Latest Posts

A new wave of the Mini Shai-Hulud worm has compromised packages across Alibaba's AntV data visualization ecosystem, echarts-for-react, timeago.js, and dozens more. Stolen CI/CD secrets are being dumped to thousands of public GitHub repositories as the attack continues to spread.

The popular GitHub Action actions-cool/issues-helper has been compromised. Every existing tag in the repository has been moved to point to a single imposter commit that does not appear in the action's normal commit history. That commit contains malicious code that exfiltrates credentials from CI/CD pipelines that run the action.

Version 18.95.0 of the popular Nx Console extension (2.2M+ installs) was published with malicious code targeting developer credentials, cloud infrastructure tokens, and CI/CD secrets.

Active Supply Chain Attack: Malicious node-ipc Versions Published to npm StepSecurity has detected multiple malicious releases of the popular node-ipc npm package. Three versions are currently known to be compromised, containing an obfuscated payload designed to steal cloud credentials, SSH keys, and CI/CD secrets. Our team is actively analyzing the attack, and this post will be updated as our investigation progresses

Introducing Secure Registry by StepSecurity: install-time defense for the npm supply chain. Block malicious packages, enforce package cooldowns, and protect CI/CD pipelines, developer machines, and artifact managers from modern software supply chain attacks.

TeamPCP has launched a new wave of their Mini Shai-Hulud worm. The self-propagating malware, which spreads by stealing CI/CD secrets, compromised several @tanstack npm packages, collectively downloaded millions of times per week.

Twenty-nine hours after mbt@1.2.48 and @cap-js/sqlite@2.2.2 were compromised by the Shai-Hulud worm, a third major npm package has fallen: intercom-client@7.0.4, the official Node.js SDK for the Intercom customer messaging platform, with 361,510 weekly downloads — more than the two yesterday’s compromised packages combined. The malicious version was published today at 14:41 UTC via a hijacked GitHub Actions OIDC publishing pipeline, confirming the worm is actively propagating through CI/CD infrastructure stolen from yesterday’s victims.

On April 30, 2026, a supply chain compromise was identified in the lightning PyPI package — versions 2.6.2 and 2.6.3. The project’s GitHub account shows signs of compromise, with issues reporting the attack closed rapidly by suspicious responses.