Intelligence Feed

Latest threat intelligence articles from trusted security sources, auto-processed to extract entities, IoCs, and TTPs.

Filtered by source: step-security

Mastra npm Supply Chain Attack: 140+ Packages Backdoored via easy-day-js Typosquat

2w ago · step-security

On June 17, 2026, a supply chain attack compromised the @mastra npm organization, resulting in 140+ packages being backdoored through the malicious dependency easy-day-js@1.11.22. This package, a typosquat of the legitimate 'dayjs' library, contained an obfuscated postinstall dropper that fetched and executed a second-stage payload from attacker-controlled infrastructure. The attack targeted high-value AI development environments, aiming to harvest sensitive credentials such as API keys and cloud tokens, with over 1.1 million weekly downloads exposed.

11 IoCs

codfish/semantic-release-action GitHub Action has been compromised

3d ago · step-security

On June 24, 2026, the codfish/semantic-release-action GitHub Action was compromised via a force-push to a malicious commit, which redirected multiple version tags to execute attacker-controlled code. The malicious payload steals GitHub OIDC and Personal Access Tokens, uses GitHub API commit messages as a C2 channel, and propagates by poisoning AI coding assistant configurations and publishing malicious packages to npm, PyPI, and RubyGems. It also performs lateral movement via SSH and evades detection by using legitimate GitHub infrastructure for exfiltration.

11 IoCs

simonecorsi/mawesome GitHub Action has been compromised

3d ago · step-security

On June 24, 2026, the simonecorsi/mawesome GitHub repository was compromised by an attacker who force-pushed malicious commits and repointed several version tags to execute attacker-controlled code within GitHub Actions runners. This allowed the attacker to potentially gain access to any workflow running against the affected tags. The attack resembles a prior compromise of the codfish/semantic-release-action repository.

2 IoCs

Maven Support Comes to GitHub Checks and OSS Package Search

3d ago · step-security

The Java ecosystem is increasingly targeted by supply chain attacks, as demonstrated by the Shai-Hulud worm's second wave and a malicious lookalike of the Jackson JSON library published to Maven Central. These attacks leverage compromised or freshly published dependencies to deliver payloads such as Cobalt Strike, exploiting the window between publication and detection. Traditional vulnerability scanners are often too slow to respond, making real-time protection critical. StepSecurity now extends its Maven support to GitHub Checks and OSS Package Search to block compromised and newly published malicious Java dependencies during pull requests.

1 IoC, 2 Malware

Multiple @immobiliarelabs Backstage Plugins Compromised on npm

3d ago · step-security

Multiple npm packages maintained by Immobiliare Labs were compromised on June 26, 2026, with malicious versions published across all major release lines simultaneously. The backdoored packages execute a credential-stealing payload during installation via a binding.gyp node-gyp hook, bypassing traditional postinstall detection. The payload harvests secrets from CI/CD environments, cloud providers, and package registries, and attempts persistence in AI coding assistant configurations. This activity is linked to the Miasma campaign, known for supply chain worm behavior and evasion techniques using the Bun runtime.

25 IoCs

Secure Registry now tells you which machine pulled a compromised package

3d ago · step-security

On June 17, 2026, an attacker compromised the @mastra npm organization and introduced a typosquatted package, easy-day-js, into over 140 packages in the Mastra AI framework ecosystem. The malicious package executed an obfuscated postinstall dropper that retrieved a second-stage payload from an attacker-controlled server before deleting itself. This supply chain attack exposed more than 1.1 million weekly downloads, highlighting the need for rapid incident response and source attribution to determine affected systems.

3 IoCs

10 Layers Deep: How StepSecurity Stops TeamPCP's Trivy Supply Chain Attack on GitHub Actions

3d ago · step-security

In March 2026, the threat actor TeamPCP compromised 76 version tags of the aquasecurity/trivy-action GitHub Action by injecting a credential stealer, exploiting elevated privileges to harvest secrets from memory and exfiltrate them to a malicious domain. The same actor targeted other platforms including PyPI packages litellm and telnyx, and previously compromised the Checkmarx KICS GitHub Action using similar tactics. These supply chain attacks highlight a broader trend of targeting CI/CD pipelines to steal credentials and cloud tokens. The attacks leveraged typosquatted domains and memory scraping techniques, underscoring the need for layered defenses in GitHub Actions environments.

2 IoCs, 1 Actor, 1 CVE

StepSecurity Maintained Actions Are Now Free for Public Repos

2d ago · step-security

In March 2025, the tj-actions/changed-files GitHub Action, used by over 23,000 repositories, was compromised in a supply chain attack that exfiltrated CI/CD secrets via malicious code injected through tampered version tags. StepSecurity detected the incident using its Harden-Runner tool and provided a secure, drop-in replacement, step-security/changed-files, which has since been adopted by thousands of projects. This event highlighted the risks of relying on unmaintained third-party GitHub Actions and led StepSecurity to make its catalog of 500+ maintained, security-hardened actions freely available for public repositories to improve overall CI/CD security across the open-source ecosystem.

2 IoCs, 1 CVE