www.stepsecurity.io 3/5/2026, 11:46:25 PM

DevSecOps Study Finds 87% Exploitable in CI/CD Pipelines

CyberSIXT Evidence Panel
Primary Source datadoghq.com

According to Datadog's State of DevSecOps 2026 report, CI/CD pipelines and GitHub Actions remain prime targets for supply chain attacks, a warning StepSecurity has long sounded. The findings show that 87% of organisations have at least one exploitable vulnerability, affecting 40% of all services; by language, Java leads at 59%, followed by .NET at 47% and Rust at 40%. A further 10% of services run on at least one end-of-life (EOL) version, and services with EOL versions show a 50% rate of exploitable vulnerabilities compared with 37% for the rest.

StepSecurity argues that its Harden-Runner, NPM Package Compromised Updates and NPM Package Cooldown features, together with its Threat Center and Artifact Monitor, form a layered defence against these risks, combining runtime monitoring with automated checks that block compromised updates. The firm notes that 50% of organisations use libraries within a day of release, exposing themselves to attacks such as Shai-Hulud and s1ngularity, and that a further 1.6% of npm users have used a malicious dependency in the past year.

StepSecurity says Datadog’s findings align with the protection its platform provides, and invites readers to pin Actions to full commit SHAs and enable its security checks.
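Pinning an action to a tag or branch (`@v2`, `@main`) leaves the step pointing at a mutable reference, so a compromised or force-pushed tag changes what runs in the pipeline; pinning to the full 40-character commit SHA does not. The checker below, added here as an illustration and not code from StepSecurity, Datadog or CyberSIXT, scans a workflow for `uses:` lines and reports every reference that is not a full SHA. It assumes a line-oriented regex scan rather than a full YAML parse, and the sample workflow is constructed, including a placeholder SHA.

```python
import re

# A full commit SHA is exactly 40 hexadecimal characters.
FULL_SHA = re.compile(r"^[0-9a-fA-F]{40}$")

# Captures the reference on a `uses:` line (step or reusable-workflow form),
# stopping at whitespace, quotes or a trailing `# comment`.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?")


def classify_ref(ref):
    """Classify a single `uses:` value.

    "local"    - path inside the repository (./...), nothing to pin
    "docker"   - docker:// image, pinned by digest rather than commit (not checked here)
    "pinned"   - owner/repo@<40-hex commit SHA>
    "unpinned" - owner/repo@tag-or-branch, a short SHA, or no @ref at all
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "unpinned"
    _, version = ref.rsplit("@", 1)
    return "pinned" if FULL_SHA.match(version) else "unpinned"


def find_unpinned(workflow_text):
    """Return (line_number, ref) for every mutable action reference in the workflow."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_LINE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if classify_ref(ref) == "unpinned":
            findings.append((lineno, ref))
    return findings


# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2          # tag: mutable
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: actions/setup-node@main                  # branch: mutable
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - name: build
        run: make
"""


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```

Running the block on the sample reports lines 7 and 9 (the `@v2` tag and the `@main` branch); the placeholder-SHA reference, the local action and the docker image are left alone. Keeping the human-readable version in a trailing comment next to the SHA, as on line 8 of the sample, is the usual way to retain readability once everything is pinned.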


Article by CyberSIXT