BSidesPDX-2025

Ashish Kurmi

Ashish Kurmi is the CTO and co-founder of StepSecurity, a cybersecurity startup securing CI/CD pipelines against supply chain attacks. Before StepSecurity, he was with Microsoft Corporation, Uber Technologies, and Plaid Inc. in security leadership roles. He primarily worked with software developers at these companies to understand their security pain points and built security systems to remediate security issues at scale. He has 15 years of experience in security and software engineering.

Ashish has previously spoken at several conferences such as BlackHat USA, (ISC)2 Security Congress, and Open Source 101.


Session

10-25
11:30
20min
Tag, You're Leaked: Surviving the tj-actions Supply Chain Attack
Mark Esler, Ashish Kurmi

In March 2025, the tj-actions/changed-files GitHub Action, which is used by 24,000 repositories, was weaponized to steal CI/CD secrets. All 361 version tags were pointed to malicious code that dumped credentials from memory directly into build logs. We were the first responders.

Come hear the untold story of the 72-hour incident response. You'll learn how we detected an attack that traditional tools missed, built an IOC scanner over a weekend while the attack was live, and coordinated disclosure with dozens of organizations.

You'll walk away with:
- A tested incident response playbook you can adapt for your organization
- Open-source tools: harden-runner (behavioral monitoring) and ghscan (IOC scanning)
- Practical defenses for resilience against similar attacks

Talk 1