Critical Alert: Massive Supply Chain Attack Hits NPM Ecosystem

2025-09-16

Over 40 npm packages, including the popular @ctrl/tinycolor (more than 2 million weekly downloads), have been compromised in a sophisticated supply chain attack. The malware is self-propagating: once it runs on a maintainer's machine or CI runner it uses that maintainer's npm token to publish trojanized versions of the other packages they control, so the compromise cascades across the ecosystem rather than stopping at a single package. The payload is a Webpack-bundled script that harvests AWS, GCP and GitHub credentials and other secrets from the host, exfiltrates them, and establishes persistence by adding a GitHub Actions workflow to repositories reachable with the stolen GitHub token, so that secrets keep leaking on every subsequent CI run. The attack has already resulted in widespread credential theft. Immediate action is required: check lockfiles for the affected package versions, remove them, and rotate every credential (cloud keys, GitHub and npm tokens, CI secrets) that was present on any machine that installed them.
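The "check affected packages" step above, as an added example that is not code from the advisory or from any of the affected projects: a Node script that scans an npm `package-lock.json` for installed versions on a compromised list. The compromised list, the `@ctrl/tinycolor` version numbers and the lockfile fragments are constructed for illustration (assumptions); replace the list with the package@version pairs from the published indicators for this incident. It handles both the `packages` map of lockfileVersion 2/3 and the nested `dependencies` tree of lockfileVersion 1, so transitive installs are caught too.

```javascript
// Added example, not code from the advisory or the affected projects.
// Scans an npm package-lock.json for installed versions that appear on a
// compromised-package list. Handles lockfileVersion 2/3 ("packages" map keyed
// by node_modules path) and lockfileVersion 1 (nested "dependencies" tree).
//
// ASSUMPTION: the list below is constructed for illustration. Replace it with
// the package@version pairs from the published indicators for this incident.
const COMPROMISED = new Map([
  ["@ctrl/tinycolor", new Set(["4.1.1", "4.1.2"])], // assumed versions, illustrative
  ["example-widgets", new Set(["2.3.1"])],          // constructed entry
]);

function isCompromised(name, version) {
  const bad = COMPROMISED.get(name);
  return bad !== undefined && bad.has(version);
}

// lockfileVersion 2/3: keys look like "node_modules/@scope/name" or
// "node_modules/a/node_modules/b"; the package name is whatever follows the
// last "node_modules/" segment.
function scanPackagesMap(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // the root project entry
    const idx = path.lastIndexOf("node_modules/");
    const name = idx === -1 ? path : path.slice(idx + "node_modules/".length);
    if (isCompromised(name, meta.version)) {
      hits.push({ path, name, version: meta.version });
    }
  }
}

// lockfileVersion 1: a tree of { name: { version, dependencies: {...} } }.
function scanDependencyTree(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (isCompromised(name, meta.version)) {
      hits.push({ path, name, version: meta.version });
    }
    scanDependencyTree(meta.dependencies, `${path}/`, hits);
  }
}

// Returns every installed package@version that is on the compromised list.
function findCompromised(lockfile) {
  const hits = [];
  if (lockfile.packages) scanPackagesMap(lockfile.packages, hits);
  else scanDependencyTree(lockfile.dependencies, "", hits);
  return hits;
}

// Constructed lockfileVersion 3 fragment: one direct hit, plus a nested copy
// of the same package on a clean version that must NOT be flagged.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@ctrl/tinycolor": { version: "4.1.2" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/left-pad/node_modules/@ctrl/tinycolor": { version: "4.1.0" },
  },
};

// Constructed lockfileVersion 1 fragment with a transitive hit.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-ui-kit": {
      version: "2.0.0",
      dependencies: { "example-widgets": { version: "2.3.1" } },
    },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node scan-lock.js [path/to/package-lock.json]; falls back to the sample.
  const fs = require("node:fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const h of findCompromised(lock)) {
    console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
  }
}
```

Run it against every lockfile in the organization, not just the top-level one: a clean direct dependency can still pull in a compromised version several levels down, which is why the scanner walks the full install tree rather than the `dependencies` field of `package.json`.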

Tags: Development

GitHub Action Compromise: tj-actions/changed-files Injecting Malicious Code

2025-03-15

A critical security incident has compromised the tj-actions/changed-files GitHub Action, which is used by over 23,000 repositories. Attackers retroactively moved multiple existing version tags to point at a malicious commit, so any workflow that referenced the Action by tag (the common practice) silently pulled the payload on its next run without any change to the workflow file. The compromised Action runs a Python script that dumps secrets from the Runner Worker process memory and prints them into the build log; for public repositories those logs, and with them the CI/CD secrets, are readable by anyone. StepSecurity Harden-Runner detected the anomaly. Immediate action is required: stop using the affected Action, review the build logs of every run since the tags were moved for leaked secrets, and rotate anything found. Going forward, pin third-party actions to a full commit SHA rather than a mutable tag, since a retagged release is exactly what delivered this payload.
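The "stop using the affected Action" and SHA-pinning checks above, as an added example that is not code from StepSecurity or from the tj-actions project: a Node script that audits a workflow file line by line for any `uses:` step that still references tj-actions/changed-files (critical) and for any third-party action referenced by a mutable tag or branch instead of a full 40-character commit SHA (warning). The workflow text is constructed for illustration, and the commit SHA in it is only an example of the pinned form (assumptions). It deliberately uses a line-oriented regex rather than a YAML parser so it runs with no dependencies.

```javascript
// Added example, not from StepSecurity or the tj-actions project.
// Audits a GitHub Actions workflow file for two things the advisory turns on:
//   1. any step that still uses tj-actions/changed-files (critical: remove it), and
//   2. any third-party action referenced by a mutable ref such as a tag or branch
//      instead of a full 40-hex commit SHA (warning: retagging is exactly how
//      this compromise was delivered).
// A line-oriented regex is used instead of a YAML parser so it runs offline.
const AFFECTED_ACTIONS = new Set(["tj-actions/changed-files"]); // from the advisory
const FULL_SHA = /^[0-9a-f]{40}$/;
const USES_LINE = /^\s*-?\s*uses:\s*["']?([^\s"'#]+)/;

// Splits "owner/repo[/subdir]@ref" into the repository and the ref.
function parseUses(ref) {
  const at = ref.lastIndexOf("@");
  const spec = at === -1 ? ref : ref.slice(0, at);
  const version = at === -1 ? "" : ref.slice(at + 1);
  const repo = spec.split("/").slice(0, 2).join("/"); // drop any subdirectory
  return { repo, version };
}

// Returns findings as { line, ref, severity, reason } in file order.
function auditWorkflow(yamlText) {
  const findings = [];
  yamlText.split("\n").forEach((line, i) => {
    const m = USES_LINE.exec(line);
    if (!m) return;
    const ref = m[1];
    // Local composite actions and docker images are out of scope here.
    if (ref.startsWith("./") || ref.startsWith("docker://")) return;
    const { repo, version } = parseUses(ref);
    if (AFFECTED_ACTIONS.has(repo)) {
      findings.push({
        line: i + 1, ref, severity: "critical",
        reason: "references the compromised action; remove it and review logs of every run",
      });
    } else if (!FULL_SHA.test(version)) {
      findings.push({
        line: i + 1, ref, severity: "warning",
        reason: "mutable ref; pin to a full commit SHA",
      });
    }
  });
  return findings;
}

// Constructed workflow: one tag-pinned action, one SHA-pinned action
// (illustrative SHA), one use of the affected action, one local action.
const SAMPLE_WORKFLOW = [
  "name: ci",
  "on: [pull_request]",
  "jobs:",
  "  build:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # illustrative SHA",
  "      - id: changed",
  "        uses: tj-actions/changed-files@v45",
  "      - uses: ./.github/actions/local-lint",
  '      - run: echo "${{ steps.changed.outputs.all_changed_files }}"',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node audit-workflow.js [.github/workflows/ci.yml]; falls back to the sample.
  const fs = require("node:fs");
  const text = process.argv[2] ? fs.readFileSync(process.argv[2], "utf8") : SAMPLE_WORKFLOW;
  for (const f of auditWorkflow(text)) {
    console.log(`${f.severity.toUpperCase()} line ${f.line}: ${f.ref} -> ${f.reason}`);
  }
}
```

The affected action is flagged even when it is SHA-pinned, because the advisory's guidance is to stop using it and review past runs, not merely to freeze the current ref; the SHA check catches the general weakness that made the retagging effective for everyone else.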

Tags: Development, Malicious Code