Nx package on npm hijacked to steal cryptocurrency wallets, GitHub/npm tokens, SSH keys, and environment secrets through sophisticated exfiltration attack
How an AWS release rollback triggered the same red flags as a supply chain attack and why treating every semantic version tag change as suspicious is key to protecting your CI/CD pipelines
I’m Varun, CEO & Co-Founder of StepSecurity. StepSecurity detected and reported the tj-actions/changed-files compromise and has been actively helping the community recover from this incident.
To support you in understanding what happened and recovering swiftly, we’re hosting an Office Hour:
Great points! Harden-Runner (https://github.com/step-security/harden-runner) is similar to Firejail and OpenSnitch but purpose-built for the CI/CD context. Harden-Runner detected this compromise due to an anomalous outbound network request to gist.githubusercontent.com.
Yes, it just prints to the build log, so the risk is higher for public repos. A lot of public repos have creds printed in their build logs due to this compromised action.