Varun Sharma

🚨 A Mini Shai-Hulud has appeared. Your npm install just handed your credentials to an attacker. We detected a new supply chain campaign targeting SAP developer packages. It downloads Bun (not Node) to run an 11 MB obfuscated payload. Victim repos are being created on GitHub as we speak. Full breakdown: stepsecurity.io/blog/a-mini-sh…

🚨 Last week, North Korean state actors hijacked axios on npm. 300M+ weekly downloads. Turned into a remote access trojan. We just published the behind-the-scenes story of how we detected it, fought the threat actor in real time, and helped the community respond.

🚨 @poweredbyClubs your dev-protocol GitHub org has been compromised. Attackers are distributing fake Polymarket bots that steal wallet private keys via typosquatted npm packages. Details: stepsecurity.io/blog/malicious…

Live Analysis of Backdoored XZ Utils Build Process with StepSecurity Harden-Runner 📅Date & Time: May 22nd 2024, 9:30 am Pacific Time ➡️Register here: linkedin.com/events/7184238…

We're thrilled to announce @step_security joining OpenSSF! 👏 StepSecurity offers a platform that secures CI/CD infrastructure and pipelines against security attacks, trusted by over 2700 open source projects that use GitHub Actions. 💻

🎉We are thrilled to announce that StepSecurity has secured $3 million in seed #funding to protect CI/CD pipelines for open-source communities and enterprises! stepsecurity.io/blog/stepsecur…

🚀The @openssf (Open Source Security Foundation) recently announced StepSecurity as one of its newest members alongside leading technology, aerospace, and security firms!

Read how I used a custom scanner to discover a GitHub Actions vulnerability hiding in plain sight for 3 years in a Google OSS repository and earned a $7,500 💰 #bugbounty! adnanthekhan.com/2024/04/15/an-…

Yesterday security researchers detailed how a CI/CD supply chain vulnerability could have compromised the Bazel project. Check out this case study on how the Bazel Project defended against this CI/CD Supply Chain Vulnerability with StepSecurity. stepsecurity.io/case-studies/b…

@infernosec @PyTorch @GitHubSecurity I am a big fan of @adnanthekhan and team's research on CI/CD. Novel approach to use additional runner to evade detection from EDRs/ firewalls. We will soon be adding support for HTTPs inspection to github.com/step-security/… to detect such cases.

This supply chain attack on @PyTorch shows an insecure use of custom/self-hosted github runners and insecure default config ("Require approval for first-time contributors"; anyone can submit a typo fix) gone wrong together. @GitHubSecurity - have you considered changing default to "Require approval for all outside collaborators" for custom runner usecases? - johnstawinski.com/2024/01/11/pla…

🚨 Worried about risks of third-party #GitHubActions? Risky third-party GitHub Actions can lead to #supplychainattacks! Join our #webinar to gain practical knowledge on securing third-party Actions. When: 30th Jan 2024, 10 am Pacific Time Register Now! us06web.zoom.us/webinar/regist…

@wolfeidau Did you explore the Dependabot grouped version updates? I wonder if that solves this problem...github.blog/changelog/2023…

Been looking for a way to update pinned github actions I am using in my workflows as per hardening recommendations #using-third-party-actions" target="_blank" rel="nofollow noopener">docs.github.com/en/actions/sec… Sick of dependbot updates, just want "upgrade a pipeline". Building on existing libs, I wrote. github.com/wolfeidau/gith… #github #security

🎉Thrilled to see @Intel’s dffml project leveraging StepSecurity to automate #GitHubActions Security best practices. The automated pull request modified 25 source code files and was merged by the Intel developer without any changes! #CICD #CyberSecurity

🚀 Kickstarting 2024 on a high with another big name using the StepSecurity #GitHub Actions Security Automation platform! @GetPermify is a Google Zanzibar based open-source authorization service for creating and managing granular permissions in your applications and services.

Do you find it difficult to implement and track all the GitHub Actions security best practices? If yes, you need to check out the latest StepSecurity blog post that has a checklist of all the best practices you should be adhering to. stepsecurity.io/blog/github-ac…

🚀 Thrilled to see @awscloud using @step_security GitHub Actions Security automation platform! Here is how we helped them automate GitHub Actions Security. github.com/aws/aperf/pull…

Interesting tool of the week: github.com/step-security/… by @step_security We like: Protects runner workflows from exfiltration-style attacks by providing network observability for the runtime environment. Monitors files, process & network activity

📢 Press release of our GitHub Actions Security Platform! While many of you are already familiar with its prowess — given its adoption by over 1,200 open-source projects and numerous enterprises — today, we formally put it in the spotlight. prnewswire.com/news-releases/…

⚗️ github-actions-goat Deliberately Vulnerable GitHub Actions CI/CD Environment. github.com/step-security/…

🔐Excited to announce 'GitHub Actions Goat' - an educational project that simulates security attacks and vulnerabilities in a CI/CD environment and shows how to defend against such attacks. All you need to follow the tutorials is your GitHub Account! stepsecurity.io/blog/github-ac…