Back from KubeCon Europe, and we're still thinking about Lumin Nights. ✨ An evening of great food, music, and even better conversations with some of the sharpest minds in cloud-native security. This was exactly the kind of night that reminds us why this community is so special. We're still riding the high from this one. Thank you TrueFullstaq for the partnership! #KubeConEU
Sysdig
Computer and Network Security
San Francisco, California 61,102 followers
The leader in real-time cloud security
About us
Good-enough security isn’t good enough. Sysdig helps security and development teams prevent, detect, and respond to cloud threats instantly. Founded by Falco and Wireshark creators and built on agentic AI, Sysdig delivers real-time defense grounded in the uncompromising truth of runtime. With streaming views of what’s running, Sysdig correlates signals across workloads, identities, and services to expose hidden attack paths and active risk, enabling teams to tailor defenses together. No guesswork. No black boxes. Just cloud security, the right way.
- Website: https://www.sysdig.com/
- Industry: Computer and Network Security
- Company size: 501-1,000 employees
- Headquarters: San Francisco, California
- Type: Privately Held
- Founded: 2013
- Specialties: DevOps, Kubernetes, Containers, Security, Cybersecurity, Compliance, Vulnerability Management, Image Scanning, Threat Prevention, cloud security, container security, CSPM, CWPP, CDR, Cloud detection and response, CNAPP, and cloud native application protection
Products
Sysdig
Cloud Workload Protection Platforms
Sysdig is the industry-leading cloud-native application protection platform (CNAPP), delivering the breadth of coverage and depth of insights required to protect cloud environments. Sysdig consolidates cloud security into a single platform that enables security and DevOps teams to focus on the most critical risks across their cloud infrastructure, spanning containers, cloud services, servers, identities, and third-party apps. Sysdig seamlessly combines agentless with agent-based deployments to provide comprehensive visibility, preventing attacks and detecting and responding to threats with cloud speed. Cloud Attack Graph, the neural center of Sysdig’s CNAPP, correlates assets, activity, and risks across domains and uncovers hidden attack paths. By leveraging runtime insights and the power of open source Falco, Sysdig delivers the context needed to instantly prioritize and mitigate active risks in the cloud.
Updates
-
Podcast 🤝 runtime security 🤝 our CISO Sergej Epp Yeahhhh … we’re totally into this! Big thanks to Cloud Security Podcast for having him on!
Sergej Epp ran a hackathon inside his security team at Sysdig. Not to build product. To find out what his own team could do with AI if nobody said no. The use cases that came out surprised him. His argument: security teams keep waiting for a vendor to solve the AI problem for them. The teams that will win are the ones experimenting internally right now, building their own feedback loops, their own automation, their own version of YOLO mode for defence. The question isn't what AI can do for security in theory. It's what your team would build if you gave them a day to try. Follow Cloud Security Podcast for weekly conversations with the practitioners on the frontline of this. #cloudsecurity #CISO #cybersecurity
-
Attacks are moving faster than most teams can respond. As disclosure-to-exploitation windows collapse, supply chains weaken, and AI introduces new blind spots, risk is accelerating fast.
On April 9, join Sysdig Threat Research expert Crystal Morin and CISO in Residence Conor Sherman for a live breakdown of what’s actually impacting risk right now:
→ How fast attackers are operationalizing new vulnerabilities
→ What recent supply chain attacks reveal about “trusted” tools
→ Where AI is quietly expanding your attack surface
Security dominated the headlines in March. Come get the context behind the news and what to do next. Bring your questions. Leave with answers you can act on.
The Future of Threats: The April Security Briefing
-
🚨 No PoC. No CVE. STILL exploited in under 10 hours. 🚨
A critical flaw in the marimo OSS Python notebook platform was disclosed on April 8. Less than 10 hours later, an attacker was already stealing credentials.
👀 What the Sysdig Threat Research Team observed:
➝ Unauthenticated RCE via a single WebSocket endpoint (/terminal/ws)
➝ Direct interactive shell access, no payload crafting needed
➝ Exploit built purely from advisory details
➝ First exploitation attempt observed within 9h 41m of advisory publication
⏱️ How the attack happened:
➝ Initial connection to validate access (scripted PoC markers)
➝ Rapid shift to hands-on keyboard exploration
➝ Immediate targeting of sensitive files (.env)
➝ Credential exfiltration within 3 minutes
➝ Follow-up session to revalidate and recheck access
💥 Why this matters:
➝ Attackers are watching advisories beyond just the high-profile targets
➝ Advisory transparency = attacker acceleration
➝ No CVE ≠ No risk
➝ Interactive access drastically speeds up post-exploitation
🛡️ What to do:
➝ Upgrade marimo to ≥ 0.23.0 immediately
➝ Rotate any credentials stored in .env or environment variables
➝ Do not expose notebook platforms directly to the internet without an authentication layer
➝ Restrict or disable terminal WebSocket access
➝ Monitor for unexpected connections to /terminal/ws
🎯 The takeaway: We’re watching exploitation timelines collapse in real time. This mirrors recent cases (like Langflow) but more than 2x faster. Attackers aren’t waiting for PoCs anymore. They’re reading advisories and building exploits on the fly.
Full breakdown >>> https://okt.to/WdRzxp #ThreatResearch
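One way to act on the "monitor for unexpected connections to /terminal/ws" recommendation in the post above, as an added example that is not Sysdig's or marimo's code: it scans reverse-proxy access logs for requests to that path and marks the ones that come from outside a trusted network. The combined log format, the 10.0.0.0/8 allowlist and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: an nginx/Apache "combined" access log from a proxy in front of marimo.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
TERMINAL_PATH = "/terminal/ws"  # endpoint named in the post
# Assumption: networks that are allowed to reach the notebook terminal.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is treated as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def find_terminal_ws_hits(lines):
    """Return one finding per logged request to the terminal WebSocket path."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Drop the query string and a trailing slash before comparing paths.
        path = m["target"].split("?", 1)[0].rstrip("/")
        if path != TERMINAL_PATH:
            continue
        findings.append({
            "src": m["src"],
            "time": m["ts"],
            "established": int(m["status"]) == 101,  # 101 = upgrade accepted
            "unexpected": not is_trusted(m["src"]),
        })
    return findings


# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '10.1.2.3 - - [01/Jan/2026:10:00:00 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [01/Jan/2026:10:05:12 +0000] "GET /terminal/ws?s=1 HTTP/1.1" 101 0 "-" "-"',
    '203.0.113.45 - - [01/Jan/2026:10:05:40 +0000] "GET /api/status HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [01/Jan/2026:11:00:01 +0000] "GET /terminal/ws/ HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_terminal_ws_hits(SAMPLE_LOG):
        print(hit)
```

A finding with both `unexpected` and `established` set is the one to triage first, since the upgrade was accepted for a source outside the allowlist.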
-
It’s not just about new threats — it’s about how fast they turn into real risk. ☁️ In some cases, the gap between disclosure and exploitation is measured in hours, not days. 🎙️ Tomorrow at 10:00 AM CDT, @Crystal Morin and @Conor Sherman break down what’s actually changing your risk right now — from rapidly exploited vulnerabilities to supply chain attacks and emerging AI-driven exposure. This isn’t a recap of headlines. It’s a look at what they mean for security teams in practice. Save your seat: https://okt.to/iyx0Vg #ThreatResearch #LinkedInLive
-
📣 The Sysdig MCP server is now available in AWS Marketplace, making it easier to connect Sysdig runtime insights with AI-powered workflows through Amazon Bedrock. 📣
With the Sysdig MCP server, teams can:
🔹 Give AI agents real-time runtime security context
🔹 Accelerate investigations with natural language queries
🔹 Automate remediation workflows with human oversight
🔹 Bring security insights directly into CI/CD pipelines
By connecting AI agents with real-time security data, teams can move beyond dashboards and start building context-aware security automation.
Read the article: https://lnkd.in/gS3tbERw #AISecurity
-
Seeing risk isn’t the same as stopping it. 👀⚡
For years, cloud security has focused on visibility: misconfigurations, vulnerabilities, and exposed assets. That foundation still matters. But attackers don’t wait for the next scan. They move in minutes. This is where visibility breaks down.
Without runtime context, teams can’t answer the questions that matter most:
🔹 What actually happened?
🔹 What’s at risk right now?
🔹 What action should we take next?
Cloud security is shifting from visibility to action — because risk becomes real at runtime.
Read the article: https://okt.to/Gmlw82 #RuntimeSecurity
-
March highlighted a hard truth: Exploitation is accelerating. Attack surfaces are expanding. And trusted tools are becoming entry points.
Join us for our upcoming LinkedIn Live as Crystal Morin and Conor Sherman break down the biggest security stories from the month — from breached agents and AI-powered attacks to high-impact vulnerabilities and real-world exploitation.
We’ll cover:
🔹 The AI issues that dominated March
🔹 The vulnerabilities and attack activity security teams can’t ignore
🔹 What these trends mean for defenders right now
📅 April 9, 2026 🕙 10:00 a.m. CDT
Save your spot: https://okt.to/IEVvXN #CloudSecurity #AI #ThreatResearch #LinkedInLive
-
What a week at KubeCon Europe! We felt a shift in how teams are thinking about cloud security. ☁️
This year’s conversations pointed to 3 big changes:
🔹 Kubernetes is becoming a distributed OS for AI
🔹 Teams are actively prioritizing runtime security
🔹 Preventive controls alone aren’t enough to stop modern threats
From AI-driven risk to workload visibility, security teams are looking for ways to see what’s happening in real time and respond faster.
Check out our highlights from KubeCon! 🎥⚡ #KubeCon
-
EtherRAT marked a shift from opportunistic exploitation to long-term, stealthy access. This implant goes far beyond cryptomining and credential theft — designed to stay hidden, maintain access, and blend into normal activity. The result: a resilient, hard-to-detect implant built for sustained access 📈 — not quick wins. In this session, Crystal Morin and Michael Clark from the Sysdig Threat Research Team discuss how EtherRAT works, what makes its tradecraft unique, and what defenders need to watch for — from blockchain-based C2 resolution to fileless-style execution and aggressive persistence. 🎥 Watch the on-demand webinar to see how it operates and how to detect it in your environment: https://okt.to/B89i1f #CloudSecurity #ThreatResearch