Introduction

Open-source supply chain attacks target the software dependencies your applications and CI/CD pipelines rely on. These attacks often use newly published packages, compromised maintainer accounts, or malicious install scripts to steal secrets, execute arbitrary code, or pivot deeper into your infrastructure.

Examples of such attacks include:

Sha1-Hulud: The Second Coming - Zapier, ENS Domains, and Other Prominent NPM Packages Compromised - StepSecuritywww.stepsecurity.io

s1ngularity: Popular Nx Build System Package Compromised with Data-Stealing Malware - StepSecuritywww.stepsecurity.io

20+ Popular NPM Packages Compromised (Chalk, Debug, Strip-ANSI, Color-Convert, Wrap-ANSI...) - StepSecuritywww.stepsecurity.io

GhostAction Campaign: Over 3,000 Secrets Stolen Through Malicious GitHub Workflows - StepSecuritywww.stepsecurity.io

The OSS Supply Chain Security capabilities in StepSecurity cover dependencies from the npm and PyPI ecosystems, with a layered model built around three pillars:

Prevent – stop high risk dependencies and behaviors before they are introduced

Detect – continuously identify compromised packages and suspicious changes across your codebase

Respond – investigate incidents quickly and assess organization wide impact