🦜 Step Security Blog
@www.stepsecurity.io@rss-parrot.net
The latest from StepSecurity — practical guidance, product updates, and threat insights to help secure your CI/CD pipelines and stay ahead of supply chain attacks
Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked — 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Scope
https://www.stepsecurity.io/blog/shai-hulud-worm-pivots-to-multi-cloud-intercom-client-hijacked
Published: April 30, 2026 16:05
Twenty-nine hours after mbt@1.2.48 and @cap-js/sqlite@2.2.2 were compromised by the Shai-Hulud worm, a third major npm package has fallen: intercom-client@7.0.4, the official Node.js SDK for the Intercom customer messaging platform, with 361,510 weekly…
lightning: Obfuscated JavaScript Credential Stealer Bundled in PyPI Wheel
https://www.stepsecurity.io/blog/lightning-obfuscated-javascript-credential-stealer-bundled-in-pypi-wheel
Published: April 30, 2026 15:56
On April 30, 2026, a supply chain compromise was identified in the lightning PyPI package — versions 2.6.2 and 2.6.3. The project’s GitHub account shows signs of compromise, with issues reporting the attack closed rapidly by suspicious responses.
A Mini Shai-Hulud has Appeared: Obfuscated Bun Runtime Payloads Hit SAP-Related npm Packages
https://www.stepsecurity.io/blog/a-mini-shai-hulud-has-appeared
Published: April 29, 2026 17:17
StepSecurity has detected a new npm supply chain attack campaign using preinstall hooks to download the Bun JavaScript runtime and execute an 11 MB obfuscated payload. At least two SAP-ecosystem packages are confirmed compromised so far.
elementary-data Compromised on PyPI and GHCR: Forged Release Pushed via GitHub Actions Script Injection
https://www.stepsecurity.io/blog/elementary-data-compromised-on-pypi-and-ghcr-forged-release-pushed-via-github-actions-script-injection
Published: April 25, 2026 18:40
A malicious version of elementary-data (0.23.3) was published to PyPI and is, at the time of writing, still listed as the latest release. The same release run also pushed a multi-arch container image to GitHub Container Registry at…
Bitwarden CLI Hijacked on npm: Bun-Staged Credential Stealer Targets Developers, GitHub Actions, and AI Tools
https://www.stepsecurity.io/blog/bitwarden-cli-hijacked-on-npm-bun-staged-credential-stealer-targets-developers-github-actions-and-ai-tools
Published: April 24, 2026 09:52
@bitwarden/cli@2026.4.0 — the official command-line interface for the Bitwarden password manager — was found compromised on npm. A malicious preinstall hook silently bootstraps the Bun JavaScript runtime and launches a 9.7 MB obfuscated credential stealer…
TeamPCP Injects Two-Stage Credential Stealer into xinference PyPI Package
https://www.stepsecurity.io/blog/teampcp-injects-two-stage-credential-stealer-into-xinference-pypi-package
Published: April 23, 2026 19:04
xinference
CanisterSprawl: pgserve Compromised on npm: Malicious Versions Harvest Credentials and Exfiltrate to a Decentralized ICP Canister
https://www.stepsecurity.io/blog/pgserve-compromised-on-npm-malicious-versions-harvest-credentials
Published: April 22, 2026 12:26
On April 21, 2026, malicious versions of pgserve were published to npm. pgserve is an embedded PostgreSQL server for development — zero config, auto-provisioned databases, designed to be dropped into any Node.js project. The compromised versions (1.1.11,…
Announcing Dependabot Configuration Enhancements: Cooldown and Group Support
https://www.stepsecurity.io/blog/announcing-dependabot-configuration-enhancements-cooldown-and-group-support
Published: April 16, 2026 13:53
StepSecurity adds cooldown and group support for Dependabot configuration, giving teams control over update frequency and PR batching across npm, pip, Docker, and GitHub Actions. Reduce alert fatigue. Merge more patches. Strengthen your supply chain.
Securing Vibe Coding and AI Coding Agents: An End-to-End Approach with StepSecurity
https://www.stepsecurity.io/blog/securing-vibe-coding-and-ai-coding-agents-an-end-to-end-approach-with-stepsecurity
Published: April 12, 2026 13:54
AI coding agents install packages, create pull requests, push commits, and run autonomously in CI/CD pipelines. Here's how to secure every stage of that workflow
Introducing StepSecurity Dev Machine Guard: Protecting Developer Machines from Supply Chain Attacks
https://www.stepsecurity.io/blog/introducing-stepsecurity-developer-mdm-protecting-developer-machines-from-supply-chain-attacks
Published: April 12, 2026 13:54
Modern supply chain attacks target developer machines and AI coding agents. Learn how StepSecurity Dev Machine Guard stops credential theft early
Top 2024 Predictions for CI/CD Security
https://www.stepsecurity.io/blog/top-2024-predictions-for-ci-cd-security
Published: April 12, 2026 13:54
Explore key CI/CD security trends for 2024, including shifts to modern platforms, third-party component risks, rising security incidents, and the growing need for secure pipelines. Learn how to protect your organization from evolving threats in the CI/CD…
10 Layers Deep: How StepSecurity Stops TeamPCP's Trivy Supply Chain Attack on GitHub Actions
https://www.stepsecurity.io/blog/10-layers-deep-how-stepsecurity-stops-teampcps-trivy-supply-chain-attack-on-github-actions
Published: April 9, 2026 19:11
TeamPCP weaponized 76 Trivy version tags overnight. The KICS attack followed the same playbook days later. One security control is not enough. Here is how the StepSecurity platform's ten independent security layers work together to prevent credential…
axios Compromised on npm - Malicious Versions Drop Remote Access Trojan
https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
Published: April 9, 2026 19:11
Hijacked maintainer account used to publish poisoned axios releases, including 1.14.1 and 0.30.4. The attacker injected a hidden dependency that drops a cross-platform RAT. We are actively investigating and will update this post with a full technical…
Dev Machine Guard Is Now Open Source: See What's Really Running on Your Developer Machine
https://www.stepsecurity.io/blog/dev-machine-guard-is-now-open-source-see-whats-really-running-on-your-developer-machine
Published: April 9, 2026 19:11
Your developer machine is running AI agents, MCP servers, IDE extensions, and hundreds of packages. Do you know which ones? Now there's a free, open-source way to find out.
Behind the Scenes: How StepSecurity Detected and Helped Remediate the Largest npm Supply Chain Attack
https://www.stepsecurity.io/blog/behind-the-scenes-how-stepsecurity-detected-and-helped-remediate-the-largest-npm-supply-chain-attack
Published: April 9, 2026 19:11
StepSecurity's AI Package Analyst and Harden-Runner detected the compromise of axios, the largest npm supply chain attack on a single package by download count, before any public disclosure existed. What followed was a race against a state-sponsored threat…
@velora-dex/sdk Compromised on npm: Malicious Version Drops macOS Backdoor via launchctl Persistence
https://www.stepsecurity.io/blog/velora-dex-sdk-compromised-on-npm-malicious-version-drops-macos-backdoor-via-launchctl-persistence
Published: April 9, 2026 19:11
A registry-only supply chain attack on @velora-dex/sdk delivers an architecture-aware macOS backdoor that fires the moment your code imports the package. No install hooks, no repo commits, no visible output.
StepSecurity’s Unified Protection Across the SDLC Infrastructure Threat Framework (SITF)
https://www.stepsecurity.io/blog/stepsecuritys-unified-protection-across-the-sdlc-infrastructure-threat-framework-sitf
Published: April 9, 2026 19:11
How StepSecurity delivers real-world protection across all critical pillars identified in Wiz's SDLC Infrastructure Threat Framework (SITF)
hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far
https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation
Published: April 9, 2026 19:11
A week-long automated attack campaign targeted CI/CD pipelines across major open source repositories, achieving remote code execution in at least 4 out of 5 targets. The attacker, an autonomous bot called hackerbot-claw, used 5 different exploitation…
Cline Supply Chain Attack Detected: cline@2.3.0 Silently Installs OpenClaw
https://www.stepsecurity.io/blog/cline-supply-chain-attack-detected-cline-2-3-0-silently-installs-openclaw
Published: April 9, 2026 19:11
cline@2.3.0
Datadog's DevSecOps 2026 Report Validates What We've Been Building
https://www.stepsecurity.io/blog/datadogs-devsecops-2026-report-validates-what-weve-been-building
Published: April 9, 2026 19:11
Datadog's State of DevSecOps 2026 report confirms what StepSecurity has been warning about for years: CI/CD pipelines and GitHub Actions are prime targets for supply chain attacks. Learn how StepSecurity's platform directly mitigates every major risk…
TeamPCP Plants WAV Steganography Credential Stealer in telnyx PyPI Package
https://www.stepsecurity.io/blog/teampcp-plants-wav-steganography-credential-stealer-in-telnyx-pypi-package
Published: April 2, 2026 06:43
On March 27, 2026, TeamPCP injected a WAV steganography-based credential stealer into two releases of the telnyx Python SDK on PyPI. The issue was disclosed in team-telnyx/telnyx-python#235. TeamPCP is the same group behind the litellm supply chain…
Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor
https://www.stepsecurity.io/blog/malicious-iolitelabs-vscode-extensions-target-solidity-developers-on-windows-macos-and-linux-with-backdoor
Published: April 2, 2026 06:43
A supply chain attack targeting Solidity and Web3 developers has been discovered across three IoliteLabs VSCode extensions (solidity-macos, solidity-windows, and solidity-linux) embedding obfuscated backdoors that download remote payloads and establish…
litellm: Credential Stealer Hidden in PyPI Wheel
https://www.stepsecurity.io/blog/litellm-credential-stealer-hidden-in-pypi-wheel
Published: March 28, 2026 10:03
On March 24, 2026, a critical supply chain compromise was identified in litellm==1.82.8: the PyPI package contains a malicious litellm_init.pth file
ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push
https://www.stepsecurity.io/blog/forcememo-hundreds-of-github-python-repos-compromised-via-account-takeover-and-force-push
Published: March 26, 2026 19:09
The StepSecurity threat intelligence team was the first to discover and report on an ongoing campaign — which we are tracking as ForceMemo — in which an attacker is compromising hundreds of GitHub accounts and injecting identical malware into hundreds of…
Trivy Compromised a Second Time - Malicious v0.69.4 Release, aquasecurity/setup-trivy, aquasecurity/trivy-action GitHub Actions Compromised
https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release
Published: March 26, 2026 19:09
On March 19, 2026, trivy — a widely used open source vulnerability scanner maintained by Aqua Security — experienced a second security incident. Three weeks after the hackerbot-claw incident on February 28 that resulted in a repository takeover, a new…
bittensor-wallet 4.0.2 Compromised on PyPI - Backdoor Exfiltrates Private Keys
https://www.stepsecurity.io/blog/bittensor-wallet-4-0-2-compromised-on-pypi---backdoor-exfiltrates-private-keys
Published: March 26, 2026 19:09
On March 17, 2026, bittensor-wallet 4.0.2 was identified as a compromised PyPI package. The malicious release had been live on PyPI for approximately 48 hours before being yanked. This post is a ground-up technical breakdown based on a direct diff of the…
xygeni-action Compromised: C2 Reverse Shell Backdoor Injected via Tag Poisoning
https://www.stepsecurity.io/blog/xygeni-action-compromised-c2-reverse-shell-backdoor-injected-via-tag-poisoning
Published: March 26, 2026 19:09
The official Xygeni GitHub Action (xygeni-action) was compromised on March 3, 2026, when an attacker using stolen maintainer credentials injected a full C2 reverse shell backdoor and silently moved the mutable v5 tag to the malicious commit - affecting all…
Checkmarx KICS GitHub Action Compromised: Malware Injected in All Git Tags
https://www.stepsecurity.io/blog/checkmarx-kics-github-action-compromised-malware-injected-in-all-git-tags
Published: March 26, 2026 19:09
All release tags in the Checkmarx/kics-github-action repository have been compromised with an infostealer payload. If you are using this Action pinned to any version tag, treat your CI/CD secrets as compromised and rotate immediately.
CanisterWorm: How a Self-Propagating npm Worm Is Spreading Backdoors Across the Ecosystem
https://www.stepsecurity.io/blog/canisterworm-how-a-self-propagating-npm-worm-is-spreading-backdoors-across-the-ecosystem
Published: March 26, 2026 19:09
Following Trivy's compromise, StepSecurity's AI Package Analyst flagged suspicious new releases across multiple npm scopes — revealing CanisterWorm, a self-propagating npm worm deployed by the TeamPCP threat actor. The worm is a direct continuation of the…
Malicious npm Releases Found in Popular React Native Packages - 130K+ Monthly Downloads Compromised
https://www.stepsecurity.io/blog/malicious-npm-releases-found-in-popular-react-native-packages---130k-monthly-downloads-compromised
Published: March 26, 2026 19:09
On March 16, 2026, StepSecurity Threat Intel was the first to detect and report malicious releases in two popular React Native npm packages — react-native-international-phone-number and react-native-country-select. StepSecurity's AI Package Analyst flagged…
Malicious Polymarket Bot Hides in Hijacked dev-protocol GitHub Org and Steals Wallet Keys
https://www.stepsecurity.io/blog/malicious-polymarket-bot-hides-in-hijacked-dev-protocol-github-org-and-steals-wallet-keys
Published: March 26, 2026 19:09
The StepSecurity threat intelligence team discovered that dev-protocol — a verified GitHub organization with 568 followers belonging to a legitimate Japanese DeFi project — has been hijacked and is now being used to distribute malicious Polymarket trading…
kubernetes-el Compromised: How a Pwn Request Exploited a Popular Emacs Package
https://www.stepsecurity.io/blog/kubernetes-el-compromised-how-a-pwn-request-exploited-a-popular-emacs-package
Published: March 11, 2026 10:04
On March 5, 2026, a threat actor exploited a classic "Pwn Request" vulnerability in the CI workflow of kubernetes-el/kubernetes-el, a popular Emacs package for managing Kubernetes clusters. The attacker stole the repository's GITHUB_TOKEN (with full write…
Harden Runner Now Supports Windows and macOS GitHub Actions Runners
https://www.stepsecurity.io/blog/harden-runner-now-supports-windows-and-macos-github-actions-runners
Published: March 1, 2026 09:05
Harden Runner now supports Windows and macOS GitHub Actions runners, delivering EDR-level runtime security across Linux, Windows, and macOS CI/CD pipelines
How StepSecurity Caught a Release Storm in Microsoft’s @types Packages
https://www.stepsecurity.io/blog/how-stepsecurity-caught-a-release-storm-in-microsofts-types-packages
Published: March 1, 2026 09:05
StepSecurity AI Package Analyst detected 70+ ghost releases across npm's most trusted TypeScript packages.
Celebrating 1000 Repositories Secured with Harden Runner: A Journey of Growth and Collaboration
https://www.stepsecurity.io/blog/celebrating-1000-repositories-secured-with-harden-runner-a-journey-of-growth-and-collaboration
Published: February 15, 2026 19:08
StepSecurity Harden-Runner has secured 1,000+ repositories! Celebrate this milestone with us as we reflect on our journey of growth, collaboration, and commitment to enhancing CI/CD security.
20+ Popular NPM Packages Compromised (Chalk, Debug, Strip-ANSI, Color-Convert, Wrap-ANSI...)
https://www.stepsecurity.io/blog/20-popular-npm-packages-compromised-chalk-debug-strip-ansi-color-convert-wrap-ansi
Published: February 15, 2026 19:08
Massive NPM supply chain attack targets cryptocurrency users through compromised maintainer account - affecting packages downloaded billions of times weekly including debug, chalk, ansi-styles, color-convert, strip-ansi and 15+ other critical JavaScript…
2024 in Review: The Evolution of CI/CD Security & What's Next
https://www.stepsecurity.io/blog/2024-in-review-the-evolution-of-ci-cd-security-whats-next
Published: February 15, 2026 19:08
Discover the key developments in CI/CD security in 2024, including major incidents, real-world case studies, and emerging trends for 2025. Learn how StepSecurity is driving innovation to secure CI/CD pipelines with proactive solutions.
10,000 Open-Source Projects Now Secured by Harden-Runner Community-Tier: A Milestone Three Years in the Making
https://www.stepsecurity.io/blog/10-000-open-source-projects-now-secured-by-harden-runner-community-tier-a-milestone-three-years-in-the-making
Published: February 15, 2026 19:08
From 5,000 to 10,000 in just one year: How Harden-Runner doubled its reach and became the standard for CI/CD runtime security
How to Use Docker in Actions Runner Controller (ARC) Runners Securely
https://www.stepsecurity.io/blog/how-to-use-docker-in-actions-runner-controller-runners-securelly
Published: February 15, 2026 19:08
Discover best practices for using Docker in Actions Runner Controller (ARC) runners securely. Learn how to implement network egress filtering and runtime security to protect your CI/CD pipelines effectively.
StepSecurity's Catalog of Fixes
https://www.stepsecurity.io/blog/stepsecuritys-catalog-of-fixes
Published: February 11, 2026 06:29
Explore StepSecurity's Catalog of Fixes, a comprehensive resource to help developers automate security fixes in GitHub Actions workflows. Learn how to improve CI/CD security with actionable solutions.
Orchestrating Security: StepSecurity's Impact on 400+ Repositories and Future Plans
https://www.stepsecurity.io/blog/orchestrating-security-stepsecuritys-impact-on-400-repositories-and-future-plans
Published: February 11, 2026 06:29
StepSecurity has secured over 400 repositories and is shaping the future of CI/CD security. Learn about our impact, key milestones, and upcoming plans to enhance GitHub Actions security.
Announcing General Availability of Harden Runner
https://www.stepsecurity.io/blog/announcing-general-availability-of-harden-runner
Published: February 11, 2026 06:29
StepSecurity announces the general availability of Harden-Runner! Discover how this powerful tool enhances CI/CD security by monitoring network egress, detecting anomalies, and automating GitHub Actions protection.
Milestone Achieved: 2500+ Public Repositories Secured with Harden-Runner
https://www.stepsecurity.io/blog/2500-public-repositories-secured-with-harden-runner
Published: February 11, 2026 06:29
StepSecurity Harden-Runner has secured 2,500+ public repositories! Learn how this milestone reflects the growing trust in CI/CD security solutions to protect GitHub Actions workflows and prevent supply chain attacks.
Harden-Runner detection: tj-actions/changed-files action is compromised
https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
Published: February 11, 2026 06:29
tj-actions/changed-files
StepSecurity Detects Early Supply Chain Risk Signals in kilocode npm
https://www.stepsecurity.io/blog/stepsecurity-detects-early-supply-chain-risk-signals-in-kilocode-npm
Published: February 11, 2026 06:29
StepSecurity detected early supply chain risk signals in a legitimate kilocode npm release, showing how small behavior changes can quietly weaken trust before attacks happen
Announcing GitHub Actions Advisor and StepSecurity Maintained Actions
https://www.stepsecurity.io/blog/announcing-github-actions-advisor-and-stepsecurity-maintained-actions
Published: February 11, 2026 06:29
Introducing GitHub Actions Advisor and StepSecurity-maintained Actions! Learn how these tools help developers enhance GitHub Actions security, manage third-party risks, and ensure workflow compliance effortlessly.
Analysis of Backdoored XZ Utils Build Process with Harden-Runner
https://www.stepsecurity.io/blog/analysis-of-backdoored-xz-utils-build-process-with-harden-runner
Published: February 11, 2026 06:29
Explore an in-depth analysis of the backdoored XZ Utils build process using StepSecurity Harden-Runner. Learn how real-time monitoring detected malicious activity and safeguarded CI/CD pipelines from supply chain attacks.
Announcing Anomalous Outbound Call Detection Using Machine Learning
https://www.stepsecurity.io/blog/announcing-anomalous-outbound-call-detection-using-machine-learning
Published: February 11, 2026 06:29
StepSecurity introduces anomalous outbound call detection using machine learning! Learn how this feature enhances CI/CD security by identifying and mitigating suspicious network activities in real-time.
anthropics/claude-code-action Security: How to Secure Claude Code in GitHub Actions with Harden-Runner
https://www.stepsecurity.io/blog/anthropics-claude-code-action-security-how-to-secure-claude-code-in-github-actions-with-harden-runner
Published: February 11, 2026 06:29
Unlike GitHub Copilot's built-in network firewall, anthropics/claude-code-action GitHub action operates in GitHub Actions without network restrictions by default. Complete guide to implementing Claude Code in GitHub Actions with runtime security monitoring…
Another npm Supply Chain Attack: The 'is' Package Compromise
https://www.stepsecurity.io/blog/another-npm-supply-chain-attack-the-is-package-compromise
Published: February 11, 2026 06:29
npm 'is' package versions 3.3.1 and 5.0.0 compromised - critical utility with millions of weekly downloads falls victim to expanding phishing campaign
Build secretless CI/CD pipelines using wait-for-secrets
https://www.stepsecurity.io/blog/build-secretless-ci-cd-pipelines-using-wait-for-secrets
Published: February 10, 2026 08:17
Learn how to build secure, secretless CI/CD pipelines using the "Wait for Secrets" approach by StepSecurity. Discover how to reduce secret exposure risks and enhance GitHub Actions security.
Introducing Apps & PATs: Centralized Visibility for GitHub Apps and Personal Access Tokens
https://www.stepsecurity.io/blog/introducing-apps-pats-centralized-visibility-for-github-apps-and-personal-access-tokens
Published: January 29, 2026 18:12
Get visibility into GitHub Apps, fine-grained PATs, and classic PATs across all your organizations in one dashboard
CVE-2026-22709: Critical Sandbox Escape Vulnerability in vm2
https://www.stepsecurity.io/blog/cve-2026-22709-critical-sandbox-escape-vulnerability-in-vm2
Published: January 29, 2026 18:12
CVE-2026-22709; vm2
StepSecurity Now Supports Dark Mode
https://www.stepsecurity.io/blog/stepsecurity-now-supports-dark-mode
Published: January 22, 2026 21:04
StepSecurity now supports dark mode for a more comfortable security investigation experience. Reduce eye strain and stay focused during long CI/CD analysis sessions
2025 in Review: The Evolution of Supply Chain Security & What's Next
https://www.stepsecurity.io/blog/2025-in-review-the-evolution-of-supply-chain-security-whats-next
Published: January 6, 2026 17:29
How StepSecurity achieved 5X ARR growth for the second year in a row while securing over 10,000 open-source repositories in 2025
Bake Harden-Runner Into GitHub's Custom Runner Images for Organization-Wide CI/CD Security
https://www.stepsecurity.io/blog/bake-harden-runner-into-githubs-custom-runner-images-for-organization-wide-ci-cd-security
Published: December 16, 2025 13:56
GitHub's new custom runner images let you embed Harden-Runner directly into your infrastructure, providing automatic runtime protection across all workflows without modifying a single workflow file
Sha1-Hulud: The Second Coming - Zapier, ENS Domains, and Other Prominent NPM Packages Compromised
https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
Published: December 15, 2025 18:06
Sha1-Hulud: The Second Coming
Critical Remote Code Execution Vulnerabilities Discovered in React Server Components and Next.js
https://www.stepsecurity.io/blog/critical-remote-code-execution-vulnerabilities-discovered-in-react-server-components-and-next-js
Published: December 15, 2025 18:06
CVE-2025-55182;CVE-2025-66478;reactjs;nextjs
Supply Chain Security Alert: eslint-config-prettier Package Shows Signs of Compromise
https://www.stepsecurity.io/blog/supply-chain-security-alert-eslint-config-prettier-package-shows-signs-of-compromise
Published: December 15, 2025 18:06
We are currently investigating a potential supply chain security incident involving the eslint-config-prettier npm package. This widely-used package, which helps developers maintain consistent code formatting by turning off ESLint rules that conflict with…
StepSecurity Is Now Available on Azure Marketplace
https://www.stepsecurity.io/blog/stepsecurity-is-now-available-on-azure-marketplace
Published: December 15, 2025 18:06
The StepSecurity App is now available on Azure Marketplace—simplifying procurement, deployment, and CI/CD security in one place.
How Harden Runner Detected the Sha1-Hulud Supply Chain Attack in CNCF's Backstage Repository
https://www.stepsecurity.io/blog/how-harden-runner-detected-the-sha1-hulud-supply-chain-attack-in-cncfs-backstage-repository
Published: December 15, 2025 18:06
A case study on detecting npm supply chain attacks through runtime monitoring and baseline anomaly detection
Shai-Hulud: Self-Replicating Worm Compromises 500+ NPM Packages
https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised
Published: November 23, 2025 12:53
The Shai-Hulud worm has infected over 500 NPM packages including @ctrl/tinycolor in an unprecedented self-propagating supply chain attack. The malware harvests AWS/GCP/Azure credentials using TruffleHog, establishes persistence through GitHub Actions…
9,000 Open-Source Projects Now Secured by Harden-Runner
https://www.stepsecurity.io/blog/9-000-open-source-projects-now-secured-by-harden-runner
Published: November 23, 2025 12:53
StepSecurity Harden-Runner now protects 9,000+ open-source projects, delivering real-time CI/CD runtime security and defending pipelines against modern supply chain attacks.
Introducing npm Package Search: Find Where Any Package Was Introduced Across Your GitHub Organizations
https://www.stepsecurity.io/blog/introducing-npm-package-search-find-where-any-package-was-introduced-across-your-github-organizations
Published: November 17, 2025 16:01
Instantly trace any npm package to its origin—across every repository, pull request, and contributor—with StepSecurity’s NPM Package Search.
StepSecurity Is Sponsoring GitHub Universe 2025
https://www.stepsecurity.io/blog/stepsecurity-is-sponsoring-github-universe-2025
Published: October 8, 2025 16:59
We’re thrilled to announce that we are sponsoring GitHub Universe 2025 as a Bronze Sponsor — our very first booth at a major conference!
s1ngularity: Popular Nx Build System Package Compromised with Data-Stealing Malware
https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware
Published: September 23, 2025 18:02
s1ngularity attack hijacked Nx package on npm to steal cryptocurrency wallets, GitHub/npm tokens, SSH keys, and environment secrets - the first documented case of malware weaponizing AI CLI tools for reconnaissance and data exfiltration.
Securing Google Gemini in GitHub Actions with Harden-Runner
https://www.stepsecurity.io/blog/securing-google-gemini-in-github-actions-with-harden-runner
Published: September 19, 2025 14:12
Learn how to secure Google Gemini in GitHub Actions with Harden-Runner, combining observability with runtime monitoring for CI/CD security
Introducing StepSecurity Threat Intelligence: Real-Time Supply Chain Attack Alerts for Your SIEM
https://www.stepsecurity.io/blog/introducing-stepsecurity-threat-intelligence-real-time-supply-chain-attack-alerts-for-your-siem
Published: September 19, 2025 14:12
Protect your software supply chain with StepSecurity Threat Intelligence. Get real-time alerts on compromised packages, seamless SIEM integration, and actionable intelligence to reduce MTTD and MTTR.
GhostAction Campaign: Over 3,000 Secrets Stolen Through Malicious GitHub Workflows
https://www.stepsecurity.io/blog/ghostaction-campaign-over-3-000-secrets-stolen-through-malicious-github-workflows
Published: September 19, 2025 14:12
GitGuardian researchers discover massive supply chain attack affecting 817 repositories across 327 GitHub users. Malicious workflows exfiltrated 3,325 secrets including PyPI, npm, and DockerHub tokens through compromised developer accounts.
8,000 Strong: Harden-Runner's Growing Impact on CI/CD Security
https://www.stepsecurity.io/blog/8-000-harden-runners-growing-impact-on-ci-cd-security
Published: September 19, 2025 14:12
StepSecurity’s Harden-Runner now protects 8,000+ repositories with EDR-style runtime monitoring for CI/CD pipelines, stopping supply chain attacks and securing GitHub Actions.
Introducing the NPM Package Cooldown Check
https://www.stepsecurity.io/blog/introducing-the-npm-package-cooldown-check
Published: September 8, 2025 17:30
We’re excited to announce the release of our NPM Package Cooldown Check, which helps teams block newly released, potentially compromised dependencies, while still allowing emergency fixes and integrating seamlessly into GitHub workflows
Securing GitHub Copilot in GitHub Actions with Harden-Runner
https://www.stepsecurity.io/blog/securing-github-copilot-in-github-actions-with-harden-runner
Published: September 8, 2025 17:30
Secure GitHub Copilot in CI/CD with StepSecurity Harden-Runner. Gain runtime visibility, block threats, and achieve true defense-in-depth.
Calculate Your CI/CD Security ROI with StepSecurity's New ROI Calculator
https://www.stepsecurity.io/blog/calculate-your-ci-cd-security-roi-with-stepsecuritys-new-roi-calculator
Published: September 8, 2025 16:44
The ROI Calculator provides instant visibility into your GitHub Actions security gaps and quantifies the value of addressing them.
How StepSecurity Harden Runner Detected Unexpected Microsoft Defender Installation on GitHub-hosted Ubuntu Runners
https://www.stepsecurity.io/blog/how-stepsecurity-harden-runner-detected-unexpected-microsoft-defender-installation-on-github-hosted-ubuntu-runners
Published: September 4, 2025 18:20
Microsoft Defender was unexpectedly installed on multiple workflow runs from mid-July through mid-August, causing abnormal network traffic. StepSecurity Harden Runner detected this infrastructure anomaly within hours, and GitHub Support has since resolved…
StepSecurity Harden Runner: Detect source code tampering during the build process
https://www.stepsecurity.io/blog/stepsecurity-harden-runner-detect-source-code-tampering-during-the-build-process
Published: August 27, 2025 05:28
Learn how StepSecurity Harden-Runner detects source code tampering during the build process. Discover how real-time monitoring enhances CI/CD security by preventing unauthorized code modifications.
When 'Changed Files' Changed Everything: Our Black Hat 2025 Presentation on the tj-actions Supply Chain Breach
https://www.stepsecurity.io/blog/when-changed-files-changed-everything-our-black-hat-2025-presentation-on-the-tj-actions-supply-chain-breach
Published: August 15, 2025 21:01
We reveal how baseline-driven monitoring caught one of 2025's most consequential CI/CD supply chain attacks, exposing the vulnerability of 23,000+ repositories including those from GitHub, Meta, and Microsoft.
Suspicious Tag Movement in AWS’s GitHub Action: What Happened and Why It Matters
https://www.stepsecurity.io/blog/suspicious-tag-movement-in-aws-github-action
Published: August 15, 2025 21:01
How an AWS release rollback triggered the same red flags as a supply chain attack — and why treating every tag movement as suspicious is key to protecting your CI/CD pipelines
Supply Chain Security Alert: num2words PyPI Package Shows Signs of Compromise
https://www.stepsecurity.io/blog/supply-chain-security-alert-num2words-pypi-package-shows-signs-of-compromise
Published: August 9, 2025 16:59
Popular Python Package num2words v0.5.15 Published Without Repository Tag, Linked to Known Threat Actor
8 GitHub Actions Secrets Management Best Practices to Follow
https://www.stepsecurity.io/blog/github-actions-secrets-management-best-practices
Published: August 9, 2025 16:59
Discover GitHub Actions secrets management best practices to protect sensitive information in your CI/CD pipelines. Learn how to securely store, use, and manage secrets with actionable tips from StepSecurity.
When AI Meets CI/CD: Coding Agents in GitHub Actions Pose Hidden Security Risks
https://www.stepsecurity.io/blog/when-ai-meets-ci-cd-coding-agents-in-github-actions-pose-hidden-security-risks
Published: August 9, 2025 16:59
As organizations integrate AI coding agents into their development pipelines, new security considerations emerge. While these tools accelerate development, they require thoughtful security approaches to protect against novel attack vectors like Rules File…
The GitHub Warning Everyone Ignores: 'This Commit Does Not Belong to Any Branch'
https://www.stepsecurity.io/blog/the-github-warning-everyone-ignores-this-commit-does-not-belong-to-any-branch
Published: August 9, 2025 16:59
Several popular GitHub Actions have release processes where the release commit does not belong to any branch on the action repository.
Lessons from AWS CodeBuild’s Memory-Dump Incident (CVE-2025-8217)
https://www.stepsecurity.io/blog/lessons-from-aws-codebuilds-memory-dump-incident-cve-2025-8217
Published: August 9, 2025 16:59
How threat actors exploited AWS CodeBuild pipelines by stealing secrets from CI/CD memory—and the proactive defenses organizations can deploy to detect, respond to, and prevent such attacks.
reviewdog GitHub Actions are compromised
https://www.stepsecurity.io/blog/reviewdog-github-actions-are-compromised
Published: July 8, 2025 18:04
Prevent Ultralytics Style CI/CD Security Attacks with Network Security Controls
https://www.stepsecurity.io/blog/prevent-ultralytics-style-ci-cd-security-attacks-with-network-security-controls
Published: July 8, 2025 09:03
Discover how a CI/CD vulnerability in Ultralytics' GitHub Actions was exploited to inject a cryptominer, exfiltrate secrets, and poison build caches. Learn how StepSecurity Harden-Runner detects and mitigates such threats with advanced runtime monitoring…
Announcing StepSecurity’s Integration with RunsOn: Secure and Optimized CI/CD Pipelines
https://www.stepsecurity.io/blog/announcing-stepsecuritys-integration-with-runson
Published: July 8, 2025 09:03
runson,stepsecurity
Replace Third-Party Actions with StepSecurity Maintained Actions via Automated Pull Requests
https://www.stepsecurity.io/blog/replace-third-party-actions-with-stepsecurity-maintained-actions-via-automated-pull-requests
Published: July 8, 2025 09:03
Policy Driven PRs now upgrade third-party Actions to StepSecurity Maintained versions across your entire organization
Introducing StepSecurity Artifact Monitor: Detect Unauthorized Software Releases in minutes, not months
https://www.stepsecurity.io/blog/introducing-stepsecurity-artifact-monitor-detect-unauthorized-software-releases-in-minutes-not-months
Published: July 8, 2025 09:03
StepSecurity Artifact Monitoring continuously watches your artifact registries to verify every release follows your approved CI/CD process. When attackers bypass your secure pipeline using compromised credentials, you'll know within minutes instead of…
GitHub Actions Pwn Request Vulnerability
https://www.stepsecurity.io/blog/github-actions-pwn-request-vulnerability
Published: July 8, 2025 09:03
Learn about the 'Pwn Request' vulnerability in GitHub Actions, its risks, and how to secure workflows from exploitation. Discover best practices and tools like StepSecurity to protect against CI/CD threats.
Unified Network Egress View: Centralize GitHub Actions Network Destinations for Your Enterprise
https://www.stepsecurity.io/blog/unified-network-egress-view-centralize-github-actions-network-destinations-for-your-enterprise
Published: July 8, 2025 09:03
Discover StepSecurity’s Unified Network Egress View for GitHub Actions. Learn how to centralize and monitor network destinations across your enterprise to enhance CI/CD security and prevent data exfiltration.
Announcing Policy-Driven Automated Pull Requests for CI/CD Misconfiguration Remediation
https://www.stepsecurity.io/blog/announcing-policy-driven-automated-pull-requests-for-ci-cd-misconfiguration-remediation
Published: July 8, 2025 09:03
Grafana GitHub Actions Security Incident
https://www.stepsecurity.io/blog/grafana-github-actions-security-incident
Published: July 8, 2025 09:03
On Saturday, April 26, 2025, Grafana Labs disclosed that an unauthorized user leveraged a vulnerability in a GitHub Actions workflow within a public Grafana Labs repository. This led to the exposure of a small number of secrets. Grafana Labs stated that…
Harden-Runner Detects New Traffic to release-assets.githubusercontent.com Across Multiple Customers
https://www.stepsecurity.io/blog/harden-runner-detects-new-traffic-to-release-assets-githubusercontent-com-across-multiple-customers
Published: July 8, 2025 09:03
StepSecurity's Harden-Runner detected unexpected traffic to release-assets.githubusercontent.com across multiple GitHub Actions workflows, prompting a swift investigation. Learn how baseline monitoring caught this change, why it matters for CI/CD security,…
Why Compliance Auditors Are Looking at Your CI/CD Runners - And How to Prepare
https://www.stepsecurity.io/blog/why-compliance-auditors-are-looking-at-your-ci-cd-runners-and-how-to-prepare
Published: July 8, 2025 09:03
CI/CD runners are a critical but often overlooked security risk. Learn how unmonitored runners can expose your pipelines to supply chain attacks and compliance gaps (PCI-DSS, SOC 2, HIPAA, ISO 27001). Discover how StepSecurity Harden-Runner enhances CI/CD…
Secure Repo Just Got Better: New Features for GitHub Actions Security Best Practices
https://www.stepsecurity.io/blog/new-features-for-github-actions-security-best-practices
Published: July 8, 2025 09:03
GitHub Actions Security
7,000 Open-Source Projects Now Secured by Harden-Runner
https://www.stepsecurity.io/blog/7-000-open-source-projects-now-secured-by-harden-runner-
Published: July 8, 2025 09:03
StepSecurity’s Harden-Runner now protects over 7,000 GitHub repositories with real-time CI/CD runtime monitoring, threat detection, and supply chain security enforcement—backed by features like impostor commit alerts, process-based detections, and GitLab…
StepSecurity Harden-Runner Now Secures GitHub Actions Workflows for Over 5,000 Open Source Projects
https://www.stepsecurity.io/blog/stepsecurity-harden-runner-secures-over-5-000-open-source-projects
Published: July 8, 2025 09:03
StepSecurity Harden-Runner secures over 5,000 open-source GitHub Actions workflows! Learn how it prevents CI/CD supply chain attacks, integrates with GitHub Checks, and provides real-time security insights.
Introducing Workflow Run Policies: Guardrails for Blocking Non-Compliant GitHub Actions Runs
https://www.stepsecurity.io/blog/introducing-workflow-run-policies-guardrails-for-blocking-non-compliant-github-actions-runs
Published: July 8, 2025 09:03
Workflow Run Policies enable you to block non-compliant GitHub Actions workflow runs, helping security and platform teams stop risky workflows before they execute
StepSecurity Is Now Available on AWS Marketplace
https://www.stepsecurity.io/blog/stepsecurity-is-now-available-on-aws-marketplace
Published: July 8, 2025 09:03
The StepSecurity App is now available on AWS Marketplace—simplifying procurement, deployment, and CI/CD security in one place
Evolving Harden-Runner’s disable-sudo Policy for Improved Runner Security
https://www.stepsecurity.io/blog/evolving-harden-runners-disable-sudo-policy-for-improved-runner-security
Published: July 8, 2025 09:03
harden-runner
PyTorch Supply Chain Compromise
https://www.stepsecurity.io/blog/pytorch-supply-chain-compromise
Published: July 8, 2025 09:03
Explore how a vulnerability in PyTorch's CI/CD pipeline exposed critical risks of self-hosted runners, enabling attacks on secrets, software releases, and cloud resources. Learn prevention strategies with StepSecurity's Harden Runner.