https://securitylabs.datadoghq.com/rss/feed.xml https://securitylabs.datadoghq.com Datadog Security Labs is the place to read blog content about security research and tooling published by Datadog for the community. 2026-04-16T00:00:00Z https://securitylabs.datadoghq.com/articles/dependency-cooldowns/ 2026-04-16T00:00:00Z Understanding npm and the importance of dependency cooldowns. https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerabilities-cve-2020-8562/ 2026-04-09T00:00:00Z A look at how Kubernetes CVE-2020-8562 allows attackers to bypass API server proxy protections using DNS rebinding https://securitylabs.datadoghq.com/articles/axios-npm-supply-chain-compromise/ 2026-03-31T00:00:00Z An attacker hijacked an axios maintainer's npm account to publish malicious releases that deliver a cross-platform RAT. https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerabilities-cve-2020-8561/ 2026-03-27T00:00:00Z A look at how Kubernetes CVE-2020-8561 works https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/ 2026-03-24T00:00:00Z On March 24 and 27, 2026, malicious PyPI releases of LiteLLM and Telnyx were published as part of the TeamPCP supply chain campaign. We trace the full campaign from Trivy through npm, Checkmarx, and into PyPI. https://securitylabs.datadoghq.com/articles/copilot-studio-logging-gaps/ 2026-03-10T00:00:00Z During research, we sometimes encounter scenarios that remind us that it's a good idea to trust but verify. In September 2025, we noticed that certain Microsoft Copilot Studio agent settings did not log certain administrative actions related to sharing, authentication, logging, and publication of Copilot Studio agents. https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-campaign/ 2026-03-09T00:00:00Z Datadog Security Research identified an active adversary-in-the-middle (AiTM) phishing campaign targeting AWS Console credentials via typosquatted domains that mimic AWS infrastructure. https://securitylabs.datadoghq.com/articles/hook-line-vault-a-deep-dive-into-1phish/ 2026-02-27T00:00:00Z We analyze the evolution of the 1Phish phishing kit from a basic credential harvester into an MFA-aware, multi-stage phishing kit targeting 1Password users. https://securitylabs.datadoghq.com/articles/kubernetes-ingress-nginx-retirement-warning/ 2026-02-19T00:00:00Z The Kubernetes project is urging organizations to migrate away from Ingress NGINX before its retirement in March 2026, with new high-severity CVEs underscoring the urgency. https://securitylabs.datadoghq.com/articles/tech-impersonators-clickfix-and-macos-infostealers/ 2026-02-10T00:00:00Z Datadog identified an active campaign employing fake GitHub repositories impersonating software companies and leveraging the ClickFix initial access technique to deliver macOS infostealers. https://securitylabs.datadoghq.com/articles/web-traffic-hijacking-nginx-configuration-malicious/ 2026-02-04T00:00:00Z Datadog Security Research has identified an active web traffic hijacking campaign that targets NGINX installations and management panels like Baota (BT). In this post, we provide our analysis of the techniques this campaign uses and share indicators of compromise you can check for in your NGINX configurations. https://securitylabs.datadoghq.com/articles/openssl-january-2026-security-update-cms-and-pkcs12-buffer-overflows/ 2026-01-27T00:00:00Z A deep dive into OpenSSL’s January 2026 CMS and PKCS#12 vulnerabilities, including a pre-auth stack overflow and a PKCS#12 parsing bug. https://securitylabs.datadoghq.com/articles/ide-shepherd-release-article/ 2026-01-26T00:00:00Z IDE-SHEPHERD is an open-source IDE security extension that provides real-time monitoring and protection for VS Code and Cursor. It intercepts malicious process executions, monitors network activity, and blocks dangerous workspace tasks before they can compromise your development environment. https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerabilities-cve-2020-8554/ 2026-01-14T00:00:00Z A look at how Kubernetes CVE-2020-8554 works https://securitylabs.datadoghq.com/articles/decoding-the-recommendations-for-npm-maintainers/ 2026-01-07T00:00:00Z This blog post explores the rationale and implementation behind GitHub's security recommendations for npm maintainers following numerous high-profile supply-chain incidents. It details how hardening publishing infrastructure through trusted publishing, enforced two-factor authentication, and WebAuthn-based protocols can meaningfully increase the resilience of the ecosystem. https://securitylabs.datadoghq.com/articles/introducing-pathfinding.cloud/ 2025-12-17T00:00:00Z Introducing Pathfinding.cloud, a library of AWS IAM privilege escalation paths https://securitylabs.datadoghq.com/articles/investigating-an-aitm-phishing-campaign-m365-okta/ 2025-12-10T00:00:00Z In this post, we investigate a recent phishing campaign that targets Microsoft 365 users. https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-server-components/ 2025-12-04T00:00:00Z Learn more about the CVE-2025-55182 vulnerability affecting React Server Components and affecting Next.js. https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/ 2025-11-25T00:00:00Z Learn more about the Shai-Hulud 2.0 npm worm. https://securitylabs.datadoghq.com/articles/why-datadog-is-a-cloud-security-leader/ 2025-11-20T00:00:00Z A recap of Datadog's awards from the 2025 Latio Cloud Security Market Report https://securitylabs.datadoghq.com/articles/a-2025-look-at-real-world-kubernetes-adoption/ 2025-11-10T00:00:00Z A 2025 look at real-world Kubernetes version adoption https://securitylabs.datadoghq.com/articles/mut-4831-trojanized-npm-packages-vidar/ 2025-11-06T00:00:00Z Analysis of a threat actor campaign targeting Windows users with Vidar infostealer malware via malicious npm packages https://securitylabs.datadoghq.com/articles/supply-chain-attacks-runtime-security-detection/ 2025-11-05T00:00:00Z Detecting software supply chain attacks through runtime security. https://securitylabs.datadoghq.com/articles/2025-q3-threat-roundup/ 2025-10-31T00:00:00Z Threat insights from Datadog Security Labs for Q3 2025. https://securitylabs.datadoghq.com/articles/learnings-from-recent-npm-compromises/ 2025-10-30T00:00:00Z A look at recent npm supply chain compromises and how we can learn from them to better prepare for future incidents. https://securitylabs.datadoghq.com/articles/cophish-using-microsoft-copilot-studio-as-a-wrapper/ 2025-10-20T00:00:00Z Copilot Studio links look benign, but they can host content to redirect users to arbitrary URLs. In this post, we document a method by which a Copilot Studio agent's login settings can redirect a user to any URL, including an OAuth consent attack. https://securitylabs.datadoghq.com/articles/claude-mcp-cve-2025-52882/ 2025-08-26T00:00:00Z A critical vulnerability in older versions of the Claude Code for Visual Studio Code (VS Code) and other IDE extensions allowed malicious websites to connect to unauthenticated local WebSocket servers, potentially enabling remote command execution https://securitylabs.datadoghq.com/articles/mcp-vulnerability-case-study-SQL-injection-in-the-postgresql-mcp-server/ 2025-08-21T00:00:00Z Learn how vulnerability in Anthropic's reference Postgres MCP server allowed us to bypass the read-only restriction and execute arbitrary SQL statements. https://securitylabs.datadoghq.com/articles/enumerating-aws-the-quiet-way-cloudtrail-free-discovery-with-resource-explorer/ 2025-08-19T00:00:00Z Discover how attackers could quietly enumerate AWS resources via Resource Explorer, and how Datadog and AWS worked together to close the visibility gap. https://securitylabs.datadoghq.com/articles/2025-q2-threat-roundup/ 2025-08-14T00:00:00Z Threat insights from Datadog Security Labs for Q2 2025.