Sysdig Threat Research

Discovering the latest attacks and providing defensive measures to keep organizations safe

Detecting and mitigating CVE-2024-12084: rsync remote code execution

The Sysdig Threat Research Team (TRT) has discovered CVE-2025-32955, a now-patched vulnerability in Harden-Runner, one of the most popular GitHub Action CI/CD security tools. Exploiting this vulnerability allows an attacker to bypass Harden-Runner’s disable-sudo security mechanism, effectively evading detection within the continuous integration/continuous delivery (CI/CD) pipeline under certain conditions. To mitigate this risk, users are strongly advised to update to the latest version.


tj-actions/changed-files with Falco Actions

A compromise (CVE-2025-30066) was discovered in the popular GitHub Action tj-actions/changed-files on March 14, 2025. It impacted tens of thousands of repositories that use this action to track file changes. This blog will explain how Falco Actions can easily be integrated into your workflows to help detect this CI/CD attack and provide in-depth visibility.


Detecting and Mitigating IngressNightmare – CVE-2025-1974

On Monday, March 24, 2025, a set of critical vulnerabilities affecting the admission controller component of the Ingress NGINX Controller for Kubernetes was announced. In total, five vulnerabilities were announced; the most severe, CVE-2025-1974 (CVSS 9.8), may result in remote code execution (RCE). Exploitation of this vulnerability can be detected with Sysdig Secure or the Falco rule provided in this article.


The 2025 Cloud-Native Security and Usage Report

Discover key insights and trends in real-world cloud security and usage — and see how enterprises are advancing their defenses.

Latest threats

EMERALDWHALE: 15k Cloud credentials stolen in operation targeting exposed Git config files
Miguel Hernández | 7.16.2025 | Threat Research

CRYSTALRAY: Inside the Operations of a Rising Threat Actor Exploiting OSS Tools
Miguel Hernández | 7.16.2025 | Cloud Security, Threat Research

LLMjacking: Stolen Cloud Credentials Used in New AI Attack
Alessandro Brucato | 7.16.2025 | Cloud Security, Threat Research

Latest blogs

A smarter, safer cloud in the age of AI
Crystal Morin | 7.25.2025 | Cloud Security, Threat Research

Analysis on Docker Hub malicious images: Attacks through public container images
Stefano Chierici | 7.21.2025 | Cloud Security, Kubernetes & Container Security, Sysdig Features, Threat Research

Bedrock Slip: Sysdig TRT Discovers CloudTrail Logging Missteps
Alessandro Brucato | 7.21.2025 | Threat Research

Led by the industry’s most elite threat researchers

15+ novel threats discovered (since 2022)
500+ detection rules created
75+ reports published

Library

Browse all resources

2024 Global Cloud Threat Report (Report; cloud security, threat research)

2023 Global Cloud Threat Report (Report; cloud security, threat research)

2025 Cloud-Native Security and Usage Report (Report; cloud security, threat research)

2024 Cloud-Native Security and Usage Report (Report; cloud security, threat research)

About the team

The Sysdig Threat Research Team (TRT) is a group of highly skilled security experts dispersed across the globe, with experience in governmental, commercial, and academic arenas. Their expertise includes offensive and defensive security operations, computer network operations, malware analysis, and beyond.

The team is well-known for introducing the 10-minute timeframe for cloud attacks, setting the 555 Benchmark for Cloud Threat Detection and Response, and uncovering novel threats like SCARLETEEL.
