The popular @ctrl/tinycolor package with over 2 million weekly downloads has been compromised alongside 40+ other NPM packages in a sophisticated supply chain attack. The malware self-propagates across maintainer packages, harvests AWS/GCP/Azure credentials using TruffleHog, and establishes persistence through GitHub Actions backdoors - representing a major escalation in NPM ecosystem threats.| www.stepsecurity.io
Close the CI/CD Security Gap. Enhance GitHub Actions Security with StepSecurity Maintained Actions and robust runner runtime security with network egress filtering.
We are currently investigating a potential supply chain security incident involving the eslint-config-prettier npm package. This widely-used package, which helps developers maintain consistent code formatting by turning off ESLint rules that conflict with Prettier, appears to have had multiple versions published with suspicious modifications.
tj-actions/changed-files