Welcome to my homepage!
I'm currently working as a staff cloud security researcher & advocate at Datadog. Below you'll find posts and software I've written.
Feel free to reach out!
- Email: christophe@tafani-dereeper.me
- Bluesky: @christophetd.fr
- Mastodon: [email protected]
- LinkedIn: christophetafanidereeper
Latest posts
Latest posts from my blog where I write about things I like, use, dislike and misuse.
- The New PKCE Authentication in AWS SSO Brings Hope (Mostly)
- Stop worrying about Kubernetes' allowPrivilegeEscalation
- IMDSv2 enforcement: coming to a region near you!
- MitM at the Edge: Abusing Cloudflare Workers
- Introducing Stratus Red Team, an Adversary Emulation Tool for the Cloud
- Implementing a Vulnerable AWS DevOps Environment as a CloudGoat Scenario
- Cloud Security Breaches and Vulnerabilities: 2021 in Review
- Phishing for AWS credentials via AWS SSO device code authentication
Company posts
Posts written with current or past employers.
- Compromised axios npm package delivers cross-platform RAT
- LiteLLM and Telnyx compromised on PyPI: Tracing the TeamPCP supply chain campaign
- Catching malicious contributions in Datadog's open source repos
- Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users
- The Shai-Hulud 2.0 npm worm: analysis, and what you need to know
- Malicious PyPI packages targeting highly specific MacOS machines
- The XZ Utils backdoor (CVE-2024-3094)
- An analysis of a TeamTNT doppelgänger
- Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining
- Deep dive into the new Amazon EKS Cluster Access Management features
- Deep dive into the new Amazon EKS Pod Identity feature
- Following attackers' (Cloud)trail in AWS: Methodology and findings in the wild
- Exploring GitHub-to-AWS keyless authentication flaws
- Attacking and securing cloud identities in managed Kubernetes part 1: Amazon EKS
- The OverlayFS vulnerability CVE-2023-0386: Overview, detection, and remediation
- Partially bypassing the AWS Console authentication rate limiting
- A retrospective on public cloud breaches of 2022
- Investigating a backdoored PyPi package targeting FastAPI applications
- Finding malicious PyPI packages through static code analysis: Meet GuardDog
- The OpenSSL punycode vulnerability (CVE-2022-3602), detailed write-up
- State of AWS Security in 2022: a look into 600+ real-world AWS environments
Software
Stratus Red Team
Granular, Actionable Adversary Emulation for the Cloud
MKAT
Identify common security issues in managed Kubernetes environments.
Grimoire
Generate datasets of cloud audit logs for common attacks.
GuardDog
Identify malicious PyPI and npm packages
CloudFlair
Find origin servers of websites behind Cloudflare using Internet-wide scan data from Censys
Adaz
Automate the provisioning of Active Directory labs in Azure
log4shell-vulnerable-app
Vulnerable Spring Boot application for easy reproduction of the Log4shell vulnerability
Threatest
Go framework for end to end testing threat detection rules
censys-subdomain-finder
Subdomain enumeration using the certificate transparency logs from Censys
hunting-mindmaps
Mindmaps for threat hunting using memory captures and Windows event logs
Talks
- From AiTM Phishing to Self-Replicating Worms: Inside the 2025 npm Attacks (Insomni'Hack 2026)
- From AiTM Phishing to Self-Replicating Worms: Inside the 2025 npm Attacks (JSSI 2026) 🇫🇷
- Investigating a Threat Actor Targeting Security Researchers and Academics (DEF CON 2025 - slides)
- Code to Cloud: Exploiting Modern Web Applications to Breach Cloud Environments (Insomni'Hack 2025)
- Catch them all! Detection engineering and purple teaming in the cloud (DEF CON Cloud Village 2024)
- PIVOT! Bouncing between your app, your cluster and your cloud (Kubernetes Community Days Zürich 2024)
- Abusing misconfigured OIDC authentication in cloud environments (Insomni'Hack and BSides LV 2024)
- Keep Hackers Out of Your Cluster with These 5 Simple Tricks (KubeCon EU 2024)
- A journey through attack vectors in managed Kubernetes services (SANS CloudSecNext 2023 - slides)
- Mind The Gap! Bringing Together Cloud Services and Managed K8s Environments (KubeCon EU 2023)
- Finding Malicious PyPI Packages in the Wild (Insomni'Hack 2023)
- Purple Teaming & Adversary Emulation in the Cloud (DEF CON Cloud Village 2022)
- Purple Teaming the Cloud with Stratus Red Team (Cloud-Native SecurityCon 2022)
- Fantastic AWS Hacks and Where to Find Them (SANS New2Cyber 2022)
- Scanning Infrastructure-as-Code for security flaws (OWASP DevSlop)
- Can't Take My Lab off You — Automating the Provisioning of Active Directory Labs in Azure (vOPCDE #7)
- Adaz presentation (Forensic Lunch October 23rd, 2020)
- Switzerland has bunkers, we have Vault (BlackAlps 2018)
- How hackers exploit weak SSH credentials to build DDoS botnets (BlackAlps 2017, GreHack 2017)
Podcasts
- Shai-Hulud 2.0: an NPM supply chain attack (French only, NoLimitSecu podcast)
- Software Supply Chain Security (French only, NoLimitSecu podcast)
- Escaping from Managed Kubernetes Clusters (Cloud Security Podcast)
- Scanning Infrastructure-as-Code For Security Issues (Day Two Cloud episode 125)
- What is cloud security? (French only, NoLimitSecu podcast)
- Infrastructure-as-Code Security (French only, NoLimitSecu podcast)
- Service Meshes and their Security Implications (French only, NoLimitSecu podcast)
Books
Books I've particularly enjoyed.
Security:
- Hacking, the Art of Exploitation
- Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
- Violent Python
DevOps / Engineering:
Find me on the web