clawsmith.com/signal/miasma-ci-secret-rotation-impact-mapper

A CLI tool that maps which CI secrets were exposed during an npm supply chain attack window and outputs a prioritized rotation checklist

The Miasma worm (June 1, 2026) compromised 32 Red Hat npm packages, executing a credential-harvesting payload on every npm install that pulled an affected version and stealing GitHub tokens, cloud credentials, and CI OIDC tokens. The same Phantom Gyp technique (using binding.gyp to trigger node-gyp install hooks) was also used in the earlier Shai Hulud campaign. When a package in your dependency tree is flagged as compromised, the immediate question is: which secrets were exposed? CI systems carry dozens of environment variables and mounted secrets, and not every job sees all of them. No tool today answers the question by walking your workflow graph, identifying which jobs ran npm install inside the compromise window and which secrets those jobs could reach, and outputting a prioritized rotation checklist. Teams are doing this manually from logs.

Product Idea from this Signal

A CLI tool that ingests CI run logs after a supply-chain compromise and produces a per-secret rotation impact map across repos and providers


After a CI supply-chain attack (a compromised action, a poisoned npm package injected into build steps, a malicious runner), the first-responder question is always the same: which secrets did each affected run actually touch, and which therefore need to be rotated right now? No tool answers this. GitGuardian detects secrets in code. StepSecurity hardens runners before the attack. Nobody ships a post-incident forensic tool that ingests raw CI run logs from GitHub Actions, GitLab CI, CircleCI, and Buildkite, correlates them against the secret references in each workflow definition, and outputs a prioritized per-secret rotation checklist with blast-radius metadata (which runs, which repos, which environments, which secret managers). This CLI fills that gap. Engineers specify a date range and a list of affected action hashes or package versions; the tool cross-references every run log, resolves secret names to their vault origin (GitHub Secrets, AWS SSM, Doppler, Vault), and emits JSON and Markdown reports that tell the incident commander exactly what to rotate, in what order, with evidence.
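The walk described above (date range plus affected package versions in, per-secret rotation checklist out), as an added example that is not Clawsmith's code or any shipping tool's. It assumes the GitHub Actions workflow has already been parsed into the dict shape `yaml.safe_load` returns, and that each run's install-step output is available as text containing `name@version` tokens (as `npm ls`, verbose installs and deprecation warnings print them). Every repo, secret name, package name and version, log line and the secret-origin mapping is constructed for the example. It goes one step beyond the text by splitting a job's exposure into two tiers: secrets in the install step's own process environment, which a `binding.gyp` hook reads directly, and secrets referenced elsewhere in the same job, which are reachable only if the payload persisted on the runner.

```python
"""Maps CI secrets exposed by a compromised npm package to a rotation checklist.
Added example, not Clawsmith's or any shipping tool's code. Assumes workflows are
already parsed (WORKFLOW is yaml.safe_load's output) and each run's install-step
output is text. Every name, repo, version and log line below is constructed."""
import re
from collections import defaultdict
from datetime import datetime

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
INSTALL_CMD = re.compile(r"\b(?:npm\s+(?:ci|install|i)|yarn(?:\s+install)?|pnpm\s+install)\b")
# name@semver tokens as printed by `npm ls`, verbose installs or deprecation warnings
PKG_TOKEN = re.compile(r"(?<![\w@])((?:@[\w.-]+/)?[\w.-]+)@(\d+\.\d+\.\d+(?:[-+][\w.]+)?)")

# Constructed org-level workflow template shared by two repos, in yaml.safe_load's shape.
WORKFLOW = {
    "env": {"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"},
    "jobs": {
        "build": {"steps": [
            {"uses": "actions/checkout@v4"},
            {"run": "npm ci", "env": {"FONTAWESOME_TOKEN": "${{ secrets.FONTAWESOME_TOKEN }}"}},
            {"run": "npm test", "env": {"CODECOV_TOKEN": "${{ secrets.CODECOV_TOKEN }}"}}]},
        "deploy": {"environment": "production", "steps": [
            {"uses": "actions/checkout@v4"},
            {"run": "npm install --omit=dev"},
            {"uses": "aws-actions/configure-aws-credentials@v4", "with": {
                "aws-access-key-id": "${{ secrets.AWS_ACCESS_KEY_ID }}",
                "aws-secret-access-key": "${{ secrets.AWS_SECRET_ACCESS_KEY }}"}}]},
        "lint": {"steps": [{"uses": "actions/checkout@v4"}, {"run": "make lint"}]},
    },
}
WORKFLOWS = {"acme/web": WORKFLOW, "acme/docs": WORKFLOW}
# Constructed: where each secret is mastered; anything unlisted lives only in GitHub Secrets.
SECRET_ORIGINS = {"AWS_ACCESS_KEY_ID": "aws-iam", "AWS_SECRET_ACCESS_KEY": "aws-iam",
                  "NPM_TOKEN": "vault:kv/ci/npm"}
AFFECTED = {"@acme/native-widget": {"3.4.1"}}  # constructed advisory: package -> bad versions
WINDOW = ("2026-06-01T00:00:00Z", "2026-06-03T00:00:00Z")
RUNS = [  # constructed run records: job, start time and what the install step printed
    {"run_id": 9001, "repo": "acme/web", "job": "build", "started": "2026-06-01T08:15:00Z",
     "log": "added 412 packages\n├── @acme/native-widget@3.4.1\n├── left-pad@1.3.0\n"},
    {"run_id": 9002, "repo": "acme/web", "job": "deploy", "started": "2026-06-01T09:02:00Z",
     "log": "added 120 packages\n├── @acme/native-widget@3.4.1\n"},
    {"run_id": 9003, "repo": "acme/docs", "job": "build", "started": "2026-06-02T11:40:00Z",
     "log": "added 88 packages\n├── @acme/native-widget@3.4.1\n"},
    {"run_id": 9004, "repo": "acme/web", "job": "build", "started": "2026-05-30T10:00:00Z",
     "log": "added 412 packages\n├── @acme/native-widget@3.4.0\n"},  # before the window
]

def secret_refs(node):
    """Every secrets.NAME referenced anywhere under a parsed YAML node."""
    if isinstance(node, str):
        return set(SECRET_REF.findall(node))
    if isinstance(node, dict):
        node = list(node.values())
    return set().union(*(secret_refs(v) for v in node)) if isinstance(node, list) else set()

def job_exposure(workflow, job_id):
    """Secrets a malicious install hook in this job could reach, or None if it installs
    nothing. "install-env": in the install step's process environment (workflow, job and
    step env). "job": referenced by another step; needs the payload to persist on the runner."""
    job = workflow["jobs"][job_id]
    install = [s for s in job.get("steps", []) if INSTALL_CMD.search(s.get("run") or "")]
    if not install:
        return None
    env_scope = secret_refs(workflow.get("env")) | secret_refs(job.get("env"))
    env_scope |= set().union(*(secret_refs(s.get("env")) for s in install))
    return {n: "install-env" if n in env_scope else "job" for n in secret_refs(job) | env_scope}

def affected_hits(log, affected):
    """(name, version) tokens in an install log that are on the advisory list."""
    return {(n, v) for n, v in PKG_TOKEN.findall(log) if v in affected.get(n, ())}

def rotation_checklist(workflows, runs, affected, window, origins):
    """Runs in the window that installed a bad version -> per-secret blast radius, prioritized."""
    ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    start, end = ts(window[0]), ts(window[1])
    per_secret = defaultdict(lambda: {"scope": "job", "runs": [], "repos": set(),
                                      "environments": set(), "evidence": set()})
    for run in runs:
        hits = affected_hits(run["log"], affected) if start <= ts(run["started"]) < end else set()
        if not hits:
            continue  # outside the window, or nothing in the log matched the advisory
        job = workflows[run["repo"]]["jobs"][run["job"]]
        for name, scope in (job_exposure(workflows[run["repo"]], run["job"]) or {}).items():
            e = per_secret[name]
            if scope == "install-env":
                e["scope"] = "install-env"  # one env-scope exposure lifts the whole secret
            e["runs"].append(run["run_id"])
            e["repos"].add(run["repo"])
            if job.get("environment"):
                e["environments"].add(job["environment"])
            e["evidence"] |= {f"{n}@{v}" for n, v in hits}
    rows = [{"secret": n, "origin": origins.get(n, "github-secrets"), "scope": e["scope"],
             "runs": e["runs"], "repos": sorted(e["repos"]), "environments": sorted(e["environments"]),
             "evidence": sorted(e["evidence"])} for n, e in per_secret.items()]
    # Priority: install-step env first, then deployment-environment secrets, then breadth, then name.
    rows.sort(key=lambda r: (r["scope"] != "install-env", -len(r["environments"]),
                             -len(r["runs"]), r["secret"]))
    return rows

if __name__ == "__main__":
    for i, r in enumerate(rotation_checklist(WORKFLOWS, RUNS, AFFECTED, WINDOW, SECRET_ORIGINS), 1):
        print(f"{i}. rotate {r['secret']} ({r['origin']}, {r['scope']}) runs={r['runs']} repos={r['repos']}")
```

Two caveats for anyone turning this into a real tool. A static walk of `${{ secrets.X }}` references undercounts jobs that use `secrets: inherit` on a reusable workflow or dump `toJSON(secrets)` into a step: treat those jobs as exposing every secret the repository or organization holds. And the automatic `GITHUB_TOKEN` and any OIDC tokens minted during the run have expired by the time you triage, so they do not belong on the rotation list; what they did inside the window is a question for the audit log, not the checklist.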

Tags: devops, security, ci-cd, supply-chain, secret-management, incident-response, cli

Score Breakdown

HN: 1,390

Gap Assessment

Underserved: existing solutions leave gaps

StepSecurity Harden-Runner monitors CI steps for anomalous network access and is the closest competitor, but it is a prevention tool, not a post-compromise impact mapper. Wiz and OX Security published forensic blog posts on Miasma but offer no automated triage. Neither Snyk nor Socket.dev maps workflow execution to secret exposure windows. The gap is an incident-response triage tool that, given a package name and a compromise date range, walks your GitHub Actions workflow graph and identifies which secrets to rotate first.