






















Modern CI/CD pipelines are trusted to automate builds, tests, and releases. But recent incidents show that attackers can subvert these pipelines to silently publish unauthorized software versions. This compromises the integrity of open-source and enterprise projects alike.
Publishing credentials get compromised constantly. Developer accounts get hijacked, CI tokens are stolen, and publishing credentials leak into the wrong hands.
In the past three years, multiple confirmed supply chain attacks have shown how attackers bypass your entire CI/CD pipeline and publish malicious versions directly to registries like npm, Docker Hub, and PyPI.
In each of these cases, the attacker successfully introduced unauthorized software into official release channels, including Docker Hub, PyPI, and npm. To users, security tools, and downstream developers, the malicious versions appeared legitimate.
The consequences were significant: malicious containers were shipped from verified publishers and backdoored libraries were installed by unsuspecting users.
Worse, many of these attacks went undetected for days or even weeks, during which unauthorized versions were installed across thousands of environments.
But here’s the critical insight: if the affected projects had been using StepSecurity Artifact Monitor, these unauthorized releases could have been detected within minutes, and the damage from these supply chain attacks could have been prevented altogether. Unauthorized releases that bypass official CI/CD workflows are exactly what Artifact Monitor is designed to detect. The malicious versions would have been flagged immediately as non-compliant, alerting maintainers before users were impacted.
StepSecurity Artifact Monitor is a zero-friction solution that continuously monitors your software artifacts to detect unauthorized releases and ensure every version follows your official CI/CD process.
To understand how StepSecurity Artifact Monitor protects your ecosystem, it’s important to distinguish between two types of releases:
A compliant release is produced through a secure and auditable CI/CD pipeline. Here’s how it works:

This is how trusted software is typically shipped.
A non-compliant release skips the secure pipeline altogether:

This is exactly how recent high-impact supply chain attacks have succeeded — by injecting malicious or unverified artifacts into artifact registries without anyone noticing.
StepSecurity Artifact Monitor continuously observes your artifact registries and release pipelines to detect and respond to unauthorized software releases in real time. Here’s how it functions behind the scenes:
As soon as a new software version is published to a supported registry, such as npm, the system analyzes it immediately. This minimizes blind spots and ensures that even short-lived malicious versions are caught quickly.
Once a new release is identified, StepSecurity automatically traces its origin. It attempts tocorrelate the published artifact with a corresponding CI/CD workflow execution by validating build logs, commit SHAs, tags, and provenance metadata.
Each release is assigned one of two statuses based on this verification:
✅ Compliant
If the release was generated through a recognized and approved CI/CD pipeline, the artifact is marked as trusted. All key steps, such as commit, build, and publish, are confirmed and recorded.

Version 1.0.0 is compliant, as it was published through an approved workflow. The logs of the workflow run are available for review
⚠️ Non-Compliant
If no valid CI/CD pipeline execution is found, or if the release bypasses known workflows, StepSecurity flags it as unauthorized. An alert is immediately sent to your security team, including detailed diagnostics such as:

Version 1.1.0 was flagged as non-compliant because Artifact Monitor could not detect a matching workflow run associated with its release
Notifications are sent through your preferred communication channels, including Slack, email, or SIEM systems. This allows your team to respond quickly by revoking credentials, removing rogue packages, or notifying users before damage spreads.
Explore this feature in depth with our interactive demo:
StepSecurity Artifact Monitor is designed for DevSecOps teams that need robust protection without disrupting developer workflows.
Here’s what makes it effective:
Watches over artifact registries like npm, with support for Docker Hub, Amazon ECR, and PyPI coming soon. Every release is inspected, regardless of how it was published.
Confirms that each new version was published using your approved CI/CD processes. This check uses commit data, workflow history, and other trusted metadata sources.
Provides immediate notification for suspicious or unverified releases. This ensures that potential threats are caught before they can affect users or production environments.
Uses official provenance data when available and proprietary logic when it’s not. This results in highly accurate alerts without unnecessary noise.
Integrates with your current CI/CD pipelines without requiring any changes. Developers can continue working as usual while Artifact Monitoring runs silently in the background.
Want to see how StepSecurity Artifact Monitor works in practice?
Check out the official documentation for a full walkthrough of the feature
Prefer a hands-on experience? Try it yourself with our interactive demo:
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。