Latest Posts

AI coding agents install packages, create pull requests, push commits, and run autonomously in CI/CD pipelines. Here's how to secure every stage of that workflow

StepSecurity' detected that cline@2.3.0 was published with a malicious post-install script that silently installs OpenClaw on any machine running npm install. Here's how the attack worked, how we caught it, and what you should do if you're affected.

How StepSecurity delivers real-world protection across all critical pillars identified in Wiz's SDLC Infrastructure Threat Framework (SITF)

StepSecurity detected early supply chain risk signals in a legitimate kilocode npm release, showing how small behavior changes can quietly weaken trust before attacks happen

Get visibility into GitHub Apps, fine-grained PATs, and classic PATs across all your organizations in one dashboard

Security researchers have uncovered a critical sandbox escape vulnerability in vm2, a popular JavaScript sandbox library used to execute untrusted code securely. The vulnerability, tracked as CVE-2026-22709, allows attackers to bypass sandbox protections and execute arbitrary code on the host system. Organizations using vm2 should upgrade to the patched version immediately.

StepSecurity now supports dark mode for a more comfortable security investigation experience. Reduce eye strain and stay focused during long CI/CD analysis sessions

Modern supply chain attacks target developer machines and AI coding agents. Learn how StepSecurity Developer MDM stops credential theft early