stepsecurity.io

7 curated AppSec resources from stepsecurity.io across 1 topic on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-02.

| Date Added | Resource | Excerpt |
| --- | --- | --- |
| 2026-06-02 | 2026 · Multiple redhat-cloud-services npm Packages compromised · Supply Chain | Library analyzing multiple @redhat-cloud-services npm packages compromised with malware, executing on install before application code. The payload uses ROT-21, AES-128-GCM, obfuscator.io, and a B5 cipher to evade detection and harvest secrets from GitHub Actions, AWS, GCP, Azure, Kubernetes, Vault, npm, and CircleCI. It also acts as a self-propagating worm, using stolen npm tokens and `bypass_2fa` to republish backdoored packages. Analysis involved static and dynamic techniques, including StepSecurity Harden-Runner. |
| 2026-05-23 | 2026 · Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten to Steal CI Secrets · Supply Chain | Writeup of the laravel-lang supply chain attack where a single actor rewrote all git tags across four popular Composer packages, including `laravel-lang/lang` and `laravel-lang/http-statuses`, to point to malicious commits. These commits added `src/helpers.php` to the `autoload.files` map, executing a payload upon application startup. The payload contacted `flipboxstudio.info`, dropped a PHP loader and ELF binary in `/tmp`, exfiltrated runner environment data, and then self-deleted. This technique bypassed standard version pinning, making pre-May 22, 2026 commit SHAs the only safe option. |
| 2026-05-21 | 2026 · 5 Supply Chain Attacks in 48 Hours: Why Securing One Layer Is Not Enough · Supply Chain | Library for securing the software supply chain, this resource details five distinct attacks in 48 hours targeting VS Code extensions, GitHub Actions, npm packages, and PyPI. It highlights how traditional tools like SCA and SAST fall short, failing to monitor CI/CD runtime or developer machines. The library offers runtime security for CI/CD, visibility into developer workstations, and ecosystem-wide threat intelligence to address these multi-layered threats. |
| 2026-05-14 | 2026 · Active Supply Chain Attack: Malicious node-ipc Versions Published to npm · Supply Chain | Tool detailing the node-ipc supply chain attack where malicious versions 9.1.6, 9.2.3, and 12.0.1 were published to npm. The attack, executed by a rogue maintainer, injected an obfuscated payload into the CommonJS bundle designed to steal over 90 categories of credentials and exfiltrate them to an attacker-controlled server. Version 12.0.1 includes a specific targeting gate based on the module's file path hash. |
| 2026-04-22 | 2026 · litellm: Credential Stealer Hidden in PyPI Wheel · Supply Chain | Library detailing a supply chain compromise within the litellm Python package. Versions 1.82.7 and 1.82.8 were found to contain a malicious payload that harvests credentials, encrypts them using AES-256 and RSA-4096, and exfiltrates them to an attacker-controlled domain. The compromise leveraged two distinct injection techniques: a `.pth` file in version 1.82.8, and an embedded base64 blob in `proxy_server.py` for version 1.82.7. This attack potentially gained initial access through a pivot from a compromise of the Trivy tool used in litellm's CI/CD pipeline. |
| 2026-04-11 | 2026 · Shai-Hulud: Self-Replicating Worm Compromises 500+ NPM Packages · Supply Chain | Library for detecting and analyzing the Shai-Hulud worm, which compromised over 500 NPM packages including @ctrl/tinycolor. This attack featured self-propagation via `NpmModule.updatePackage`, credential harvesting using TruffleHog and cloud SDKs for AWS, GCP, and Azure, and persistence mechanisms involving GitHub Actions workflows. The malware specifically targeted Linux and macOS environments, exfiltrating secrets like GitHub tokens and AWS access keys. |
| 2026-04-07 | 2026 · Behind the Scenes: How StepSecurity Detected and Helped Remediate the Largest npm Supply Chain Attack · Supply Chain | Analysis of the largest npm supply chain attack detailing StepSecurity's real-time detection of a compromised axios package. The incident involved a state-sponsored actor hijacking the popular HTTP client, inserting a malicious dependency, and actively deleting GitHub issues to conceal the compromise. StepSecurity utilized its AI Package Analyst and Harden-Runner to identify suspicious indicators and anomalous network activity, enabling rapid notification and remediation efforts for customers. |