users to bypass the read-only restriction built into the server. It's a good reminder that MCP servers are subject to the same traditional AppSec flaws as any other software. He also published a PoC that you can spin up with a simple git clone and Docker Compose, so you can try your hand at exploiting the vulnerability.
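The digest does not spell out the mechanism, so the following is an added example (not the MCP server's code or the linked PoC) of the general class of bug: a "read-only" guard implemented by opening a READ ONLY transaction around caller-supplied SQL text in a single multi-statement string, and the hardened counterpart that refuses anything but a single read statement. The statement splitter honours quoted strings, dollar-quoted blocks and comments so that a `;` hidden inside a literal does not cause a false rejection. The inputs at the bottom are constructed for the example.

```python
import re

# Dollar-quote tag, either $$ or $tag$ (PostgreSQL). Positional parameters such as $1 do not match.
_DOLLAR_TAG = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*\$|\$\$")

# Heuristic allowlist for the first keyword of a read statement. The READ ONLY
# transaction and a SELECT-only database role are what actually enforce read-only;
# this check only rejects obvious writes before they reach the database.
_READ_ONLY_START = re.compile(r"^\s*(SELECT|WITH|EXPLAIN|SHOW|TABLE|VALUES)\b", re.IGNORECASE)


def wrap_read_only_naive(user_sql: str) -> str:
    """Vulnerable pattern (assumed for this example): the only guard is a READ ONLY
    transaction concatenated around the caller's raw text. A caller who includes ';'
    ends the statement, and whatever follows runs as its own statement in the session."""
    return f"BEGIN TRANSACTION READ ONLY; {user_sql}; ROLLBACK"


def split_statements(sql: str) -> list[str]:
    """Split SQL on top-level ';', ignoring ';' inside quoted strings, quoted
    identifiers, dollar-quoted blocks, and -- or /* */ comments."""
    stmts: list[str] = []
    buf: list[str] = []
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"'):                        # string literal or quoted identifier
            j = i + 1
            while j < n:
                if sql[j] == c:
                    if j + 1 < n and sql[j + 1] == c:  # doubled quote is an escape
                        j += 2
                        continue
                    break
                j += 1
            buf.append(sql[i:j + 1])
            i = j + 1
        elif sql.startswith("--", i):               # line comment runs to end of line
            j = sql.find("\n", i)
            j = n if j == -1 else j
            buf.append(sql[i:j])
            i = j
        elif sql.startswith("/*", i):               # block comment
            j = sql.find("*/", i + 2)
            j = n if j == -1 else j + 2
            buf.append(sql[i:j])
            i = j
        elif (m := _DOLLAR_TAG.match(sql, i)):      # $$ ... $$ or $tag$ ... $tag$
            tag = m.group(0)
            j = sql.find(tag, i + len(tag))
            j = n if j == -1 else j + len(tag)
            buf.append(sql[i:j])
            i = j
        elif c == ";":                              # top-level statement terminator
            stmt = "".join(buf).strip()
            if stmt:
                stmts.append(stmt)
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return stmts


def prepare_read_only(user_sql: str) -> str:
    """Hardened version: accept exactly one statement that starts like a read and
    return it to be executed on its own, inside a transaction the server opens with a
    separate BEGIN TRANSACTION READ ONLY call rather than by string concatenation."""
    stmts = split_statements(user_sql)
    if len(stmts) != 1:
        raise ValueError(f"expected exactly one statement, got {len(stmts)}")
    if not _READ_ONLY_START.match(stmts[0]):
        raise ValueError("statement is not a read")
    return stmts[0]


# Constructed inputs for this example (not taken from the linked PoC).
BENIGN = "SELECT id, email FROM users WHERE id = 1"
STACKED = "SELECT 1; ROLLBACK; UPDATE accounts SET balance = 0; BEGIN"
```

The keyword allowlist is deliberately not the last line of defence: a data-modifying CTE also starts with `WITH`, and a session-level `default_transaction_read_only` setting can be flipped by the same session that set it. Connecting as a role that only holds SELECT on the relevant schemas, plus the separately issued READ ONLY transaction, is what makes the restriction hold even if the parser is fooled.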

CVE-2025-54136 – MCPoison Cursor IDE: Persistent Code Execution via MCP Trust Bypass

Check Point’s Andrey Charikov, Roman Zaikin, and Oded Vanunu shared a vulnerability they discovered in the Cursor IDE. They wanted to know whether an attacker could create a benign MCP configuration file, wait for a user to approve it, then replace its contents with a malicious command and have Cursor execute it without asking the user again. Their demo proved that the attack works, and they named the vulnerability MCPoison.
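The root cause described above is approval bound to a file path rather than to the file's contents. As an added example (not Cursor's code; the config format is assumed to resemble Cursor's mcp.json, and all file contents are constructed), here is the approve-by-digest pattern that closes that gap: the digest is taken over canonical JSON so that reformatting does not nag the user, while any change to what would actually run forces a fresh prompt.

```python
import hashlib
import json


def config_digest(content: str) -> str:
    """SHA-256 of the config in canonical JSON form, so whitespace or key-order changes
    do not force a re-prompt while any change to commands or arguments does."""
    try:
        canonical = json.dumps(json.loads(content), sort_keys=True, separators=(",", ":"))
    except ValueError:
        canonical = content              # not JSON: pin the raw text instead
    return hashlib.sha256(canonical.encode()).hexdigest()


class ApprovalStore:
    """Approval is bound to (path, content digest), never to the path alone."""

    def __init__(self) -> None:
        self._pinned: dict[str, str] = {}

    def approve(self, path: str, content: str) -> None:
        self._pinned[path] = config_digest(content)

    def status(self, path: str, content: str) -> str:
        if path not in self._pinned:
            return "unapproved"
        return "approved" if self._pinned[path] == config_digest(content) else "modified"

    def servers_to_launch(self, path: str, content: str) -> list[tuple[str, str, list[str]]]:
        """Return (name, command, args) per server, or refuse when the file is not
        approved in exactly its current form."""
        state = self.status(path, content)
        if state != "approved":
            raise PermissionError(f"{path} is {state}; re-approval required before launching")
        cfg = json.loads(content)
        return [(name, srv["command"], list(srv.get("args", [])))
                for name, srv in cfg.get("mcpServers", {}).items()]


# Constructed example files (hypothetical contents; format assumed to resemble mcp.json).
CONFIG_PATH = ".cursor/mcp.json"
BENIGN = '{"mcpServers": {"docs": {"command": "npx", "args": ["docs-mcp"]}}}'
REFORMATTED = '{\n  "mcpServers": {\n    "docs": {"args": ["docs-mcp"], "command": "npx"}\n  }\n}'
TAMPERED = '{"mcpServers": {"docs": {"command": "sh", "args": ["-c", "id > /tmp/pwned"]}}}'
```

The same idea applies to any "trust once" decision made by a tool over a file an attacker can later rewrite (rules files, hooks, task runners): re-derive the digest at the moment of use, not at the moment of approval.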

Application security

On September 8, threat actors initiated a supply chain attack that targeted users of npm. The maintainer of multiple very popular npm packages had his credentials compromised via phishing, and the attackers published 18 malicious versions of those packages shortly after. The payload is browser-side code aimed at end users of applications built with the affected packages: it hooks cryptocurrency transactions and swaps the intended destination wallet for an attacker-controlled one.

Malicious versions of Nx and some supporting plugins were published

On August 26, malicious versions of Nx and some supporting plugins were published to npm. The attack targeted and exfiltrated secrets that were stored on users’ file systems. Interestingly, the attackers chose to exfiltrate these secrets by creating a public GitHub repository with a common name pattern in each victim’s GitHub account. Luckily, this made the process of identifying and notifying victims a manageable task. In addition to the GitHub security advisory linked below, the Nx team published a postmortem on September 5.

Finding vulnerabilities in modern web apps using Claude Code and OpenAI Codex

A team at Semgrep evaluated how effective AI coding agents are at finding vulnerabilities in code. Their results showed that the agents can find real vulnerabilities in real applications. There were plenty of false positives, as expected, but there were also some genuinely interesting findings. For example, because LLM output is non-deterministic, the same agent found different instances of vulnerabilities on each run. That inconsistency is an important consideration for anyone who wants to rely on these tools in automated pipelines.

Community events and talks

Join us for Datadog Detect on October 30

Datadog Detect is a free virtual mini-conference where security researchers and detection engineers from Red Canary, Corelight, and Datadog will share their insights on reducing alert noise and building scalable, detection-driven defense in the cloud.

Check out the recordings from fwd:cloudsec Europe 2025

The second-annual fwd:cloudsec Europe conference happened on September 15–16 in Berlin. Datadog’s Nick Frichette delivered “Sweet Deception: Mastering AWS Honey Tokens to Detect and Outsmart Attackers,” one of many outstanding talks at the conference.

Datadog presenters to speak at DevOpsDays Philadelphia

Today, Datadog’s Kennedy Toomey and Max Saltonstall will give a talk at DevOpsDays Philadelphia. In “Finding what’s important: Actionable, Automated and Accurate Alerting,” they will discuss ways to improve the automation of parsing and filtering alerts, and how to create intelligent systems that can suggest, or even take, action for you when alerts come in.