https://securitylabs.datadoghq.com/rss/feed.xml https://securitylabs.datadoghq.com Datadog Security Labs is the place to read blog content about security research and tooling published by Datadog for the community. 2026-06-02T00:00:00Z https://securitylabs.datadoghq.com/articles/case-for-github-actions-security/ 2026-06-02T00:00:00Z GitHub Actions workflows are vulnerable to pwn requests, script injection, and compromised credentials. Here's what's going wrong and what's changing. https://securitylabs.datadoghq.com/articles/cve-2026-31431-copy-fail-exploit-detection-with-agents/ 2026-05-28T00:00:00Z CVE-2026-31431 (Copy Fail) lets any unprivileged user corrupt the Linux page cache via AF_ALG sockets to escalate privileges. This post covers the exploit mechanics and how Datadog Security Research used coding agents to ship a detection content pack in a single session. https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerabilities-cve-2021-25740/ 2026-05-21T00:00:00Z A look at how Kubernetes CVE-2021-25740 allows users with EndpointSlice access to redirect traffic via shared ingress and load balancer services. https://securitylabs.datadoghq.com/articles/introducing-pathfinding-labs/ 2026-05-18T00:00:00Z Introducing Pathfinding Labs, a collection of intentionally vulnerable AWS environments for red teamers and blue teamers to deploy, exploit, and use for detection validation. https://securitylabs.datadoghq.com/articles/node-ipc-npm-malware-analysis/ 2026-05-14T00:00:00Z An analysis of backdoored node-ipc npm releases that add an obfuscated credential collection and DNS exfiltration payload to the CommonJS entrypoint. https://securitylabs.datadoghq.com/articles/backdoored-cemu-release-teampcp-supply-chain-campaign/ 2026-05-14T00:00:00Z We investigate how a coordinated supply chain campaign that compromised npm and PyPI packages also backdoored the official Cemu Nintendo Wii U emulator GitHub release, reaching nearly 20,000 Linux users. https://securitylabs.datadoghq.com/articles/shai-hulud-open-source-framework-static-analysis/ 2026-05-13T00:00:00Z A static analysis of the open-sourced Shai-Hulud offensive framework attributed to TeamPCP, covering its credential harvesting, supply chain poisoning, and exfiltration capabilities. https://securitylabs.datadoghq.com/articles/malicious-skills-supply-chain-risks-in-coding-agents-with-dynamic-context/ 2026-05-11T00:00:00Z Learn how malicious Claude Code skills can abuse dynamic context commands to execute before model-level prompt injection defenses can intervene. https://securitylabs.datadoghq.com/articles/kubernetes-security-fundamentals-part-8/ 2026-05-08T00:00:00Z A look at how to secure Kubernetes secrets https://securitylabs.datadoghq.com/articles/dependency-cooldowns/ 2026-04-16T00:00:00Z Understanding npm and the importance of dependency cooldowns. https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerabilities-cve-2020-8562/ 2026-04-09T00:00:00Z A look at how Kubernetes CVE-2020-8562 allows attackers to bypass API server proxy protections using DNS rebinding https://securitylabs.datadoghq.com/articles/axios-npm-supply-chain-compromise/ 2026-03-31T00:00:00Z An attacker hijacked an axios maintainer's npm account to publish malicious releases that deliver a cross-platform RAT. https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerabilities-cve-2020-8561/ 2026-03-27T00:00:00Z A look at how Kubernetes CVE-2020-8561 works https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/ 2026-03-24T00:00:00Z On March 24 and 27, 2026, malicious PyPI releases of LiteLLM and Telnyx were published as part of the TeamPCP supply chain campaign. We trace the full campaign from Trivy through npm, Checkmarx, and into PyPI. https://securitylabs.datadoghq.com/articles/copilot-studio-logging-gaps/ 2026-03-10T00:00:00Z During research, we sometimes encounter scenarios that remind us that it's a good idea to trust but verify. In September 2025, we noticed that certain Microsoft Copilot Studio agent settings did not log certain administrative actions related to sharing, authentication, logging, and publication of Copilot Studio agents. https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-campaign/ 2026-03-09T00:00:00Z Datadog Security Research identified an active adversary-in-the-middle (AiTM) phishing campaign targeting AWS Console credentials via typosquatted domains that mimic AWS infrastructure. https://securitylabs.datadoghq.com/articles/hook-line-vault-a-deep-dive-into-1phish/ 2026-02-27T00:00:00Z We analyze the evolution of the 1Phish phishing kit from a basic credential harvester into an MFA-aware, multi-stage phishing kit targeting 1Password users. https://securitylabs.datadoghq.com/articles/kubernetes-ingress-nginx-retirement-warning/ 2026-02-19T00:00:00Z The Kubernetes project is urging organizations to migrate away from Ingress NGINX before its retirement in March 2026, with new high-severity CVEs underscoring the urgency. https://securitylabs.datadoghq.com/articles/tech-impersonators-clickfix-and-macos-infostealers/ 2026-02-10T00:00:00Z Datadog identified an active campaign employing fake GitHub repositories impersonating software companies and leveraging the ClickFix initial access technique to deliver macOS infostealers. https://securitylabs.datadoghq.com/articles/web-traffic-hijacking-nginx-configuration-malicious/ 2026-02-04T00:00:00Z Datadog Security Research has identified an active web traffic hijacking campaign that targets NGINX installations and management panels like Baota (BT). In this post, we provide our analysis of the techniques this campaign uses and share indicators of compromise you can check for in your NGINX configurations. https://securitylabs.datadoghq.com/articles/openssl-january-2026-security-update-cms-and-pkcs12-buffer-overflows/ 2026-01-27T00:00:00Z A deep dive into OpenSSL’s January 2026 CMS and PKCS#12 vulnerabilities, including a pre-auth stack overflow and a PKCS#12 parsing bug. https://securitylabs.datadoghq.com/articles/ide-shepherd-release-article/ 2026-01-26T00:00:00Z IDE-SHEPHERD is an open-source IDE security extension that provides real-time monitoring and protection for VS Code and Cursor. It intercepts malicious process executions, monitors network activity, and blocks dangerous workspace tasks before they can compromise your development environment. https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerabilities-cve-2020-8554/ 2026-01-14T00:00:00Z A look at how Kubernetes CVE-2020-8554 works https://securitylabs.datadoghq.com/articles/decoding-the-recommendations-for-npm-maintainers/ 2026-01-07T00:00:00Z This blog post explores the rationale and implementation behind GitHub's security recommendations for npm maintainers following numerous high-profile supply-chain incidents. It details how hardening publishing infrastructure through trusted publishing, enforced two-factor authentication, and WebAuthn-based protocols can meaningfully increase the resilience of the ecosystem. https://securitylabs.datadoghq.com/articles/introducing-pathfinding.cloud/ 2025-12-17T00:00:00Z Introducing Pathfinding.cloud, a library of AWS IAM privilege escalation paths https://securitylabs.datadoghq.com/articles/investigating-an-aitm-phishing-campaign-m365-okta/ 2025-12-10T00:00:00Z In this post, we investigate a recent phishing campaign that targets Microsoft 365 users. https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-server-components/ 2025-12-04T00:00:00Z Learn more about the CVE-2025-55182 vulnerability affecting React Server Components and affecting Next.js. https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/ 2025-11-25T00:00:00Z Learn more about the Shai-Hulud 2.0 npm worm. https://securitylabs.datadoghq.com/articles/why-datadog-is-a-cloud-security-leader/ 2025-11-20T00:00:00Z A recap of Datadog's awards from the 2025 Latio Cloud Security Market Report https://securitylabs.datadoghq.com/articles/a-2025-look-at-real-world-kubernetes-adoption/ 2025-11-10T00:00:00Z A 2025 look at real-world Kubernetes version adoption