StepSecurity
Coverage of StepSecurity in the Nexus archive.
- 144 Mastra npm Packages Compromised via Hijacked Contributor Account
144 npm packages under the Mastra namespace (@mastra/*) were compromised in a supply chain attack named easy-day-js. A single npm account (ehindero) was used to mass-publish malicious packages, according to findings from JFrog, SafeDep, Socket, and StepSecurity.
- Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets
Cybersecurity researchers found malicious activity in three versions of node-ipc, specifically [email protected], [email protected], and [email protected], which target developer secrets. The affected npm packages are part of the node-ipc library. This discovery raises concerns about the security of developer tools.
- Cache-poisoning caper turns TanStack npm packages toxic
An attacker published 84 malicious versions of TanStack npm packages, leading to credential theft and disk wipe, as part of a wave of attacks across npm and PyPI. The attack was detected within 30 minutes by StepSecurity, triggering incident response and npm deprecation. GitHub has published a security advisory with recommended actions.
- PyTorch Lightning Compromised in PyPI Supply Chain Attack to Steal Credentials
Threat actors compromised the PyTorch Lightning Python package, publishing malicious versions 2.6.2 and 2.6.3 on April 30, 2026, to steal credentials. Security firms Aikido Security, Socket, and StepSecurity reported the attack, which is part of an ongoing supply chain campaign.
- SAP npm Packages Compromised by “Mini Shai-Hulud” Credential-Stealing Malware
Cybersecurity researchers have identified a supply chain attack campaign targeting SAP-related npm packages with the 'Mini Shai-Hulud' credential-stealing malware. Multiple security firms, including Aikido Security, SafeDep, Socket, StepSecurity, and Wiz, reported the compromise affecting SAP's JavaScript and cloud application packages.
- Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens
Cybersecurity researchers have identified compromised npm packages delivering a self-propagating worm that steals developer tokens to spread through supply chains. The worm, named CanisterSprawl by Socket and StepSecurity, uses an ICP canister to exfiltrate stolen data.