惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
CXSECURITY Database RSS Feed - CXSecurity.com
L
LINUX DO - 热门话题
S
Secure Thoughts
TaoSecurity Blog
TaoSecurity Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Threat Research - Cisco Blogs
AI
AI
B
Blog RSS Feed
S
Schneier on Security
雷峰网
雷峰网
Schneier on Security
Schneier on Security
Help Net Security
Help Net Security
Cloudbric
Cloudbric
L
LINUX DO - 最新话题
罗磊的独立博客
有赞技术团队
有赞技术团队
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Apple Machine Learning Research
Apple Machine Learning Research
P
Proofpoint News Feed
酷 壳 – CoolShell
酷 壳 – CoolShell
The Hacker News
The Hacker News
博客园 - Franky
Attack and Defense Labs
Attack and Defense Labs
The Cloudflare Blog
Webroot Blog
Webroot Blog
Last Week in AI
Last Week in AI
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - 叶小钗
美团技术团队
L
Lohrmann on Cybersecurity
T
The Blog of Author Tim Ferriss
The Last Watchdog
The Last Watchdog
T
Troy Hunt's Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Vercel News
Vercel News
Know Your Adversary
Know Your Adversary
O
OpenAI News
博客园 - 【当耐特】
Hacker News - Newest:
Hacker News - Newest: "LLM"
C
Cybersecurity and Infrastructure Security Agency CISA
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
PCI Perspectives
PCI Perspectives
H
Heimdal Security Blog
I
InfoQ
GbyAI
GbyAI
T
Threatpost
C
Cisco Blogs

Step Security Blog

Announcing Dependabot Configuration Enhancements: Cooldown and Group Support - StepSecurity Securing Vibe Coding and AI Coding Agents: An End-to-End Approach with StepSecurity - StepSecurity Introducing StepSecurity Dev Machine Guard: Protecting Developer Machines from Supply Chain Attacks - StepSecurity Top 2024 Predictions for CI/CD Security - StepSecurity Dev Machine Guard Is Now Open Source: See What's Really Running on Your Developer Machine - StepSecurity hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far - StepSecurity Cline Supply Chain Attack Detected: cline@2.3.0 Silently Installs OpenClaw - StepSecurity StepSecurity’s Unified Protection Across the SDLC Infrastructure Threat Framework (SITF) - StepSecurity @velora-dex/sdk Compromised on npm: Malicious Version Drops macOS Backdoor via launchctl Persistence - StepSecurity axios Compromised on npm - Malicious Versions Drop Remote Access Trojan - StepSecurity Behind the Scenes: How StepSecurity Detected and Helped Remediate the Largest npm Supply Chain Attack - StepSecurity 10 Layers Deep: How StepSecurity Stops TeamPCP's Trivy Supply Chain Attack on GitHub Actions - StepSecurity Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor - StepSecurity TeamPCP Plants WAV Steganography Credential Stealer in telnyx PyPI Package - StepSecurity litellm: Credential Stealer Hidden in PyPI Wheel - StepSecurity Checkmarx KICS GitHub Action Compromised: Malware Injected in All Git Tags - StepSecurity CanisterWorm: How a Self-Propagating npm Worm Is Spreading Backdoors Across the Ecosystem - StepSecurity Trivy Compromised a Second Time - Malicious v0.69.4 Release, aquasecurity/setup-trivy, aquasecurity/trivy-action GitHub Actions Compromised - StepSecurity bittensor-wallet 4.0.2 Compromised on PyPI - Backdoor Exfiltrates Private Keys - StepSecurity Malicious npm Releases Found in Popular React Native Packages - 130K+ Monthly Downloads Compromised - StepSecurity Malicious Polymarket Bot Hides in Hijacked dev-protocol GitHub Org and Steals Wallet Keys - StepSecurity ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push - StepSecurity xygeni-action Compromised: C2 Reverse Shell Backdoor Injected via Tag Poisoning - StepSecurity kubernetes-el Compromised: How a Pwn Request Exploited a Popular Emacs Package - StepSecurity How StepSecurity Caught a Release Storm in Microsoft’s @types Packages - StepSecurity Harden Runner Now Supports Windows and macOS GitHub Actions Runners - StepSecurity 10,000 Open-Source Projects Now Secured by Harden-Runner Community-Tier: A Milestone Three Years in the Making - StepSecurity 20+ Popular NPM Packages Compromised (Chalk, Debug, Strip-ANSI, Color-Convert, Wrap-ANSI...) - StepSecurity 2024 in Review: The Evolution of CI/CD Security & What's Next - StepSecurity How to Use Docker in Actions Runner Controller (ARC) Runners Securely - StepSecurity Celebrating 1000 Repositories Secured with Harden Runner: A Journey of Growth and Collaboration - StepSecurity StepSecurity Detects Early Supply Chain Risk Signals in kilocode npm - StepSecurity Another npm Supply Chain Attack: The 'is' Package Compromise - StepSecurity anthropics/claude-code-action Security: How to Secure Claude Code in GitHub Actions with Harden-Runner - StepSecurity Harden-Runner detection: tj-actions/changed-files action is compromised - StepSecurity StepSecurity's Catalog of Fixes - StepSecurity Orchestrating Security: StepSecurity's Impact on 400+ Repositories and Future Plans - StepSecurity Announcing Anomalous Outbound Call Detection Using Machine Learning - StepSecurity Announcing GitHub Actions Advisor and StepSecurity Maintained Actions - StepSecurity Analysis of Backdoored XZ Utils Build Process with Harden-Runner - StepSecurity Announcing General Availability of Harden Runner - StepSecurity Milestone Achieved: 2500+ Public Repositories Secured with Harden-Runner - StepSecurity Build secretless CI/CD pipelines using wait-for-secrets - StepSecurity Introducing Apps & PATs: Centralized Visibility for GitHub Apps and Personal Access Tokens - StepSecurity CVE-2026-22709: Critical Sandbox Escape Vulnerability in vm2 - StepSecurity StepSecurity Now Supports Dark Mode - StepSecurity 2025 in Review: The Evolution of Supply Chain Security & What's Next - StepSecurity Bake Harden-Runner Into GitHub's Custom Runner Images for Organization-Wide CI/CD Security - StepSecurity StepSecurity Is Now Available on Azure Marketplace - StepSecurity Critical Remote Code Execution Vulnerabilities Discovered in React Server Components and Next.js - StepSecurity How Harden Runner Detected the Sha1-Hulud Supply Chain Attack in CNCF's Backstage Repository - StepSecurity Sha1-Hulud: The Second Coming - Zapier, ENS Domains, and Other Prominent NPM Packages Compromised - StepSecurity Supply Chain Security Alert: eslint-config-prettier Package Shows Signs of Compromise - StepSecurity 9,000 Open-Source Projects Now Secured by Harden-Runner - StepSecurity Shai-Hulud: Self-Replicating Worm Compromises 500+ NPM Packages - StepSecurity Introducing npm Package Search: Find Where Any Package Was Introduced Across Your GitHub Organizations - StepSecurity StepSecurity Is Sponsoring GitHub Universe 2025 - StepSecurity s1ngularity: Popular Nx Build System Package Compromised with Data-Stealing Malware - StepSecurity Introducing StepSecurity Threat Intelligence: Real-Time Supply Chain Attack Alerts for Your SIEM - StepSecurity 8,000 Strong: Harden-Runner's Growing Impact on CI/CD Security - StepSecurity Securing Google Gemini in GitHub Actions with Harden-Runner - StepSecurity GhostAction Campaign: Over 3,000 Secrets Stolen Through Malicious GitHub Workflows - StepSecurity Introducing the NPM Package Cooldown Check - StepSecurity Securing GitHub Copilot in GitHub Actions with Harden-Runner - StepSecurity Calculate Your CI/CD Security ROI with StepSecurity's New ROI Calculator - StepSecurity How StepSecurity Harden Runner Detected Unexpected Microsoft Defender Installation on GitHub-hosted Ubuntu Runners - StepSecurity StepSecurity Harden Runner: Detect source code tampering during the build process - StepSecurity Suspicious Tag Movement in AWS’s GitHub Action: What Happened and Why It Matters - StepSecurity When 'Changed Files' Changed Everything: Our Black Hat 2025 Presentation on the tj-actions Supply Chain Breach - StepSecurity Lessons from AWS CodeBuild’s Memory-Dump Incident (CVE-2025-8217) - StepSecurity Supply Chain Security Alert: num2words PyPI Package Shows Signs of Compromise - StepSecurity When AI Meets CI/CD: Coding Agents in GitHub Actions Pose Hidden Security Risks - StepSecurity The GitHub Warning Everyone Ignores: 'This Commit Does Not Belong to Any Branch' - StepSecurity 8 GitHub Actions Secrets Management Best Practices to Follow - StepSecurity reviewdog GitHub Actions are compromised - StepSecurity 7,000 Open-Source Projects Now Secured by Harden-Runner - StepSecurity Replace Third-Party Actions with StepSecurity Maintained Actions via Automated Pull Requests - StepSecurity StepSecurity Is Now Available on AWS Marketplace - StepSecurity Introducing StepSecurity Artifact Monitor: Detect Unauthorized Software Releases in minutes, not months - StepSecurity Introducing Workflow Run Policies: Guardrails for Blocking Non-Compliant GitHub Actions Runs - StepSecurity Harden-Runner Detects New Traffic to release-assets.githubusercontent.com Across Multiple Customers - StepSecurity Grafana GitHub Actions Security Incident - StepSecurity Export Harden-Runner Security Insights and Detections to Amazon S3 - StepSecurity Evolving Harden-Runner’s disable-sudo Policy for Improved Runner Security - StepSecurity Announcing Policy-Driven Automated Pull Requests for CI/CD Misconfiguration Remediation - StepSecurity Announcing StepSecurity’s Integration with RunsOn: Secure and Optimized CI/CD Pipelines - StepSecurity Secure Repo Just Got Better: New Features for GitHub Actions Security Best Practices - StepSecurity Why Compliance Auditors Are Looking at Your CI/CD Runners - And How to Prepare - StepSecurity Harden-Runner Flags Anomalous Outbound Call, Leading to Docker Documentation Update - StepSecurity StepSecurity Harden-Runner Now Secures GitHub Actions Workflows for Over 5,000 Open Source Projects - StepSecurity GitHub Actions Pwn Request Vulnerability - StepSecurity Prevent Ultralytics Style CI/CD Security Attacks with Network Security Controls - StepSecurity PyTorch Supply Chain Compromise - StepSecurity Unified Network Egress View: Centralize GitHub Actions Network Destinations for Your Enterprise - StepSecurity Uniting Developers and Security: Celebrating the Success of 500+ Open Source Projects Using StepSecurity's Orchestration Platform - StepSecurity 5 Effective Third-Party GitHub Actions Governance Best Practices - StepSecurity StepSecurity Recognized Among CRN’s "10 Hottest DevOps Startups Of 2024" - StepSecurity Streamline Your GitHub Actions Workflows with StepSecurity’s Latest Feature - StepSecurity StepSecurity Steps Up the Security Game with SOC 2 Type 2 Compliance - StepSecurity StepSecurity's Alignment with CISA's CI/CD Security Guidance - StepSecurity
Datadog's DevSecOps 2026 Report Validates What We've Been Building - StepSecurity
2026-04-09 · via Step Security Blog

The data is in, and it validates the warnings StepSecurity has been sounding for years.

Datadog just released their State of DevSecOps 2026 report, analyzing tens of thousands of applications and their supply chain dependencies. The findings confirm a reality we've been documenting through real-world incident response: CI/CD pipelines and software supply chains remain dangerously underprotected, even as attackers increasingly target them.

We were invited to contribute our perspective to the report, and our co-founder Ashish Kurmi didn't hold back:

"GitHub Actions workflows routinely handle production credentials, generate release builds, and execute third-party code in highly privileged contexts, yet most organizations don't secure them with the same rigor they apply to production infrastructure. The major GitHub Actions compromises of 2025 made clear that attackers are systematically targeting this gap. Organizations need a first-principles approach to CI/CD security: understanding the blast radius of every workflow, monitoring runtime behavior, and treating build infrastructure as a high-value asset. That foundational thinking is what enabled early detection of attacks like tj-actions, Shai-Hulud, and s1ngularity, and it's what the industry needs to adopt broadly in 2026."

Ashish Kurmi, Co-founder, StepSecurity

The report lays out five key facts about the state of DevSecOps. Every single one maps to a risk that StepSecurity's platform is purpose-built to mitigate. Here's how.

Fact 1: 87% of organizations have known exploitable vulnerabilities in deployed services

The risk: Datadog found that 87% of organizations have at least one exploitable vulnerability, affecting 40% of all services. Java services lead at 59%, followed by .NET at 47% and Rust at 40%. A key driver is outdated language and runtime versions: 10% of services run on at least one end-of-life (EOL) version, and when they do, 50% of those services have an exploitable vulnerability compared to 37% when no EOL versions are in use.

How StepSecurity mitigates this risk: Exploitable vulnerabilities don't just live in production code. They enter the software supply chain through compromised dependencies, outdated libraries, and insecure build processes. StepSecurity's Harden-Runner provides runtime security for GitHub Actions workflows by monitoring network traffic, file system activity, and process behavior during every CI/CD run. If a compromised dependency attempts to exfiltrate data or make unauthorized network calls during the build process, Harden-Runner detects and (with egress-policy: block enabled) prevents it.

This means even if a vulnerable or compromised library makes it into a dependency tree, StepSecurity can catch malicious behavior at the point where it matters most: during the build and deployment pipeline, before it ever reaches production.

Let’s walk through this interactive demo to see how Harden-Runner works:

Dev Machine Guard extends supply chain protection to developer machines, where the risk often starts before code ever reaches a pipeline. With Local npm Monitoring, security teams gain full visibility into packages installed on every developer workstation across the organization, enabling rapid identification of compromised dependencies before vulnerable code enters a repository or pipeline.

Fact 2: Dependencies are 278 days behind their latest major version

The risk: The median dependency is now 278 days behind its latest major version, up from 215 days last year. Java is the worst offender at 492 days behind, followed by Ruby at 357 days. Datadog's research also shows that older libraries carry significantly more vulnerabilities: libraries published in 2023 average 3.8 vulnerabilities per service compared to 1.3 for those published in 2025. Services deployed less than once per month have dependencies that are 70% more outdated than those deployed daily.

How StepSecurity mitigates this risk: Outdated dependencies are a ticking time bomb, and part of the reason teams fall behind is that they lack visibility into what's actually in their dependency tree and whether it's safe to update. StepSecurity tackles this from the supply chain angle:

  • NPM Package Compromised Updates runs as a GitHub Check on every pull request, ensuring that no dependency update introduces a package that is known to be compromised. StepSecurity maintains an internal database of compromised packages updated in real time, often before an official CVE is published. This gives teams the confidence to update more frequently, knowing that malicious versions will be caught automatically.

  • NPM Package Search lets security teams search across their entire organization to identify where specific packages were introduced via pull requests. When a vulnerability is discovered in an older library version, this enables rapid identification of every affected repository so teams can prioritize updates where they matter most. Dev Machine Guard also plays a role here. Its NPM Package Search capability extends beyond repositories and pull requests to include developer machines, letting security teams identify where specific packages exist across the entire organization: in PRs, on default branches, and on local workstations. When an outdated dependency is found to contain a vulnerability, this complete visibility ensures no instance is missed during remediation.

  • Artifact Monitor provides continuous compliance monitoring for your own published artifacts, verifying that every version is tied to a trusted CI/CD release process. This ensures that your internal packages don't become a source of supply chain risk for your own teams or downstream consumers.

By removing the fear that updating could introduce a compromised package, StepSecurity helps break the cycle of dependency neglect that Datadog's data exposes.

Fact 3: 50% of organizations use libraries within a day of release

The risk: While Fact 2 shows organizations are too slow to update, Fact 3 reveals the opposite extreme: 50% of organizations use third-party libraries within a day of release, 12% use public AMI images, and 32% use public Docker images less than one day after release. This is the exact window where supply chain attacks like Shai-Hulud and s1ngularity do their damage. Datadog notes that 1.6% of organizations using npm have used at least one malicious dependency in the past year, representing potentially tens of thousands of organizations that executed malicious code.

How StepSecurity mitigates this risk: This is the exact problem that our Artifact Security suite and GitHub Checks were designed to prevent:

  • NPM Package Cooldown is a GitHub Check that automatically blocks any pull request that introduces a dependency published within a configurable waiting period (default: 2 days). If a PR tries to add a package that was published yesterday, the check fails automatically and passes on its own once the cooldown expires. No manual intervention required. Datadog recommends a one-week cooldown; StepSecurity lets you configure this to match your organization's risk tolerance. Since most supply chain attacks are discovered within the first 24 hours, even the default 2-day cooldown eliminates the vast majority of exposure.
  • NPM Package Compromised Updates provides a second layer of defense by blocking any dependency that is already known to be malicious. During the Shai-Hulud attack, this capability automatically flagged pull requests attempting to pull in the compromised versions and blocked them from merging, shielding customers from the attack entirely.
  • Threat Center serves as a central hub for tracking active supply chain compromises across open-source ecosystems. When an incident like Shai-Hulud breaks, security teams can investigate details and apply remediation steps directly within the StepSecurity dashboard instead of scrambling across multiple sources.

  • Harden-Runner provides the last line of defense at runtime. Even if a malicious package somehow enters a workflow, Harden-Runner detects anomalous behavior (unexpected network calls, unauthorized file access, secret exfiltration attempts) and can block it in real time. During the Shai-Hulud attack, Harden-Runner flagged the malicious behavior within minutes of publication, well before widespread exploitation began.
  • Dev Machine Guard extends these protections to developer workstations. Local npm Package Monitoring tracks every package installed on developer machines across the organization, whether installed by a human or an AI coding agent, giving security teams full visibility into exposure when a compromised package is detected (like those in the Shai-Hulud campaign that targeted developer machines specifically). Dev Machine Guard's NPM Package Search also extends beyond repositories to include developer machines, letting security teams identify where specific packages exist across the entire organization (in PRs, on default branches, and on local workstations) for complete blast-radius assessment during incidents.

Together, these capabilities create a layered defense: cooldown prevents premature adoption, compromised package checks block known threats, and runtime monitoring catches anything that slips through.

Fact 4: GitHub Actions are left vulnerable to supply chain attacks

The risk: Every organization using GitHub Actions uses at least one marketplace action, but only 4% pin the hash for all marketplace actions. A staggering 71% never pin the hash for any of their actions. Worse, 80% of organizations use at least one third-party marketplace action not managed by GitHub and not pinned to a commit hash, and 2% are actively running previously compromised actions without pinning. The tj-actions/changed-files compromise demonstrated exactly how devastating this can be: attackers injected a malicious payload that caused affected repositories to write secrets to workflow logs.

How StepSecurity mitigates this risk: GitHub Actions security has been our core focus since day one, and we offer the most comprehensive solution in the industry for this exact problem:

  • Orchestrate Security automatically pins GitHub Actions and container images to full-length commit SHAs across your repositories. This is the exact mitigation that both Datadog and GitHub recommend as the only way to prevent automatic updates to potentially compromised action versions. StepSecurity automates what 71% of organizations are currently failing to do manually.
  • StepSecurity Maintained Actions go a step further by providing curated, security-reviewed replacements for popular third-party actions. Every maintained action undergoes rigorous manual secure code review before onboarding, uses strict access controls with no persistent credentials, and has tag protection by default. This directly addresses the access control failures that enabled the tj-actions and reviewdog compromises. Enterprise customers can request onboarding of specific actions, and StepSecurity monitors upstream changes with defined SLAs for patching vulnerabilities.

  • GitHub Checks include dedicated controls for PWN Request detection (catching insecure pull_request_target configurations that can be exploited by malicious forked PRs) and Script Injection scanning (flagging workflows that use unsanitized external inputs). These checks catch the workflow-level vulnerabilities that attackers exploit to gain initial access.
  • Workflow Run Policies provide critical runtime controls for locking down which actions can execute in your environment. The Allowed Actions Policy lets you define an allowlist of approved GitHub Actions, ensuring only vetted actions can run across your organization. The Compromised Actions Policy automatically detects when a workflow attempts to use a known compromised action and cancels the run before it executes. For the 2% of organizations that Datadog found are still running compromised actions without pinning, these policies would immediately prevent those actions from executing.

Let’s walk through this interactive demo to see how Compromised Actions Policy works:

  • Harden-Runner provides the runtime monitoring layer that detected the tj-actions compromise in real time. By monitoring network activity and restricting unexpected behaviors during workflow execution, Harden-Runner catches compromised actions even when they pass all static checks. This is how StepSecurity detected attacks against Google's Flank project and Microsoft's Azure Karpenter Provider in real time.
  • Dev Machine Guard addresses the growing risk of AI-powered development workflows that interact with GitHub Actions. AI Agent Discovery automatically tracks all AI coding assistants (GitHub Copilot, Claude Code, Gemini CLI, and others) across your organization, and MCP Server Visibility monitors which Model Context Protocol servers are connecting AI agents to development tools, letting you prevent unapproved servers from being configured. As AI agents increasingly trigger and interact with GitHub Actions workflows, this visibility becomes essential to maintaining the security of your CI/CD environment.

The combination of automated pinning, maintained actions, workflow checks, and runtime monitoring means StepSecurity covers the full lifecycle of GitHub Actions security: prevention, detection, and response.

Fact 5: Most vulnerabilities should not page a human

The risk: Datadog found that only 18% of critical dependency vulnerabilities remain critical after adjusting severity scores with runtime context and CVE context. That means over 80% of "critical" alerts are effectively noise. The report also highlights that 98% of .NET dependency vulnerabilities are downgraded from critical, while 49% of PHP vulnerabilities stay critical. Over-prioritizing every vulnerability creates alert fatigue, diverts attention from real threats, and wastes developer time.

How StepSecurity mitigates this risk: Alert fatigue is a real problem, and it's compounded when security tools generate noise without context. StepSecurity's approach is built around actionable intelligence, not alert volume:

  • Harden-Runner focuses on detecting actual malicious behavior at runtime rather than flagging every theoretical vulnerability. When a dependency makes an unexpected network call or attempts to access files it shouldn't, that's a high-signal alert that demands attention. This runtime context is exactly what Datadog describes as the key to reducing false positives.
  • NPM Package Compromised Updates only blocks dependencies that are confirmed compromised, not every dependency with a CVE. StepSecurity's internal threat intelligence database is curated for accuracy, which means when a check fails, it's because there's a real, confirmed threat, not a theoretical one.
  • Threat Center provides curated intelligence about active supply chain compromises, giving security teams clear context about what's actually being exploited in the wild versus what's merely a scored vulnerability. This helps teams focus their limited time on the threats that pose genuine business risk.
  • Workflow Run Policies let organizations define and enforce security policies across all their GitHub Actions workflows, ensuring consistent security standards without requiring manual review of every workflow run.
  • Dev Machine Guard reduces noise from the developer machine side with IDE Extension Governance, which tracks all installed extensions across VSCode and Cursor with comprehensive risk scores. Security teams can implement approved extension lists and automatic cooldown periods for new releases, proactively filtering out risky extensions rather than reacting to incidents after the fact. This is directly relevant given attacks like the NX Build System compromise, where a VSCode extension silently ran malicious code at activation. Instead of alerting on every extension update, Dev Machine Guard lets you enforce policy and focus attention on genuinely risky changes.

By focusing on confirmed threats and actual malicious behavior rather than raw CVSS scores, StepSecurity helps security teams cut through the noise and respond to what truly matters.

Why This Matters Now More Than Ever

The DevSecOps landscape is evolving rapidly. AI coding agents like GitHub Copilot, Claude Code, and Gemini CLI are accelerating development velocity, which means CI/CD pipelines are running more frequently, handling more sensitive operations, and integrating more third-party code than ever before. Every risk that Datadog identified in this report is amplified by this acceleration.

As Ashish noted, the foundational thinking that enabled early detection of the major 2025 compromises (understanding blast radius, monitoring runtime behavior, treating CI/CD as critical infrastructure) is precisely what organizations need to scale alongside AI-assisted development.

That's the approach we've built StepSecurity around. Harden-Runner, now trusted by over 10,000 repositories including projects from Microsoft, Google, and Kubernetes, provides the runtime security foundation. Combined with our GitHub Checks, Artifact Security suite, Orchestrate Security, and Maintained Actions, we offer the industry's most comprehensive platform for securing CI/CD pipelines against every category of risk that Datadog's report identifies.

Get Started

Every risk in the Datadog report has a corresponding mitigation in the StepSecurity platform. Here's where to begin:

  1. Pin all GitHub Actions to commit SHAs with Orchestrate Security or adopt StepSecurity Maintained Actions for critical workflows.
  1. Enable NPM Package Cooldown via GitHub Checks to stop day-of-release dependency risk.
  1. Activate NPM Package Compromised Updates as a required check to block known malicious packages before they enter your codebase.
  1. Add Harden-Runner to your workflows for runtime monitoring and egress control.
  1. Monitor your blast radius with NPM Package Search and the Threat Center.

We've been building for this moment. The data now agrees.