Latest Posts

The StepSecurity App is now available on Azure Marketplace—simplifying procurement, deployment, and CI/CD security in one place.

Security researchers have uncovered severe unauthenticated remote code execution vulnerabilities in React Server Components and Next.js App Router that achieve near 100% exploitation success rates. With 39% of cloud environments running vulnerable versions and 44% having publicly exposed Next.js instances, immediate patching is critical. Organizations should upgrade to patched versions and use StepSecurity's npm package search and Threat Center to identify and monitor affected dependencies.

A case study on detecting npm supply chain attacks through runtime monitoring and baseline anomaly detection

The Shai-Hulud NPM Worm Returns as "Sha1-Hulud: The Second Coming" - Devastating Supply Chain Attack Compromises Zapier and ENS Ecosystems, Creates 22,000+ Malicious Repositories and counting

StepSecurity Harden-Runner now protects 9,000+ open-source projects, delivering real-time CI/CD runtime security and defending pipelines against modern supply chain attacks.

Instantly trace any npm package to its origin—across every repository, pull request, and contributor—with StepSecurity’s NPM Package Search.

We’re thrilled to announce that we are sponsoring GitHub Universe 2025 as a Bronze Sponsor — our very first booth at a major conference!

StepSecurity has launched Threat Intelligence, a real-time supply chain attack alerting system designed for seamless SIEM and SOC integration. Unlike generic vulnerability feeds, it delivers actionable intelligence within minutes of compromise, cutting MTTD and MTTR from days to minutes. Powered by the same detection systems that uncovered the tj-actions and nx compromises, it provides proven early-warning capabilities.