Documents
- Do you perform threat modeling?
- Do you maintain an approved Password Policy?
- Does the audit function have independence from the lines of business?
- Do you maintain an approved Internal Audit Policy?
- Do you maintain an approved Risk Management Policy?
Risk Profile
We have secure, reliable hosting that customers can depend on. We are happy to provide details about our risk mitigation practices and recovery objectives upon request.
Datadog's Response to axios npm Package Compromise
We are aware of the recently disclosed malicious axios npm packages (including versions 1.14.1 and 0.30.4), and have completed a security investigation of the potential impact to Datadog. Our exposure was limited to a small number of isolated development environments and CI/CD test runners.
We have contained the affected systems, and out of caution, we rotated all potentially exposed keys and secrets. We have identified no impact to customer environments or customer data.
How do I know if I was affected?
If you used any of the following Datadog open-source packages during the compromise window (2026-03-30 23:59 UTC – 2026-03-31 03:25 UTC), you may have inadvertently installed a malicious version of axios.
Installed via npm during the compromise window
datadog-ci
datadog-ci-base
datadog-ci-plugin-coverage
datadog-ci-plugin-deployment
datadog-ci-plugin-dora
datadog-ci-plugin-gate
datadog-ci-plugin-junit
datadog-ci-plugin-sarif
datadog-ci-plugin-sbom
datadog-ci-plugin-synthetics
datadog-ci-plugin-terraform
serverless-plugin-datadog
GitHub Action was run during the compromise window
junit-upload-github-action
datadog-sca-github-action
deployment-gate-github-action
datadog-static-analyzer-github-action
Built and installed from source during the compromise window (published releases of these were not affected)
synthetics-ci-github-action
upload-dsyms-github-action
dd-trace-js
datadog-lambda-js
For a detailed breakdown of the campaign and a step-by-step investigative guide, refer to our Security Labs post.
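The affected-package list above tells you which Datadog packages could have pulled in a malicious axios; the direct check is whether the axios versions named in the advisory (1.14.1 or 0.30.4) ended up in a project's package-lock.json. The following is an added example, not Datadog's tooling or code from the Security Labs post: it scans a lockfile in either the v1 layout (nested "dependencies") or the v2/v3 layout ("packages" keyed by install path), including nested copies under another package's node_modules. The sample lockfiles and the package name "some-cli" are constructed for the example.

```javascript
// Added example (not Datadog's code): find advisory-listed axios versions in a
// package-lock.json, whichever lockfile version produced it.

// Versions named in the advisory above; extend the map for other packages.
const COMPROMISED = { axios: new Set(["1.14.1", "0.30.4"]) };

// Append a finding when (name, version) matches the advisory map.
function record(name, version, path, advisories, out) {
  const bad = advisories[name];
  if (bad && bad.has(version)) out.push({ name, version, path });
}

// lockfileVersion 1: dependencies nest as {name: {version, dependencies: {...}}}.
function walkV1(deps, parentPath, advisories, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    record(name, entry.version, path, advisories, out);
    walkV1(entry.dependencies, `${path}/`, advisories, out);
  }
}

// Returns every matching install path, e.g. "node_modules/some-cli/node_modules/axios".
function findCompromised(lockText, advisories = COMPROMISED) {
  const lock = JSON.parse(lockText);
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are "" (the root project) or an install path;
    // the package name is the part after the last "node_modules/" (scoped names keep "@scope/").
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue;
      const marker = "node_modules/";
      const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
      record(name, entry.version, path, advisories, out);
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, "", advisories, out);
  }
  return out;
}

// Constructed sample lockfiles (not real project files).
const SAMPLE_LOCK_V3 = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/some-cli": { version: "2.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/some-cli/node_modules/axios": { version: "1.7.9" },
  },
});

const SAMPLE_LOCK_V1 = JSON.stringify({
  lockfileVersion: 1,
  dependencies: {
    "some-cli": { version: "2.0.0", dependencies: { axios: { version: "0.30.4" } } },
    axios: { version: "1.7.9" },
  },
});

for (const [label, text] of [["v3", SAMPLE_LOCK_V3], ["v1", SAMPLE_LOCK_V1]]) {
  console.log(label, findCompromised(text));
}
```

To run it against a real project, pass the contents of its package-lock.json to findCompromised. A lockfile only shows what is pinned now: a CI runner that resolved axios fresh during the window (no committed lockfile, or an npm update) may have installed a malicious version that a later lockfile no longer records, so also review the runner's build logs for that period.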
ISO 42001 Certification
We’re pleased to announce that Datadog has achieved ISO 42001 certification, the international standard for AI management systems (AIMS), which covers the responsible development and use of AI.
For details on what this means for your organization and our ongoing commitment to trust and accountability, please see our blog post.
Datadog’s Response to the LiteLLM PyPI Package Compromise
We are aware of the recently disclosed malicious LiteLLM PyPI packages (versions 1.82.7 and 1.82.8) and have investigated Datadog’s potential exposure. We are also following closely the activity of this threat actor group and its potential impact on the supply chain of Datadog software.
Our exposure was limited to a build pipeline for a single internal project. We have contained the affected systems, and determined that the malicious activity was interrupted before any data exfiltration occurred. We have identified no impact to customer environments or customer data.
For clarity, while Datadog offers a LiteLLM monitoring integration package as part of the Datadog Agent integrations, the Datadog Agent does not bundle the compromised LiteLLM PyPI package as a dependency. The Datadog Agent and this integration are therefore not affected by this issue.
Datadog's Response to Unsafe Deserialization in dd-trace-java RMI Instrumentation (CVE-2026-33728)
In response to CVE-2026-33728, an unsafe deserialization vulnerability (CVSS 9.3) in dd-trace-java's RMI instrumentation that could allow remote code execution (RCE), Datadog has released a patched version, v1.60.3. This vulnerability affects com.datadoghq:dd-java-agent versions >= 0.40.0 and <= 1.60.2. The Datadog platform is not affected, and customer exposure depends on their network configuration and whether the conditions for exploitation are met. We have not found any signs of exploitation or known indicators of compromise.
Customers are encouraged to upgrade to v1.60.3 or later at their earliest opportunity.
Please refer to the advisory for details, conditions required for exploitability, and available mitigations.
Datadog's Response to the Trivy v0.69.4 Supply-Chain Attack
In response to the supply-chain attack disclosed on March 19, 2026 targeting Trivy v0.69.4, which involved a malicious binary and poisoned GitHub Actions releases, Datadog Security conducted an investigation and confirmed that we are not impacted. However, we suggest customers refer to our Research Feed for guidance to assess potential exposure and take the suggested mitigations.