Step Security Blog
The latest from StepSecurity — practical guidance, product updates, and threat insights to help secure your CI/CD pipelines and stay ahead of supply chain attacks
A forged commit. A workflow file disguised as a routine CI optimization. Within 6 hours, 5,561 GitHub repositories were backdoored. Cloud credentials harvested. SSH keys stolen. OIDC tokens minted and exfiltrated before any runner finished. The attacker n