Sysdig

Computer and Network Security

San Francisco, California 61,213 followers

The leader in real-time cloud security

About us

Good-enough security isn’t good enough. Sysdig helps security and development teams prevent, detect, and respond to cloud threats instantly. Founded by Falco and Wireshark creators and built on agentic AI, Sysdig delivers real-time defense grounded in the uncompromising truth of runtime. With streaming views of what’s running, Sysdig correlates signals across workloads, identities, and services to expose hidden attack paths and active risk, enabling teams to tailor defenses together. No guesswork. No black boxes. Just cloud security, the right way.

Website: https://www.sysdig.com/
Industry: Computer and Network Security
Company size: 501-1,000 employees
Headquarters: San Francisco, California
Type: Privately Held
Founded: 2013
Specialties: DevOps, Kubernetes, Containers, Security, Cybersecurity, Compliance, Vulnerability Management, Image Scanning, Threat Prevention, cloud security, container security, CSPM, CWPP, CDR, Cloud detection and response, CNAPP, and cloud native application protection

Updates

  • Sysdig

    Posture gives you a strong starting point. ☁️ Runtime shows you what’s actually at risk. In fast-moving cloud environments, you need both, but only one tells you what’s happening in real time.

    Your Blueprint to Runtime Security, the Right Way breaks down the 3️⃣ pillars of modern cloud defense:

    1. Full-stack visibility, from kernel to cloud
    2. Resilience built for scale
    3. Actionable detection and response

    Together, they turn insight into action. 🔗 https://okt.to/HwcG2y #RuntimeSecurity

  • Sysdig

    📣 It’s heeere! The Sysdig 2026 Cloud-Native Security and Usage Report just dropped. 🔥

    And one of the biggest takeaways? The human-only era of security is over. Not because people aren’t good at security, but because the cloud has gotten way too fast.

    For years, the security playbook has been: add more tools, add more dashboards, add more processes. 🙃 That’s not how you win anymore.

    The data shows:

    → Security is moving to machine speed. The best teams are automating detection and response instead of adding headcount.
    → AI is already in your cloud. AI and ML packages are becoming part of the default stack.
    → Runtime is where the signal is. 70%+ of orgs are already there and automation is accelerating.
    → Identity is exploding. Humans are a small slice and still one of the weakest links.

    The teams pulling ahead aren't doing more. They are building systems that can keep up.

    ↳ Dig into the data from the Sysdig Threat Research Team >>>: https://okt.to/XAEikm

  • Sysdig

    🚨 CVE-2026-39987 progressed from advisory to exploitation in under 10 hours, and then from exploitation to malware deployment within days. 🚨

    The marimo RCE is now being used to deliver a previously undocumented NKAbuse variant via HuggingFace Spaces.

    👀 What the Sysdig Threat Research Team observed:
    ➝ 662 exploit events from April 11–14 across 10 countries
    ➝ Credential harvesting from environment variables and .env files
    ➝ Multiple reverse shell attempts across ports and techniques
    ➝ Lateral movement into PostgreSQL and Redis using leaked credentials
    ➝ NKAbuse malware deployed via a typosquatted HuggingFace Space

    ⏱️ How the attack happened:
    ➝ RCE used to gain shell access
    ➝ Credential extraction from environment variables and .env files
    ➝ Reverse shell attempts followed by pivot to databases
    ➝ PostgreSQL and Redis accessed using stolen credentials
    ➝ Malware delivered via remote script execution

    💥 Why this matters:
    ➝ Exploitation progressed from access to malware within days
    ➝ AI/ML environments are being actively targeted
    ➝ Trusted platforms like HuggingFace are used for payload hosting
    ➝ A single compromised service can expose broader infrastructure

    🛡️ What to do:
    ➝ Upgrade marimo to ≥ 0.23.0
    ➝ Rotate exposed credentials
    ➝ Hunt for ~/.kagent/ and persistence artifacts
    ➝ Monitor for reverse shells and credential access

    🎯 Takeaway: A single exposed AI/ML service can quickly lead to credential theft, lateral movement, and malware deployment, making behavioral detection and credential hygiene critical.

    ↳ https://okt.to/4UtxzY

  • Sysdig

    AI can help cloud security teams move faster, but only if it helps them understand what matters and what to do next. 🚀

    Our latest article breaks down how teams can use AI to manage cloud security threats by:
    🔹 Summarizing threats in plain language
    🔹 Connecting related events into incident-level context
    🔹 Showing who and what is impacted
    🔹 Guiding response with actionable next steps

    Because faster threat management starts with better context, not more alerts.

    Read the article: https://okt.to/Qa3gfY #AISecurity #CloudSecurity

    • How to use AI to manage cloud security threats
  • Sysdig

    We’ve officially hit the limits of human-scaled security. What comes next moves at machine speed. 🗓️ The Sysdig 2026 Cloud-Native Security and Usage Report drops April 16.

  • Sysdig

    What keeps cloud apps running at scale? ☁️ In this video, Kat Zivkovic breaks down what Kubernetes is and why it matters for modern applications.

    In under a minute, you’ll learn:
    🔹 What Kubernetes is
    🔹 How it manages containers automatically
    🔹 The key building blocks, including clusters, nodes, pods, and the control plane

    If you’ve ever needed a simpler way to explain Kubernetes, this is a great place to start.

    Watch the full video 👉 https://okt.to/LWOU2D #Kubernetes

  • Sysdig

    Back from KubeCon Europe, and we're still thinking about Lumin Nights. ✨ An evening of great food, music, and even better conversations with some of the sharpest minds in cloud-native security. This was exactly the kind of night that reminds us why this community is so special. We're still riding the high from this one. Thank you TrueFullstaq for the partnership! #KubeConEU

  • Sysdig

    Podcast 🤝 runtime security 🤝 our CISO Sergej Epp Yeahhhh … we’re totally into this! Big thanks to Cloud Security Podcast for having him on!

    Cloud Security Podcast

    14,681 followers

    Sergej Epp ran a hackathon inside his security team at Sysdig. Not to build product. To find out what his own team could do with AI if nobody said no. The use cases that came out surprised him. His argument: security teams keep waiting for a vendor to solve the AI problem for them. The teams that will win are the ones experimenting internally right now, building their own feedback loops, their own automation, their own version of YOLO mode for defence. The question isn't what AI can do for security in theory. It's what your team would build if you gave them a day to try. Follow Cloud Security Podcast for weekly conversations with the practitioners on the frontline of this. #cloudsecurity #CISO #cybersecurity

  • Sysdig

    Attacks are moving faster than most teams can respond. As disclosure-to-exploitation windows collapse, supply chains weaken, and AI introduces new blind spots, risk is accelerating fast.

    On April 9, join Sysdig Threat Research expert Crystal Morin and CISO in Residence Conor Sherman for a live breakdown of what’s actually impacting risk right now:
    → How fast attackers are operationalizing new vulnerabilities
    → What recent supply chain attacks reveal about “trusted” tools
    → Where AI is quietly expanding your attack surface

    Security dominated the headlines in March. Come get the context behind the news and what to do next. Bring your questions. Leave with answers you can act on.

    The Future of Threats: The April Security Briefing

  • Sysdig

    🚨 No PoC. No CVE. STILL exploited in under 10 hours. 🚨

    A critical flaw in the marimo OSS Python notebook platform was disclosed on April 8. Less than 10 hours later, an attacker was already stealing credentials.

    👀 What the Sysdig Threat Research Team observed:
    ➝ Unauthenticated RCE via a single WebSocket endpoint (/terminal/ws)
    ➝ Direct interactive shell access, no payload crafting needed
    ➝ Exploit built purely from advisory details
    ➝ First exploitation attempt observed within 9h 41m of advisory publication

    ⏱️ How the attack happened:
    ➝ Initial connection to validate access (scripted PoC markers)
    ➝ Rapid shift to hands-on keyboard exploration
    ➝ Immediate targeting of sensitive files (.env)
    ➝ Credential exfiltration within 3 minutes
    ➝ Follow-up session to revalidate and recheck access

    💥 Why this matters:
    ➝ Attackers are watching advisories beyond just the high-profile targets
    ➝ Advisory transparency = attacker acceleration
    ➝ No CVE ≠ No risk
    ➝ Interactive access drastically speeds up post-exploitation

    🛡️ What to do:
    ➝ Upgrade marimo to ≥ 0.23.0 immediately
    ➝ Rotate any credentials stored in .env or environment variables
    ➝ Do not expose notebook platforms directly to the internet without an authentication layer
    ➝ Restrict or disable terminal WebSocket access
    ➝ Monitor for unexpected connections to /terminal/ws

    🎯 The takeaway: We’re watching exploitation timelines collapse in real time. This mirrors recent cases (like Langflow) but more than 2x faster. Attackers aren’t waiting for PoCs anymore. They’re reading advisories and building exploits on the fly.

    Full breakdown >>> https://okt.to/WdRzxp #ThreatResearch


Funding

Sysdig: 9 total rounds
Last round: Series G, US$ 350.0M
