Latest Posts

A Mini Shai-Hulud Has Appeared: Obfuscated Bun Runtime Payloads Hit SAP-Related npm Packages

StepSecurity has detected a new npm supply chain attack campaign using preinstall hooks to download the Bun JavaScript runtime and execute an 11 MB obfuscated payload. At least two SAP-ecosystem packages are confirmed compromised so far.

elementary-data Compromised on PyPI and GHCR: Forged Release Pushed via GitHub Actions Script Injection

A malicious version of elementary-data (0.23.3) was published to PyPI and is, at the time of writing, still listed as the latest release. The same release run also pushed a multi-arch container image to GitHub Container Registry at ghcr.io/elementary-data/elementary, tagged both 0.23.3 and latest.

Bitwarden CLI Hijacked on npm: Bun-Staged Credential Stealer Targets Developers, GitHub Actions, and AI Tools

@bitwarden/cli@2026.4.0 — the official command-line interface for the Bitwarden password manager — was found compromised on npm. A malicious preinstall hook silently bootstraps the Bun JavaScript runtime and launches a 9.7 MB obfuscated credential stealer that targets developer secrets, GitHub Actions environments, and — explicitly — AI coding tool configurations including ~/.claude.json and MCP server configs. All stolen data is encrypted with AES-256-GCM and exfiltrated to audit.checkmarx.cx, a domain impersonating the legitimate security company Checkmarx. When GitHub tokens are found, the malware weaponizes them to inject malicious workflows into repositories and extract CI/CD secrets — turning a single compromised developer machine into a supply chain attack pivot point.

TeamPCP Injects Two-Stage Credential Stealer into xinference PyPI Package

Versions 2.6.0, 2.6.1, and 2.6.2 of xinference shipped a two-stage credential stealer that harvests SSH keys, cloud credentials, and environment variables on import. StepSecurity attributes the campaign to TeamPCP, the same actor behind the recent litellm and telnyx PyPI compromises.

CanisterSprawl: pgserve Compromised on npm: Malicious Versions Harvest Credentials and Exfiltrate to a Decentralized ICP Canister

On April 21, 2026, malicious versions of pgserve were published to npm. pgserve is an embedded PostgreSQL server for development — zero config, auto-provisioned databases, designed to be dropped into any Node.js project. The compromised versions (1.1.11, 1.1.12, and 1.1.13) inject a 1,143-line credential-harvesting script that runs via postinstall on every npm install.

Dev Machine Guard Now Scans Extensions Across Every Modern IDE

Dev Machine Guard now scans IDE extensions across VS Code, Cursor, Windsurf, JetBrains IDEs, Android Studio, Eclipse, and Xcode on macOS, Windows, and Linux. Get a unified inventory, extension risk scoring, typosquat detection, and compromised extension visibility across your entire developer fleet.

Dev Machine Guard Now Supports Windows

Dev Machine Guard now supports Windows, giving security teams full visibility into Windows and macOS developer machines. Detect AI coding agents, IDE extensions, MCP servers, npm packages, and compromised dependencies across your developer fleet from a single dashboard.

Announcing Dependabot Configuration Enhancements: Cooldown and Group Support

StepSecurity adds cooldown and group support for Dependabot configuration, giving teams control over update frequency and PR batching across npm, pip, Docker, and GitHub Actions. Reduce alert fatigue. Merge more patches. Strengthen your supply chain.
