Introducing StepSecurity Artifact Monitor: Detect Unauthorized Software Releases in minutes, not months

Modern CI/CD pipelines are trusted to automate builds, tests, and releases. But recent incidents show that attackers can subvert these pipelines to silently publish unauthorized software versions. This compromises the integrity of open-source and enterprise projects alike.

Publishing credentials get compromised constantly. Developer accounts get hijacked, CI tokens are stolen, and publishing credentials leak into the wrong hands.

In the past three years, multiple confirmed supply chain attacks have shown how attackers bypass your entire CI/CD pipeline and publish malicious versions directly to registries like npm, Docker Hub, and PyPI.

• Kong incident - the attacker exploited a GitHub Actions workflow to steal a CI token. They then used that token to publish a malicious Docker image of the Kong Ingress Controller. The backdoored version, labeled v3.4.0, was published to Kong’s official Docker Hub account. It remained publicly available for several days before detection.

• Ultralytics incident - the adversary manipulated a GitHub Actions release workflow to push cryptominer-injected packages to PyPI. They later used a compromised PyPI token, which was stolen from the same CI environment, to publish additional unauthorized versions under the project’s name.

• xrpl.js incident - a Ripple developer’s npm account was compromised to publish five backdoored versions of the official XRP Ledger SDK. The malicious versions included a hidden function designed to exfiltrate users’ private keys and wallet seeds. These versions, which were indistinguishable from legitimate releases, were available on npm and downloaded by unsuspecting users before being taken down.

In each of these cases, the attacker successfully introduced unauthorized software into official release channels, including Docker Hub, PyPI, and npm. To users, security tools, and downstream developers, the malicious versions appeared legitimate.

The consequences were significant: malicious containers were shipped from verified publishers and backdoored libraries were installed by unsuspecting users.

Worse, many of these attacks went undetected for days or even weeks, during which unauthorized versions were installed across thousands of environments.

But here’s the critical insight: if the affected projects had been using StepSecurity Artifact Monitor, these unauthorized releases could have been detected within minutes, and the damage from these supply chain attacks could have been prevented altogether. Unauthorized releases that bypass official CI/CD workflows are exactly what Artifact Monitor is designed to detect. The malicious versions would have been flagged immediately as non-compliant, alerting maintainers before users were impacted.

Introducing StepSecurity Artifact Monitor

StepSecurity Artifact Monitor is a zero-friction solution that continuously monitors your software artifacts to detect unauthorized releases and ensure every version follows your official CI/CD process.

Compliant vs. Non-Compliant Releases

To understand how StepSecurity Artifact Monitor protects your ecosystem, it’s important to distinguish between two types of releases:

Compliant Release

A compliant release is produced through a secure and auditable CI/CD pipeline. Here’s how it works:

1. Source code is committed to your repository.

2. A CI/CD workflow builds the artifact, runs tests, enforces policies, and signs the result.

3. Only after successful validation, the artifact is published to your package registry (e.g., Docker Hub, PyPI, npm).

4. A corresponding release (e.g., GitHub Release, tag) is created .

This is how trusted software is typically shipped.

Non-compliant Release

A non-compliant release skips the secure pipeline altogether:

1. Code — or arbitrary binaries — are pushed directly to a registry without triggering a CI/CD process.

2. The artifact appears as a new release, but there is no associated build log or release tag from your CI.

3. Often, these uploads are made through compromised developer or CI credentials.

This is exactly how recent high-impact supply chain attacks have succeeded — by injecting malicious or unverified artifacts into artifact registries without anyone noticing.

How StepSecurity Artifact Monitor Works

StepSecurity Artifact Monitor continuously observes your artifact registries and release pipelines to detect and respond to unauthorized software releases in real time. Here’s how it functions behind the scenes:

Real-Time Tracking

As soon as a new software version is published to a supported registry, such as npm, the system analyzes it immediately. This minimizes blind spots and ensures that even short-lived malicious versions are caught quickly.

CI/CD Verification

Once a new release is identified, StepSecurity automatically traces its origin. It attempts tocorrelate the published artifact with a corresponding CI/CD workflow execution by validating build logs, commit SHAs, tags, and provenance metadata.

Each release is assigned one of two statuses based on this verification:

✅ Compliant

If the release was generated through a recognized and approved CI/CD pipeline, the artifact is marked as trusted. All key steps, such as commit, build, and publish, are confirmed and recorded.

Version 1.0.0 is compliant, as it was published through an approved workflow. The logs of the workflow run are available for review

⚠️ Non-Compliant

If no valid CI/CD pipeline execution is found, or if the release bypasses known workflows,  StepSecurity flags it as unauthorized. An alert is immediately sent to your security team, including detailed diagnostics such as:

• Registry and version information

• Detection timestamp

• Verification failure reason

• Recommended response actions

Version 1.1.0 was flagged as non-compliant because Artifact Monitor could not detect a matching workflow run associated with its release

Immediate Alerts

Notifications are sent through your preferred communication channels, including Slack, email, or SIEM systems. This allows your team to respond quickly by revoking credentials, removing rogue packages, or notifying users before damage spreads.

Explore this feature in depth with our interactive demo:

Key Features & Benefits

StepSecurity Artifact Monitor is designed for DevSecOps teams that need robust  protection without disrupting developer workflows.  

Here’s what makes it effective:

Continuous Monitoring

_Watches over artifact registries like npm, with support for Docker Hub, Amazon ECR, and PyPI coming soon. Every release is inspected, regardless of how it was published.

Automated Verification

Confirms that each new version was published using your approved CI/CD processes. This check uses commit data, workflow history, and other trusted metadata sources.

Instant Alerts

Provides immediate notification for suspicious or unverified releases. This ensures that potential threats are caught before they can affect users or production environments.

Zero False Positives

Uses official provenance data when available and proprietary logic when it’s not. This results in highly accurate alerts without unnecessary noise.

No Developer Effort Needed

Integrates with your current CI/CD pipelines without requiring any changes. Developers can continue working as usual while Artifact Monitoring runs silently in the background.

Learn More

Want to see how StepSecurity Artifact Monitor works in practice?

Check out the official documentation for a full walkthrough of the feature

Prefer a hands-on experience? Try it yourself with our interactive demo: