🚨 Last week, North Korean state actors hijacked axios on npm. 300M+ weekly downloads. Turned into a remote access trojan.
We just published the behind-the-scenes story of how we detected it, fought the threat actor in real time, and helped the community respond.
🚨 Breaking: 31 npm packages from @RedHat have been compromised.
100,000+ weekly downloads affected. The upstream CI/CD pipeline was compromised, with all packages published via GitHub Actions OIDC.
The payload:
⚠️ Reads GitHub Actions runner process memory to extract masked secrets
⚠️ Sweeps credentials across AWS, GCP, Azure, K8s, Vault, and npm
⚠️ Self-propagating worm that republishes backdoored packages using stolen npm tokens, bypassing 2FA
⚠️ Persists on dev machines via Claude Code settings hijack and VS Code task injection
⚠️ Exfiltrates data through GitHub API commits, blending in with normal git operations
We have responsibly disclosed the incident to the maintainers.
Full technical analysis: https://t.co/63nZYH1cMO
🚨 Active npm supply chain attack. 143 packages compromised in a single coordinated wave across the AntV (Alibaba) data visualization ecosystem, plus echarts-for-react, timeago.js, jest-canvas-mock, and others. Some ship over a million downloads per month.
🛡️ The C2 domain sits on the same infrastructure used in the actions-cool/* GitHub Actions compromise we reported earlier today. Every StepSecurity Harden-Runner customer, community tier and enterprise, was protected from second zero of this incident via our global block list.
🚨 We pushed a Threat Center alert to all StepSecurity enterprise customers with detection queries and remediation steps.
Here's how StepSecurity Enterprise customers are protected at every stage of the software development pipeline:
⚙️ CI/CD pipelines
1️⃣ Outbound connections to the C2 domain are blocked automatically
2️⃣ Runner.Worker memory read detection flags attempts to dump CI/CD secrets
📦 Code Repositories
1️⃣ npm package search detects compromised packages in default branches and pull requests
2️⃣ npm cooldown and compromised package GitHub checks automatically block pull requests from being merged
💻 Dev Machine Guard
1️⃣ npm package search detects compromised packages installed on developer machines.
🔒 For all stages, StepSecurity Secure Registry blocks these compromised packages from even reaching your environment in the first place.
https://t.co/egNcqXRLke
🚨 ACTIVE SUPPLY CHAIN ATTACK 🚨
The actions-cool/issues-helper GitHub Action is compromised. Every existing tag in the repo now points to an imposter commit that:
⬇️ Downloads the bun JS runtime
🧠 Reads Runner.Worker process memory to harvest CI/CD secrets in flight
📡 Exfiltrates credentials to t.m-kosche[.]com
Any workflow referencing this action by version will pull the malicious code on its next run.
If you use it: stop immediately, pin to a known-good commit SHA from before the compromise, and rotate any secrets exposed to recent runs.
StepSecurity customers are already protected:
🛡 Real-time Threat Center alert with "Am I Affected?" links for every workflow and every runner that has talked to the IOC domain
🚫 Compromised Actions Policy blocks any run referencing this action before it executes
🌐 Harden-Runner Global Block List now blocks t.m-kosche[.]com automatically, even in audit mode, no config change required
🔍 Imposter Commit detection flags the exact signature of this attack
Full advisory and IOCs:
https://t.co/D0pYzREDDZ
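A check for the advice above, as an added example that is not part of the original post or StepSecurity's tooling: it lists every `uses:` reference in a workflow file and flags those that are on the watchlist or not pinned to a full commit SHA. The sample workflow, its SHA and `example-org/lint-action` are constructed for illustration.

```javascript
// Added example. WATCHLIST holds the action named in the post above.
const WATCHLIST = ["actions-cool/issues-helper"];

// Classify every `uses:` reference found in one workflow file's text.
function auditWorkflow(yamlText) {
  const findings = [];
  yamlText.split(/\r?\n/).forEach((line, i) => {
    // Matches "uses: x" and "- uses: x"; commented-out lines start with "#" and are skipped.
    const m = /^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)/.exec(line);
    if (!m) return;
    const ref = m[1];
    if (ref.startsWith("./") || ref.startsWith("docker://")) return; // local action or image
    const at = ref.lastIndexOf("@");
    const target = at === -1 ? ref : ref.slice(0, at);
    const version = at === -1 ? "" : ref.slice(at + 1);
    // owner/repo, also for sub-path actions and reusable workflows (owner/repo/path@ref)
    const repo = target.split("/").slice(0, 2).join("/").toLowerCase();
    const pinned = /^[0-9a-f]{40}$/i.test(version); // full SHA; tags and branches can be moved
    findings.push({ line: i + 1, repo, version, pinned, watchlisted: WATCHLIST.includes(repo) });
  });
  return findings;
}

// A watchlisted action is reported even when pinned: the SHA must still be checked
// against a known-good commit from before the compromise.
function needsAction(findings) {
  return findings.filter((f) => f.watchlisted || !f.pinned);
}

// Constructed sample workflow, not taken from a real repository.
const sampleWorkflow = `
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions-cool/issues-helper@v3
      - name: lint
        uses: example-org/lint-action@main
`;

console.log(needsAction(auditWorkflow(sampleWorkflow)));
```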
🚨 BREAKING Nx Console VS Code Extension Compromised 🚨
Nx Console (nrwl.angular-console) v18.95.0, a VS Code extension with 2.2M+ installs, was published with malicious code on May 18, 2026. The compromised version executes an obfuscated credential stealing payload on workspace activation.
If you use Nx Console, assume your machine is compromised and follow your incident response process.
Our team is actively investigating and will keep the blog post updated as new details emerge:
https://t.co/BaHLzPzP6d
🚨 BREAKING: node-ipc compromised. Again.
Three malicious versions of node-ipc (9.1.6, 9.2.3, 12.0.1) were published today carrying an identical credential-stealing payload. This package has 10M+ weekly downloads.
Here's what happened:
An attacker injected an 80KB obfuscated IIFE into the CommonJS bundle. It fires on every require('node-ipc') call. No special config needed, just importing the package is enough.
What it steals:
→ AWS, Azure, GCP credentials
→ SSH private keys
→ Kubernetes configs
→ Docker tokens
→ GitHub CLI tokens
→ AI tool configs (including Claude)
→ Terraform state
→ 90+ credential file patterns in total
Everything gets gzipped and exfiltrated to an attacker-controlled domain (sh[.]azurestaticprovider[.]net) via DNS TXT queries and HTTPS POST, designed to look like normal traffic.
The attacker published across two major version lines simultaneously (9.x and 12.x) to maximize blast radius. Semver ranges like ^9, ~9.1.x, ~9.2.x, ^12, and ~12.0 all resolve to compromised versions automatically on the next install or lockfile refresh.
Key details:
Only the CommonJS bundle (node-ipc.cjs) is affected. ESM imports are clean.
The 9.x releases are fabricated. The 9.x line never shipped a .cjs bundle before this attack.
This is a different actor from the 2022 peacenotwar incident. Purely financial, credential-theft motivation.
If you installed any of these versions, assume all secrets on that machine are compromised. Rotate everything.
Our full technical breakdown covers the attack chain stage by stage, IOCs, and how to check if you're affected:
https://t.co/l7m03coFQu
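A way to check exposure to the three versions named above, as an added example that is not from the linked write-up: `findInstalled` looks for exact hits in a parsed `package-lock.json`, and `exposedBy` reports which of the listed versions a declared range would accept. The range matcher is a deliberately small stand-in for a real semver library, and the sample lockfile is constructed.

```javascript
// Added example. Versions are the three named in the post above.
const COMPROMISED = ["9.1.6", "9.2.3", "12.0.1"];

// Exact hits in a parsed package-lock.json: v2/v3 "packages" map, else the v1 tree.
function findInstalled(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/node-ipc$/.test(path) && COMPROMISED.includes(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = [...trail, name];
      if (name === "node-ipc" && COMPROMISED.includes(meta.version)) {
        hits.push({ path: here.join(" > "), version: meta.version });
      }
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Minimal matcher for the caret, tilde and x-range forms quoted in the post.
// Returns the listed versions a range accepts, or null for syntax it cannot parse.
// (Real semver narrows ^0.x further; irrelevant here, every listed version has major >= 9.)
function exposedBy(range) {
  const m = /^([\^~]?)(\d+)(?:\.(\d+|x|\*))?(?:\.(\d+|x|\*))?$/.exec(range.trim());
  if (!m) return null;
  const num = (s) => (s === undefined || s === "x" || s === "*" ? null : Number(s));
  const parts = [Number(m[2]), num(m[3]), num(m[4])];
  const lo = parts.map((p) => p ?? 0);                 // lower bound of the range
  const gap = parts.indexOf(null);
  const count = gap === -1 ? 3 : gap;                  // numeric components written
  const fixed = m[1] === "^" ? 1 : m[1] === "~" ? Math.min(count, 2) : count;
  return COMPROMISED.filter((ver) => {
    const v = ver.split(".").map(Number);
    const ge = v[0] !== lo[0] ? v[0] > lo[0] : v[1] !== lo[1] ? v[1] > lo[1] : v[2] >= lo[2];
    return ge && lo.slice(0, fixed).every((n, i) => n === v[i]);
  });
}

// Constructed sample lockfile (v3 layout), not taken from a real project.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo" },
  "node_modules/node-ipc": { version: "9.2.3" },
  "node_modules/tool/node_modules/node-ipc": { version: "11.1.0" } } };
```

A `null` from `exposedBy` means the range uses syntax this matcher does not cover and needs manual review.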
🚨 ACTIVE INCIDENT: The Mini Shai-Hulud worm is back, and it just compromised dozens of official @tanstack npm packages
This is the first documented self-spreading npm worm that carries valid SLSA provenance attestations. Let that sink in.
Our OSS Package Security Feed detected the compromised releases and we're tracking the spread in real time.
Here's what happened:
The attacker staged an obfuscated 2.3 MB credential-stealing payload in a fork of TanStack/router, then used hijacked OIDC tokens to publish malicious versions through TanStack's own legitimate GitHub Actions release pipeline.
The compromised packages include @tanstack/react-router, @tanstack/router-core, @tanstack/react-start, and 40+ other packages. Millions of weekly downloads across the ecosystem.
If you installed any affected version in CI, assume all secrets in that environment are compromised. Rotate tokens immediately.
Full technical analysis, IOCs, compromised version list, and recovery steps on our blog. The list of affected packages is still growing.
https://t.co/kRiwPD0JGx
Our co-founders Varun Sharma and Ashish Kurmi are heading back to @Microsoft next week, this time as speakers at BlueHat Redmond. Both started their security careers at Microsoft, so it's a full-circle moment. If you'll be there, stop by and say hi!
🎤 BlueHat Speaker Announcement
We’re excited to announce that Varun Sharma, Co-founder & CEO, StepSecurity and Ashish Kurmi, Co-founder & CTO, StepSecurity, will be speaking at BlueHat with their session, “Double‑Edged AI: Securing the Software Supply Chain in the Autonomous Era.”
In this talk, Ashish and Varun analyze major 2025 software supply chain attacks, including the tj-actions compromise, the Nx s1ngularity attack (the first known malware to weaponize AI coding agents), and the Shai-Hulud npm worm series. They explore how AI is reshaping the threat landscape, acting on both sides by accelerating development while also enabling more sophisticated, self‑propagating attacks.
The session concludes with a vendor‑agnostic defense framework covering CI/CD security, credential management, and AI coding agent governance. Attendees will gain practical insight into how to secure modern software supply chains in an era where autonomous systems are increasingly part of both development and attack workflows.
🚨 A Mini Shai-Hulud has appeared.
Your npm install just handed your credentials to an attacker.
We detected a new supply chain campaign targeting SAP developer packages. It downloads Bun (not Node) to run an 11 MB obfuscated payload. Victim repos are being created on GitHub as we speak.
Full breakdown: https://t.co/j2GcVsgJWc
The full behind-the-scenes story, the frantic evening, the deleted issues, the community rallying at midnight, is on our blog.
Read it here: https://t.co/5whpAp14KI
→ @karpathy shared our blog on X, calling it the "more comprehensive article"
→ @firaborjmshi featured our analysis. 624K+ views.
→ Hit #1 on Hacker News for hours
🚨 @poweredbyClubs your dev-protocol GitHub org has been compromised. Attackers are distributing fake Polymarket bots that steal wallet private keys via typosquatted npm packages.
Details: https://t.co/LNgOy1EQak
Hackerbot-Claw: AI Bot Exploiting GitHub Actions – Microsoft, Datadog Hit So Far
Full breakdown of the 5 attack techniques with evidence: https://t.co/EhU3sYnOwX
1/5 All #GitHub Actions workflows in the @Microsoft Azure Karpenter Provider project have been secured with StepSecurity’s Harden-Runner since January 2024. Here's how Harden-Runner detected a potential supply chain attack in real-time. 👇
4/5 We’re honored to be recognized on Microsoft’s acknowledgment portal for our contribution to securing their online services. Following this exploit, the repository now uses Harden-Runner in block mode, preventing unauthorized outbound calls that aren't on the allowed list.🙌
5/5 This is the second CI/CD supply chain attack detected by Harden-Runner in 2024. Earlier, it caught an exploit in Google’s open-source project, Flank.
Check out the full case study and video of the Azure Karpenter project for all the details: https://t.co/PN5HX0kj29