StepSecurity

🚨 Last week, North Korean state actors hijacked axios on npm. 300M+ weekly downloads. Turned into a remote access trojan. We just published the behind-the-scenes story of how we detected it, fought the threat actor in real time, and helped the community respond.

🚨 BREAKING: node-ipc compromised. Again. Three malicious versions of node-ipc (9.1.6, 9.2.3, 12.0.1) were published today carrying an identical credential-stealing payload. This package has 10M+ weekly downloads. Here's what happened: An attacker injected an 80KB obfuscated IIFE into the CommonJS bundle. It fires on every require('node-ipc') call. No special config needed, just importing the package is enough. What it steals: → AWS, Azure, GCP credentials → SSH private keys → Kubernetes configs → Docker tokens → GitHub CLI tokens → AI tool configs (including Claude) → Terraform state → 90+ credential file patterns in total Everything gets gzipped and exfiltrated to an attacker-controlled domain (sh[.]azurestaticprovider[.]net) via DNS TXT queries and HTTPS POST, designed to look like normal traffic. The attacker published across two major version lines simultaneously (9.x and 12.x) to maximize blast radius. Semver ranges like ^9, ~9.1.x, ~9.2.x, ^12, and ~12.0 all resolve to compromised versions automatically on the next install or lockfile refresh. Key details: Only the CommonJS bundle (node-ipc.cjs) is affected. ESM imports are clean. The 9.x releases are fabricated. The 9.x line never shipped a .cjs bundle before this attack. This is a different actor from the 2022 peacenotwar incident. Purely financial, credential-theft motivation. If you installed any of these versions, assume all secrets on that machine are compromised. Rotate everything. Our full technical breakdown covers the attack chain stage by stage, IOCs, and how to check if you're affected: stepsecurity.io/blog/node-ipc-…

🚨 ACTIVE INCIDENT: The Mini Shai-Hulud worm is back, and it just compromised dozens of official @tanstack npm packages This is the first documented self-spreading npm worm that carries valid SLSA provenance attestations. Let that sink in. Our OSS Package Security Feed detected the compromised releases and we're tracking the spread in real time. Here's what happened: The attacker staged an obfuscated 2.3 MB credential-stealing payload in a fork of TanStack/router, then used hijacked OIDC tokens to publish malicious versions through TanStack's own legitimate GitHub Actions release pipeline. The compromised packages include @tanstack/react-router, @tanstack/router-core, @tanstack/react-start, and 40+ other packages. Millions of weekly downloads across the ecosystem. If you installed any affected version in CI, assume all secrets in that environment are compromised. Rotate tokens immediately. Full technical analysis, IOCs, compromised version list, and recovery steps on our blog. The list of affected packages is still growing. stepsecurity.io/blog/mini-shai…

Our co-founders Varun Sharma and Ashish Kurmi are heading back to @Microsoft next week, this time as speakers at BlueHat Redmond. Both started their security careers at Microsoft, so it's a full-circle moment. If you'll be there, stop by and say hi!

🚨 A Mini Shai-Hulud has appeared. Your npm install just handed your credentials to an attacker. We detected a new supply chain campaign targeting SAP developer packages. It downloads Bun (not Node) to run an 11 MB obfuscated payload. Victim repos are being created on GitHub as we speak. Full breakdown: stepsecurity.io/blog/a-mini-sh…

The full behind-the-scenes story, the frantic evening, the deleted issues, the community rallying at midnight, is on our blog. Read it here: stepsecurity.io/blog/behind-th…

→ @karpathy shared our blog on X, calling it the "more comprehensive article" → @firaborjmshi featured our analysis. 624K+ views. → Hit #1 on Hacker News for hours

🚨 Last week, North Korean state actors hijacked axios on npm. 300M+ weekly downloads. Turned into a remote access trojan. We just published the behind-the-scenes story of how we detected it, fought the threat actor in real time, and helped the community respond.

🚨 @poweredbyClubs your dev-protocol GitHub org has been compromised. Attackers are distributing fake Polymarket bots that steal wallet private keys via typosquatted npm packages. Details: stepsecurity.io/blog/malicious…

Hackerbot-Claw: AI Bot Exploiting GitHub Actions – Microsoft, Datadog Hit So Far Full breakdown of the 5 attack techniques with evidence: stepsecurity.io/blog/hackerbot…

5/5 This is the second CI/CD supply chain attack detected by Harden-Runner in 2024. Earlier, it caught an exploit in Google’s open-source project, Flank. Check out the full case study and video of the Azure Karpenter project for all the details: stepsecurity.io/case-studies/a…

4/5 We’re honored to be recognized on Microsoft’s acknowledgment portal for our contribution to securing their online services. Following this exploit, the repository now uses Harden-Runner in block mode, preventing unauthorized outbound calls that aren't on the allowed list.🙌

1/5 All #GitHub Actions workflows in the @Microsoft Azure Karpenter Provider project have been secured with StepSecurity’s Harden-Runner since January 2024. Here's how Harden-Runner detected a potential supply chain attack in real-time. 👇

& ease of integrating third-party tools directly from the GitHub Actions Marketplace. 📢We've just published a blog post on migrating from Jenkins to #GitHub Actions. If you're considering making the switch, check out our latest blog: stepsecurity.io/blog/jenkins-t…

❗Several of our enterprise customers adopted StepSecurity when they were migrating from Jenkins to GitHub Actions. In our conversations, we’ve noticed many enterprises are making the move from #Jenkins to #GitHubActions for its streamlined workflows, robust #security features..

🛠️ Our latest blog post covers everything you need to know about pinning, like: ✅Why you need to pin GitHub Actions ✅Guide to manually pin GitHub Actions ✅Best practices for pinning ✅Challenges, solutions & tools for pinning ✅ Automatic pinning with StepSecurity

🔒 Did you know unpinned actions can lead to security risks in your GitHub workflows? Unpinned #GitHub Actions expose your workflows to vulnerabilities and #supplychainattacks.