Step Security Blog
https://www.stepsecurity.io
Detect, prevent, and respond to software supply chain attacks. End-to-end protection for AI agents, developer machines, npm packages, and CI/CD pipelines.
フィード

StepSecurity Maintained Actions Are Now Free for Public Repos
Step Security Blog
StepSecurity Maintained Actions are now free for public repos. Secure, drop-in replacements for risky third-party GitHub Actions, reviewed and actively maintained.
3日前

10 Layers Deep: How StepSecurity Stops TeamPCP's Trivy Supply Chain Attack on GitHub Actions
Step Security Blog
TeamPCP weaponized 76 Trivy version tags overnight. The KICS attack followed the same playbook days later. One security control is not enough. Here is how the StepSecurity platform's ten independent security layers work together to prevent credential exfiltration, detect compromised actions at runtime, and respond to incidents across your entire organization before attackers can succeed.
3日前

Secure Registry now tells you which machine pulled a compromised package
Step Security Blog
Secure Registry now traces every npm and PyPI install back to the developer machine or CI pipeline behind it, so you can scope a compromised package in minutes.
4日前

Multiple @immobiliarelabs Backstage Plugins Compromised on npm
Step Security Blog
Compromised versions run a malicious payload at npm install time through a binding.gyp node-gyp hook, harvesting credentials from sources like GitHub Actions secrets, cloud provider keys, and package registry tokens, while trying to persist in AI coding assistant configs. Static analysis of version 2.1.2 against the clean 2.1.1 release revealed a new 5 MB index.js and an added binding.gyp, both absent from earlier releases.
4日前

Maven Support Comes to GitHub Checks and OSS Package Search
Step Security Blog
StepSecurity now supports Maven in GitHub Checks and OSS Package Search, blocking compromised and freshly published Java dependencies in your pull requests.
4日前

Mass npm Supply Chain Attack: 20 Leo Platform Packages Compromised
Step Security Blog
On June 24, 2026, an attacker published malicious versions of 20 npm packages belonging to the Leo Platform ecosystem in a coordinated burst spanning less than three seconds. All 20 packages carry an identical CI/CD attack toolkit that steals secrets from GitHub Actions runners, cloud credential stores, package registries, and password managers, then exfiltrates them via the victim's own GitHub token. Together these packages receive approximately 13,600 downloads per week.
4日前

simonecorsi/mawesome GitHub Action has been compromised
Step Security Blog
On June 24, 2026, an attacker compromised the simonecorsi/mawesome GitHub repository. They force-pushed malicious commits and repointed several version tags to that commit. As a result, any workflow running against those tags after that time executed the attacker's code inside its GitHub Actions runner.
4日前

codfish/semantic-release-action GitHub Action has been compromised
Step Security Blog
On June 24, 2026, an attacker compromised the codfish/semantic-release-action GitHub repository. At 15:39:06 UTC they force-pushed a malicious commit and repointed several version tags to that commit. As a result, any workflow running against those tags after that time executed the attacker's code inside its GitHub Actions runner.
4日前

15 Malicious JetBrains Plugins Stole AI API Keys from 70,000 Developers
Step Security Blog
A coordinated 8-month supply chain attack planted credential-stealing code inside fake AI coding assistants on the JetBrains Marketplace, quietly exfiltrating OpenAI, DeepSeek, and SiliconFlow API keys to an attacker-controlled server in Beijing -- which our investigation found still operational today.
4日前

Mastra npm Supply Chain Attack: 140+ Packages Backdoored via easy-day-js Typosquat
Step Security Blog
On June 17, 2026, an attacker compromised the @mastra npm organization and quietly added easy-day-js as a dependency across 140+ packages in the Mastra AI framework ecosystem. easy-day-js is a typosquat of the popular dayjs date library, and its latest version contained an obfuscated postinstall dropper that downloaded and ran a second-stage payload from attacker-controlled servers, then deleted itself to remove any trace. Packages with a combined weekly download count exceeding 1.1 million were exposed. If you installed any @mastra package today, treat your environment as compromised.
18日前

Prevent npm and Python Supply Chain Attacks on Developer Machines with Package Configs
Step Security Blog
npm and Python supply chain attacks run on developer machines and steal secrets. See how Package Configs audits registry, cooldown, and auth across your fleet
18日前

400+ AUR Packages Hijacked: What the “Atomic Arch” Campaign Means for Supply-Chain Security
Step Security Blog
On June 11th 2026, security researchers and the Arch Linux community disclosed a large-scale supply-chain attack against the Arch User Repository (AUR). Attackers hijacked more than 400 community packages and turned them into a malware delivery network. While the immediate blast radius is limited to Arch Linux systems, the campaign is a textbook example of how modern attackers compromise developers and CI infrastructure by abusing trust in open-source ecosystems.
18日前

Miasma and Hades Are Spreading Now: Detect Them on Developer Machines with Suspicious Files
Step Security Blog
Miasma and Hades worms are spreading across npm and PyPI, running on import and project open. See how Dev Machine Guard's Suspicious Files detects them.
18日前

New in the Threat Center: Compromised Components, Now Available via API
Step Security Blog
StepSecurity's new Threat Center API returns the compromised packages for any supply chain incident, so you can automate response and confirm exposure fast.
1ヶ月前

Pythagora-io/gpt-pilot Compromised on GitHub - Shai-Hulud Credential Stealer Blocked by Python Linter
Step Security Blog
An attacker hijacked a co-founder's GitHub account for gpt-pilot, a 33K-star AI coding tool, and force-pushed a credential-stealing Shai-Hulud payload to the main branch. The ruff Python linter caught formatting and lint violations in the malicious code and blocked the CI build -- twice. The attacker gave up.
1ヶ月前

The Hades Campaign: Graph ML PyPI Packages Deploy Cross-Platform Memory Scrapers, AI Analyst Misdirection, and a Wiper Deterrent
Step Security Blog
On June 8, 2026, multiple Graph ML PyPI packages in the bioinformatics ecosystem were compromised in the Hades campaign, deploying cross-platform memory scrapers, AI prompt injections to misdirect scanners, and a token-revocation wiper.
1ヶ月前

Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled After Supply Chain Attack Targeting AI Coding Agents
Step Security Blog
On June 5, 2026, the Miasma worm campaign reached Microsoft's Azure GitHub organizations. GitHub disabled 73 repositories across four Microsoft GitHub organizations after a malicious commit was pushed to the Azure/durabletask repository using a previously compromised contributor account. The attack planted configuration files that execute a credential-harvesting payload when a developer opens the repository in Claude Code, Gemini CLI, Cursor, or VS Code.
1ヶ月前

Microsoft's durabletask PyPI Package Compromised in Supply Chain Attack
Step Security Blog
Three malicious versions of Microsoft's official durabletask Python SDK were published to PyPI on May 19, 2026. The compromised package silently downloads and executes a 28 KB payload that steals credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations, then spreads laterally through cloud infrastructure. The payload skips systems with a Russian locale, a hallmark of Eastern European cybercrime operations. The attack has been linked to the TeamPCP threat group behind the Mini Shai-Hulud campaign.
1ヶ月前

Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp
Step Security Blog
self-replicating worm is spreading across the npm registry using binding.gyp, a file that triggers code execution during npm install without touching package.json scripts. The attack bypasses conventional security tools and has already compromised dozens of packages across multiple maintainer accounts.
1ヶ月前

Multiple redhat-cloud-services npm Packages compromised
Step Security Blog
Several packages in the @redhat-cloud-services npm scope were found to carry malicious payloads that fire via a preinstall hook on every npm install. The affected versions span multiple packages across the RedHat Cloud Services frontend ecosystem. The payload is a sophisticated multi-stage credential harvester that targets GitHub Actions secrets, AWS, GCP, Azure, Kubernetes, HashiCorp Vault, npm tokens, and CircleCI tokens
1ヶ月前

Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten to Steal CI Secrets
Step Security Blog
On May 22, 2026, an attacker with push access to the Laravel-Lang GitHub organization rewrote every git tag across multiple popular Composer packages within a single 15 minute window. Anyone running composer update or installing fresh against laravel-lang/http-statuses, laravel-lang/actions, or laravel-lang/attributes now pulls a payload that exfiltrates CI secrets to a typosquatted attacker domain. StepSecurity confirmed end to end exploitation in an isolated runner and has filed security issues in all four repositories.
1ヶ月前

Dev Machine Guard Now Scans Extensions Across Every Modern IDE
Step Security Blog
Dev Machine Guard now scans IDE extensions across VS Code, Cursor, Windsurf, JetBrains IDEs, Android Studio, Eclipse, and Xcode on macOS, Windows, and Linux. Get a unified inventory, extension risk scoring, typosquat detection, and compromised extension visibility across your entire developer fleet.
1ヶ月前

Nx Console VS Code Extension Compromised
Step Security Blog
Nx Console VS Code Extension Compromised
1ヶ月前

Megalodon: Mass GitHub Actions Secret Exfiltration Across 5,500+ Public Repositories
Step Security Blog
A forged commit. A workflow file disguised as a routine CI optimization. Within 6 hours, 5,561 GitHub repositories were backdoored. Cloud credentials harvested. SSH keys stolen. OIDC tokens minted and exfiltrated before any runner finished. The attacker never touched your application code, only your pipeline. Most repositories had no idea it happened.
1ヶ月前

5 Supply Chain Attacks in 48 Hours: Why Securing One Layer Is Not Enough
Step Security Blog
A poisoned VS Code extension breached GitHub. A trojanized PyPI package hit Microsoft. Compromised GitHub Actions and a self-spreading npm worm targeted thousands more. In just 48 hours, attackers hit every layer of the software development pipeline. Traditional security tools did not stop any of it.
1ヶ月前

Dev Machine Guard Now Supports Linux
Step Security Blog
Dev Machine Guard now supports Linux, giving security teams full visibility into Linux, macOS, and Windows developer machines. Detect AI coding agents, IDE extensions, MCP servers, npm and system packages, and compromised dependencies across your entire developer fleet from one dashboard.
2ヶ月前

Dev Machine Guard Now Supports Windows
Step Security Blog
Dev Machine Guard now supports Windows, giving security teams full visibility into Windows and macOS developer machines. Detect AI coding agents, IDE extensions, MCP servers, npm packages, and compromised dependencies across your developer fleet from a single dashboard.
2ヶ月前

Shai-Hulud: Here We Go Again. Mass npm Supply Chain Attack Hits the AntV Ecosystem
Step Security Blog
A new wave of the Mini Shai-Hulud worm has compromised packages across Alibaba's AntV data visualization ecosystem, echarts-for-react, timeago.js, and dozens more. Stolen CI/CD secrets are being dumped to thousands of public GitHub repositories as the attack continues to spread.
2ヶ月前

actions-cool/issues-helper GitHub Action Compromised: All Tags Point to Imposter Commit That Exfiltrates CI/CD Credentials
Step Security Blog
The popular GitHub Action actions-cool/issues-helper has been compromised. Every existing tag in the repository has been moved to point to a single imposter commit that does not appear in the action's normal commit history. That commit contains malicious code that exfiltrates credentials from CI/CD pipelines that run the action.
2ヶ月前

Introducing Secure Registry: install-time defense for the npm supply chain
Step Security Blog
Introducing Secure Registry by StepSecurity: install-time defense for the npm supply chain. Block malicious packages, enforce package cooldowns, and protect CI/CD pipelines, developer machines, and artifact managers from modern software supply chain attacks.
2ヶ月前

Active Supply Chain Attack: Malicious node-ipc Versions Published to npm
Step Security Blog
Active Supply Chain Attack: Malicious node-ipc Versions Published to npm StepSecurity has detected multiple malicious releases of the popular node-ipc npm package. Three versions are currently known to be compromised, containing an obfuscated payload designed to steal cloud credentials, SSH keys, and CI/CD secrets. Our team is actively analyzing the attack, and this post will be updated as our investigation progresses
2ヶ月前

TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages
Step Security Blog
The Mini Shai-Hulud worm is actively compromising legitimate npm packages by hijacking CI/CD pipelines and stealing developer secrets. StepSecurity's OSS Package Security Feed first detected the attack in official @tanstack packages and is tracking its spread across the ecosystem in real time.
2ヶ月前

Shai-Hulud Worm Pivots to Multi-Cloud: [email protected] Hijacked — 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Scope
Step Security Blog
Twenty-nine hours after [email protected] and @cap-js/[email protected] were compromised by the Shai-Hulud worm, a third major npm package has fallen: [email protected], the official Node.js SDK for the Intercom customer messaging platform, with 361,510 weekly downloads — more than the two yesterday’s compromised packages combined. The malicious version was published today at 14:41 UTC via a hijacked GitHub Actions OIDC publishing pipeline, confirming the worm is actively propagating through CI/CD infrastructure stolen from yesterday’s victims.
2ヶ月前

lightning: Obfuscated JavaScript Credential Stealer Bundled in PyPI Wheel
Step Security Blog
On April 30, 2026, a supply chain compromise was identified in the lightning PyPI package — versions 2.6.2 and 2.6.3. The project’s GitHub account shows signs of compromise, with issues reporting the attack closed rapidly by suspicious responses.
2ヶ月前

A Mini Shai-Hulud Has Appeared: Obfuscated Bun Runtime Payloads Hit SAP-Related npm Packages
Step Security Blog
StepSecurity has detected a new npm supply chain attack campaign using preinstall hooks to download the Bun JavaScript runtime and execute an 11 MB obfuscated payload. At least two SAP-ecosystem packages are confirmed compromised so far.
2ヶ月前

elementary-data Compromised on PyPI and GHCR: Forged Release Pushed via GitHub Actions Script Injection
Step Security Blog
A malicious version of elementary-data (0.23.3) was published to PyPI and is, at the time of writing, still listed as the latest release. The same release run also pushed a multi-arch container image to GitHub Container Registry at ghcr.io/elementary-data/elementary, tagged both 0.23.3 and latest.
2ヶ月前

Bitwarden CLI Hijacked on npm: Bun-Staged Credential Stealer Targets Developers, GitHub Actions, and AI Tools
Step Security Blog
@bitwarden/[email protected] — the official command-line interface for the Bitwarden password manager — was found compromised on npm. A malicious preinstall hook silently bootstraps the Bun JavaScript runtime and launches a 9.7 MB obfuscated credential stealer that targets developer secrets, GitHub Actions environments, and — explicitly — AI coding tool configurations including ~/.claude.json and MCP server configs. All stolen data is encrypted with AES-256-GCM and exfiltrated to audit.checkmarx.cx, a domain impersonating the legitimate security company Checkmarx. When GitHub tokens are found, the malware weaponizes them to inject malicious workflows into repositories and extract CI/CD secrets — turning a single compromised developer machine into a supply chain attack pivot point.
2ヶ月前

TeamPCP Injects Two-Stage Credential Stealer into xinference PyPI Package
Step Security Blog
xinference
2ヶ月前

CanisterSprawl: pgserve Compromised on npm: Malicious Versions Harvest Credentials and Exfiltrate to a Decentralized ICP Canister
Step Security Blog
On April 21, 2026, malicious versions of pgserve were published to npm. pgserve is an embedded PostgreSQL server for development — zero config, auto-provisioned databases, designed to be dropped into any Node.js project. The compromised versions (1.1.11, 1.1.12, and 1.1.13) inject a 1,143-line credential-harvesting script that runs via postinstall on every npm install.
2ヶ月前

Announcing Dependabot Configuration Enhancements: Cooldown and Group Support
Step Security Blog
StepSecurity adds cooldown and group support for Dependabot configuration, giving teams control over update frequency and PR batching across npm, pip, Docker, and GitHub Actions. Reduce alert fatigue. Merge more patches. Strengthen your supply chain.
2ヶ月前

Securing Vibe Coding and AI Coding Agents: An End-to-End Approach with StepSecurity
Step Security Blog
AI coding agents install packages, create pull requests, push commits, and run autonomously in CI/CD pipelines. Here's how to secure every stage of that workflow
3ヶ月前

Introducing StepSecurity Dev Machine Guard: Protecting Developer Machines from Supply Chain Attacks
Step Security Blog
Modern supply chain attacks target developer machines and AI coding agents. Learn how StepSecurity Dev Machine Guard stops credential theft early
3ヶ月前

Top 2024 Predictions for CI/CD Security
Step Security Blog
Explore key CI/CD security trends for 2024, including shifts to modern platforms, third-party component risks, rising security incidents, and the growing need for secure pipelines. Learn how to protect your organization from evolving threats in the CI/CD landscape.
3ヶ月前

@velora-dex/sdk Compromised on npm: Malicious Version Drops macOS Backdoor via launchctl Persistence
Step Security Blog
A registry-only supply chain attack on @velora-dex/sdk delivers an architecture-aware macOS backdoor that fires the moment your code imports the package. No install hooks, no repo commits, no visible output.
3ヶ月前

Behind the Scenes: How StepSecurity Detected and Helped Remediate the Largest npm Supply Chain Attack
Step Security Blog
StepSecurity's AI Package Analyst and Harden-Runner detected the compromise of axios, the largest npm supply chain attack on a single package by download count, before any public disclosure existed. What followed was a race against a state-sponsored threat actor who actively deleted GitHub issues to suppress the warning, a decision to host a community call at midnight that drew 200 attendees, and coverage from Bloomberg to Andrej Karpathy
3ヶ月前

axios Compromised on npm - Malicious Versions Drop Remote Access Trojan
Step Security Blog
Hijacked maintainer account used to publish poisoned axios releases including 1.14.1 and 0.30.4. The attacker injected a hidden dependency that drops a cross platform RAT. We are actively investigating and will update this post with a full technical analysis.
3ヶ月前

Dev Machine Guard Is Now Open Source: See What's Really Running on Your Developer Machine
Step Security Blog
Your developer machine is running AI agents, MCP servers, IDE extensions, and hundreds of packages. Do you know which ones? Now there's a free, open-source way to find out.
3ヶ月前

Datadog's DevSecOps 2026 Report Validates What We've Been Building
Step Security Blog
Datadog's State of DevSecOps 2026 report confirms what StepSecurity has been warning about for years: CI/CD pipelines and GitHub Actions are prime targets for supply chain attacks. Learn how StepSecurity's platform directly mitigates every major risk identified in the report, from unpinned actions to day-of-release dependencies.
3ヶ月前

hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far
Step Security Blog
A week-long automated attack campaign targeted CI/CD pipelines across major open source repositories, achieving remote code execution in at least 4 out of 5 targets. The attacker, an autonomous bot called hackerbot-claw, used 5 different exploitation techniques and successfully exfiltrated a GitHub token with write permissions from one of the most popular repositories on GitHub. This post breaks down each attack, shows the evidence, and explains what you can do to protect your workflows.
3ヶ月前

StepSecurity’s Unified Protection Across the SDLC Infrastructure Threat Framework (SITF)
Step Security Blog
How StepSecurity delivers real-world protection across all critical pillars identified in Wiz's SDLC Infrastructure Threat Framework (SITF)
3ヶ月前

Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor
Step Security Blog
A supply chain attack targeting Solidity and Web3 developers has been discovered across three IoliteLabs VSCode extensions (solidity-macos, solidity-windows, and solidity-linux) embedding obfuscated backdoors that download remote payloads and establish persistence on all major platforms. StepSecurity is actively investigating this incident and will publish a full technical analysis with IOCs and remediation guidance shortly.
3ヶ月前

TeamPCP Plants WAV Steganography Credential Stealer in telnyx PyPI Package
Step Security Blog
On March 27, 2026, TeamPCP injected a WAV steganography-based credential stealer into two releases of the telnyx Python SDK on PyPI. The issue was disclosed in team-telnyx/telnyx-python#235. TeamPCP is the same group behind the litellm supply chain compromise three days earlier, identified by a shared RSA-4096 public key, identical encryption scheme, and the tpcp.tar.gz exfiltration signature present in both attacks.
3ヶ月前

litellm: Credential Stealer Hidden in PyPI Wheel
Step Security Blog
On March 24, 2026, a critical supply chain compromise was identified in litellm==1.82.8: the PyPI package contains a malicious litellm_init.pth file
3ヶ月前

Checkmarx KICS GitHub Action Compromised: Malware Injected in All Git Tags
Step Security Blog
All release tags in the Checkmarx/kics-github-action repository have been compromised with an infostealer payload. If you are using this Action pinned to any version tag, treat your CI/CD secrets as compromised and rotate immediately.
3ヶ月前

CanisterWorm: How a Self-Propagating npm Worm Is Spreading Backdoors Across the Ecosystem
Step Security Blog
Following Trivy's compromise, StepSecurity's AI Package Analyst flagged suspicious new releases across multiple npm scopes — revealing CanisterWorm, a self-propagating npm worm deployed by the TeamPCP threat actor. The worm is a direct continuation of the second Trivy compromise (v0.69.4): attackers embedded a credential harvester in Trivy's CI/CD toolchain, stole npm tokens from affected pipelines, then used those tokens to publish backdoored patch versions across every namespace they could reach — including the @opengov scope (16+ packages).
3ヶ月前

Trivy Compromised a Second Time - Malicious v0.69.4 Release, aquasecurity/setup-trivy, aquasecurity/trivy-action GitHub Actions Compromised
Step Security Blog
On March 19, 2026, trivy — a widely used open source vulnerability scanner maintained by Aqua Security — experienced a second security incident. Three weeks after the hackerbot-claw incident on February 28 that resulted in a repository takeover, a new compromised release (v0.69.4) was published to the trivy repository. The original incident disclosure discussion (#10265) was also deleted during this period, and version tags on the aquasecurity/setup-trivy GitHub Action were removed. Trivy maintainers deleted the v0.69.4 tag and Homebrew downgraded to v0.69.3. The following is a factual account of what we observed through public GitHub data.
3ヶ月前

bittensor-wallet 4.0.2 Compromised on PyPI - Backdoor Exfiltrates Private Keys
Step Security Blog
On March 17, 2026, bittensor-wallet 4.0.2 was identified as a compromised PyPI package. The malicious release had been live on PyPI for approximately 48 hours before being yanked. This post is a ground-up technical breakdown based on a direct diff of the source tarballs for versions 4.0.1 and 4.0.2 — covering exactly what changed, how the backdoor works, and what defenders should do. We also ran the compromised package with StepSecurity Harden Runner and captured every C2 channel firing in real time.
3ヶ月前

Malicious npm Releases Found in Popular React Native Packages - 130K+ Monthly Downloads Compromised
Step Security Blog
On March 16, 2026, StepSecurity Threat Intel was the first to detect and report malicious releases in two popular React Native npm packages — react-native-international-phone-number and react-native-country-select. StepSecurity's AI Package Analyst flagged the compromised versions, and within minutes, StepSecurity filed security issues directly in both GitHub repositories — alerting the maintainer and the community before any other security vendor.
3ヶ月前

Malicious Polymarket Bot Hides in Hijacked dev-protocol GitHub Org and Steals Wallet Keys
Step Security Blog
The StepSecurity threat intelligence team discovered that dev-protocol — a verified GitHub organization with 568 followers belonging to a legitimate Japanese DeFi project — has been hijacked and is now being used to distribute malicious Polymarket trading bots.
3ヶ月前

ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push
Step Security Blog
The StepSecurity threat intelligence team was the first to discover and report on an ongoing campaign — which we are tracking as ForceMemo — in which an attacker is compromising hundreds of GitHub accounts and injecting identical malware into hundreds of Python repositories. The earliest injections date to March 8, 2026, and the campaign is still active with new repos continuing to be compromised.
3ヶ月前

xygeni-action Compromised: C2 Reverse Shell Backdoor Injected via Tag Poisoning
Step Security Blog
The official Xygeni GitHub Action (xygeni-action) was compromised on March 3, 2026, when an attacker using stolen maintainer credentials injected a full C2 reverse shell backdoor and silently moved the mutable v5 tag to the malicious commit - affecting all repositories referencing @v5 without any visible change to their workflow files. The v5 tag remains poisoned as of March 9; users should immediately pin to v6.4.0 or a specific commit SHA, and StepSecurity's Harden-Runner would have detected and blocked the C2 callback to 91.214.78.178.
3ヶ月前

kubernetes-el Compromised: How a Pwn Request Exploited a Popular Emacs Package
Step Security Blog
On March 5, 2026, a threat actor exploited a classic "Pwn Request" vulnerability in the CI workflow of kubernetes-el/kubernetes-el, a popular Emacs package for managing Kubernetes clusters. The attacker stole the repository's GITHUB_TOKEN (with full write permissions), exfiltrated CI/CD secrets, defaced the repository, and injected destructive code.
4ヶ月前

How StepSecurity Caught a Release Storm in Microsoft’s @types Packages
Step Security Blog
StepSecurity AI Package Analyst detected 70+ ghost releases across npm's most trusted TypeScript packages.
4ヶ月前

Harden Runner Now Supports Windows and macOS GitHub Actions Runners
Step Security Blog
Harden Runner now supports Windows and macOS GitHub Actions runners, delivering EDR-level runtime security across Linux, Windows, and macOS CI/CD pipelines
4ヶ月前

10,000 Open-Source Projects Now Secured by Harden-Runner Community-Tier: A Milestone Three Years in the Making
Step Security Blog
From 5,000 to 10,000 in just one year: How Harden-Runner doubled its reach and became the standard for CI/CD runtime security
5ヶ月前

20+ Popular NPM Packages Compromised (Chalk, Debug, Strip-ANSI, Color-Convert, Wrap-ANSI...)
Step Security Blog
Massive NPM supply chain attack targets cryptocurrency users through compromised maintainer account - affecting packages downloaded billions of times weekly including debug, chalk, ansi-styles, color-convert, strip-ansi and 15+ other critical JavaScript packages. Malicious code injected to steal cryptocurrency wallets and redirect blockchain transactions.
5ヶ月前

2024 in Review: The Evolution of CI/CD Security & What's Next
Step Security Blog
Discover the key developments in CI/CD security in 2024, including major incidents, real-world case studies, and emerging trends for 2025. Learn how StepSecurity is driving innovation to secure CI/CD pipelines with proactive solutions.
5ヶ月前

How to Use Docker in Actions Runner Controller (ARC) Runners Securely
Step Security Blog
Discover best practices for using Docker in Actions Runner Controller (ARC) runners securely. Learn how to implement network egress filtering and runtime security to protect your CI/CD pipelines effectively.
5ヶ月前

Celebrating 1000 Repositories Secured with Harden Runner: A Journey of Growth and Collaboration
Step Security Blog
StepSecurity Harden-Runner has secured 1,000+ repositories! Celebrate this milestone with us as we reflect on our journey of growth, collaboration, and commitment to enhancing CI/CD security.
5ヶ月前

StepSecurity Detects Early Supply Chain Risk Signals in kilocode npm
Step Security Blog
StepSecurity detected early supply chain risk signals in a legitimate kilocode npm release, showing how small behavior changes can quietly weaken trust before attacks happen
5ヶ月前

Another npm Supply Chain Attack: The 'is' Package Compromise
Step Security Blog
npm 'is' package versions 3.3.1 and 5.0.0 compromised - critical utility with millions of weekly downloads falls victim to expanding phishing campaign
5ヶ月前

anthropics/claude-code-action Security: How to Secure Claude Code in GitHub Actions with Harden-Runner
Step Security Blog
Unlike GitHub Copilot's built-in network firewall, anthropics/claude-code-action GitHub action operates in GitHub Actions without network restrictions by default. Complete guide to implementing Claude Code in GitHub Actions with runtime security monitoring using Harden-Runner.
5ヶ月前

Harden-Runner detection: tj-actions/changed-files action is compromised
Step Security Blog
tj-actions/changed-files
5ヶ月前

StepSecurity's Catalog of Fixes
Step Security Blog
Explore StepSecurity's Catalog of Fixes, a comprehensive resource to help developers automate security fixes in GitHub Actions workflows. Learn how to improve CI/CD security with actionable solutions.
5ヶ月前

Orchestrating Security: StepSecurity's Impact on 400+ Repositories and Future Plans
Step Security Blog
StepSecurity has secured over 400 repositories and is shaping the future of CI/CD security. Learn about our impact, key milestones, and upcoming plans to enhance GitHub Actions security.
5ヶ月前

Announcing Anomalous Outbound Call Detection Using Machine Learning
Step Security Blog
StepSecurity introduces anomalous outbound call detection using machine learning! Learn how this feature enhances CI/CD security by identifying and mitigating suspicious network activities in real-time.
5ヶ月前

Announcing GitHub Actions Advisor and StepSecurity Maintained Actions
Step Security Blog
Introducing GitHub Actions Advisor and StepSecurity-maintained Actions! Learn how these tools help developers enhance GitHub Actions security, manage third-party risks, and ensure workflow compliance effortlessly.
5ヶ月前

Analysis of Backdoored XZ Utils Build Process with Harden-Runner
Step Security Blog
Explore an in-depth analysis of the backdoored XZ Utils build process using StepSecurity Harden-Runner. Learn how real-time monitoring detected malicious activity and safeguarded CI/CD pipelines from supply chain attacks.
5ヶ月前

Announcing General Availability of Harden Runner
Step Security Blog
StepSecurity announces the general availability of Harden-Runner! Discover how this powerful tool enhances CI/CD security by monitoring network egress, detecting anomalies, and automating GitHub Actions protection.
5ヶ月前

Milestone Achieved: 2500+ Public Repositories Secured with Harden-Runner
Step Security Blog
StepSecurity Harden-Runner has secured 2,500+ public repositories! Learn how this milestone reflects the growing trust in CI/CD security solutions to protect GitHub Actions workflows and prevent supply chain attacks.
5ヶ月前

Build secretless CI/CD pipelines using wait-for-secrets
Step Security Blog
Learn how to build secure, secretless CI/CD pipelines using the "Wait for Secrets" approach by StepSecurity. Discover how to reduce secret exposure risks and enhance GitHub Actions security.
5ヶ月前

Introducing Apps & PATs: Centralized Visibility for GitHub Apps and Personal Access Tokens
Step Security Blog
Get visibility into GitHub Apps, fine-grained PATs, and classic PATs across all your organizations in one dashboard
5ヶ月前

CVE-2026-22709: Critical Sandbox Escape Vulnerability in vm2
Step Security Blog
CVE-2026-22709; vm2
5ヶ月前

StepSecurity Now Supports Dark Mode
Step Security Blog
StepSecurity now supports dark mode for a more comfortable security investigation experience. Reduce eye strain and stay focused during long CI/CD analysis sessions
5ヶ月前

2025 in Review: The Evolution of Supply Chain Security & What's Next
Step Security Blog
How StepSecurity achieved 5X ARR growth for the second year in a row while securing over 10,000 open-source repositories in 2025
6ヶ月前

Bake Harden-Runner Into GitHub's Custom Runner Images for Organization-Wide CI/CD Security
Step Security Blog
GitHub's new custom runner images let you embed Harden-Runner directly into your infrastructure, providing automatic runtime protection across all workflows without modifying a single workflow file
7ヶ月前

StepSecurity Is Now Available on Azure Marketplace
Step Security Blog
The StepSecurity App is now available on Azure Marketplace—simplifying procurement, deployment, and CI/CD security in one place.
7ヶ月前

Critical Remote Code Execution Vulnerabilities Discovered in React Server Components and Next.js
Step Security Blog
CVE-2025-55182;CVE-2025-66478;reactjs;nextjs
7ヶ月前

How Harden Runner Detected the Sha1-Hulud Supply Chain Attack in CNCF's Backstage Repository
Step Security Blog
A case study on detecting npm supply chain attacks through runtime monitoring and baseline anomaly detection
7ヶ月前

Sha1-Hulud: The Second Coming - Zapier, ENS Domains, and Other Prominent NPM Packages Compromised
Step Security Blog
Sha1-Hulud: The Second Coming
7ヶ月前

Supply Chain Security Alert: eslint-config-prettier Package Shows Signs of Compromise
Step Security Blog
We are currently investigating a potential supply chain security incident involving the eslint-config-prettier npm package. This widely-used package, which helps developers maintain consistent code formatting by turning off ESLint rules that conflict with Prettier, appears to have had multiple versions published with suspicious modifications.
7ヶ月前

9,000 Open-Source Projects Now Secured by Harden-Runner
Step Security Blog
StepSecurity Harden-Runner now protects 9,000+ open-source projects, delivering real-time CI/CD runtime security and defending pipelines against modern supply chain attacks.
7ヶ月前

Shai-Hulud: Self-Replicating Worm Compromises 500+ NPM Packages
Step Security Blog
The Shai-Hulud worm has infected over 500 NPM packages including @ctrl/tinycolor in an unprecedented self-propagating supply chain attack. The malware harvests AWS/GCP/Azure credentials using TruffleHog, establishes persistence through GitHub Actions backdoors, and automatically spreads to other maintainer packages - marking the first successful worm attack in the NPM ecosystem.
7ヶ月前

Introducing npm Package Search: Find Where Any Package Was Introduced Across Your GitHub Organizations
Step Security Blog
Instantly trace any npm package to its origin—across every repository, pull request, and contributor—with StepSecurity’s NPM Package Search.
8ヶ月前

StepSecurity Is Sponsoring GitHub Universe 2025
Step Security Blog
We’re thrilled to announce that we are sponsoring GitHub Universe 2025 as a Bronze Sponsor — our very first booth at a major conference!
9ヶ月前

s1ngularity: Popular Nx Build System Package Compromised with Data-Stealing Malware
Step Security Blog
s1ngularity attack hijacked Nx package on npm to steal cryptocurrency wallets, GitHub/npm tokens, SSH keys, and environment secrets - the first documented case of malware weaponizing AI CLI tools for reconnaissance and data exfiltration.
9ヶ月前

Introducing StepSecurity Threat Intelligence: Real-Time Supply Chain Attack Alerts for Your SIEM
Step Security Blog
Protect your software supply chain with StepSecurity Threat Intelligence. Get real-time alerts on compromised packages, seamless SIEM integration, and actionable intelligence to reduce MTTD and MTTR.
10ヶ月前

8,000 Strong: Harden-Runner's Growing Impact on CI/CD Security
Step Security Blog
StepSecurity’s Harden-Runner now protects 8,000+ repositories with EDR-style runtime monitoring for CI/CD pipelines, stopping supply chain attacks and securing GitHub Actions.
10ヶ月前

Securing Google Gemini in GitHub Actions with Harden-Runner
Step Security Blog
Learn how to secure Google Gemini in GitHub Actions with Harden-Runner, combining observability with runtime monitoring for CI/CD security
10ヶ月前