May 19, 2026
SigmaShake Response to npm High-Privilege Token Rotation (Mini Shai-Hulud Precaution)
On May 19, 2026, npm proactively rotated granular access tokens carrying write scope that bypass 2FA on token use, as a precaution against further supply chain attacks in the pattern of the "Mini Shai-Hulud" worm. Within seven minutes of receiving npm's rotation notice, we rotated the affected npm publish credentials held in our Cloudflare Worker secret store and confirmed our publishing automation is operating on the new tokens. We are evaluating npm Trusted Publishing as a follow-on hardening to further reduce reliance on long-lived publish tokens. No customer action is required.
TC-2026-0519-B
ASSESSMENT
May 19, 2026
SOC 2 Type II Q2 Surveillance Pen Test — 17 Findings, Same-Day Remediation (Report v1.2.1)
Completed the Q2 surveillance round of the AI-assisted (Claude Opus 4.7) penetration test across all 27 production services, scoped against OWASP WSTG v4.2, OWASP ASVS v4.0.3 Level 3, and PTES. The round identified 1 Critical (sigmashake-vibe project/preview IDOR — SSG-2026-043), 4 High (workspace inline-editor symlink escape, fleet pg-d1 schema-name interpolation, vibe deploy per-user rate limit, vibe magic-link atomic consume — SSG-2026-044..047), 4 Medium (vibe deploy error opacity, workspace edit body-size cap, affiliates Amazon ASIN allowlist, compliance staff-auth strict typeof guard — SSG-2026-048..051), and 8 Observation/Informational items. Every Critical, High, and Medium finding was code-level remediated and deployed the same day; the four Observation-tier items (download CDN integrity sidecar, ask prompt-injection framing, vcs RPC body schema, streamcord allowed_mentions escape — SSG-2026-052..055) were closed in a follow-on v1.2.1 close-out. Defense-in-depth additions landed alongside: workspace cloud-worker CORS pinned to a sigmashake.com origin allowlist with Vary: Origin; VS Code extension sanitizes sigmashake.workspace.daemonUrl (loopback or sigmashake.com over https only). The Penetration Testing Assessment Report (v1.2.1) and the SOC 2 Type II Readiness Package (v1.1.0) are downloadable under mutual NDA from the document portal above; the static self-evaluation (bun run sigmashake-compliance/scripts/self-evaluate.ts) passes 27/28 with one non-blocking orphan-policy warning. Cumulative posture: zero Critical/High/Medium/Low items outstanding; only Accepted-Risk design trade-offs and affirmative Observations remain. Next AI-assisted surveillance round Q3 2026, alongside an independent annual human-led pentest engagement.
May 13, 2026
GDPR & International Compliance — EU, UK, Switzerland Coverage Layer
Shipped the GDPR control family alongside SOC 2 + ISO 27001: 31 GDPR articles catalogued across Chapters II–V — 25 applicable, with documented applicability rationales for the 6 out-of-scope articles (Art. 8 / 9 / 10 / 22 / 26 / 37); 9 new evidence collectors covering DSRs, the Article 30 Record of Processing Activities, sub-processor freshness, breach-notification SLAs, privacy-notice currency, data-residency attestation, consent register, Transfer Impact Assessments, and the DPIA register; and 11 new policies (privacy policy, customer DPA template, DSR procedure, breach-notification procedure, international-transfer procedure, retention schedule, cookie policy, sub-processor management, DPIA procedure, EU representative analysis, DPO designation, and cryptography policy). Two new public endpoints went live alongside the existing verification API: POST /api/v1/dsr for data-subject-rights intake (rate-limited 5/hr/IP, opaque token in response, status lookup at GET /api/v1/dsr/:token); and GET /api/v1/sub-processors.json for the machine-readable Article 28(2) feed referenced in the customer DPA. UK GDPR + Swiss FADP coverage is inherited via the same control set with IDTA / FADP-adequacy modular addenda available on request. Catalog now covers 167 controls across 3 frameworks (43 SOC 2 + 93 ISO 27001 + 31 GDPR), 68 collectors, 28 policies. Self-evaluation: 27/28 pass with one non-blocking warning.
May 13, 2026
Penetration Test Sweep — Compliance Worker (Claude Opus 4.7)
Targeted code-level pen-test sweep of the sigmashake-compliance worker shipped 3 defense-in-depth hardenings: (1) open-redirect in the staff /compliance/login handler — old check accepted backslash sequences some browsers normalise to //host; now rejects backslashes, length-caps the next-URL, re-parses with the URL constructor, and verifies host equality before redirecting. (2) Input shape validation on POST /api/v1/verify — now enforces lowercase-hex regex for content_hash (SHA-256, 64 chars), signature (Ed25519, 128 chars), and a strict kid charset before reaching crypto.subtle. (3) Public sub-processor feed minimisation — stripped notes_md from GET /api/v1/sub-processors.json (could leak vendor SDK versions or internal DPA refs); public feed is now id/name/url/category/data_access only. Reviewed clean: all D1 queries parameterized, staff routes gated by CIDR-allowlist → auth → same-origin → CSP+nonce, Discord webhook host-allowlist, HMAC nonce+TS replay cache, Object Lock 90d on R2.
Apr 30, 2026
Compliance Automation Worker GA & Day-0 Gate Approaching
The sigmashake-compliance Worker is now live at compliance.sigmashake.com, executing 44+ automated evidence collectors on a daily / weekly / monthly / quarterly cadence. Every output is canonicalized, hashed, and Ed25519-signed; daily content_hashes are Merkle-chained into a signed root that is cross-anchored into the public sigmashake-hub transparency log. A native Cloudflare D1 immutable backup pipeline writes hashed weekly snapshots to a dedicated R2 bucket protected by a 90-day non-bypassable Object Lock rule. Customers can verify any signed artefact against the public key at /.well-known/compliance-pubkey or via POST /api/v1/verify. The 6-month SOC 2 Type 2 observation window opens 2026-05-18 and closes 2026-11-17, with a SOC 2-aligned self-assessment publication targeted for 2026-12-31.
Apr 26, 2026
Self-Hosted Identity Provider Replaces Okta Tenant
SigmaShake's internal SSO has been cut over from a hosted Okta tenant to a self-hosted OIDC + SAML 2.0 IdP at sso.sigmashake.com. The new IdP supports OIDC authorization-code + PKCE, refresh-token rotation, RFC 7591 dynamic client registration, RFC 7662 introspection, RFC 7009 revocation, and back-channel logout. SAML 2.0 includes exclusive XML canonicalization, Single Logout, and quarterly signing-key rotation. MFA enrollment is via WebAuthn or TOTP with HIBP breach checks on password set; signing-key age is tracked by a weekly evidence collector. AI-agent self-enrollment uses the OAuth Device Code flow (RFC 8628) on the fleet side. The Okta token-endpoint fallback has been removed from the OIDC callback path.
Apr 22, 2026
SOC 2 Type 1 Self-Eval Complete — Day-0 Design Gap Closed
Every TSC control now has at least one wired-in evidence collector, every collector is bound to a cron batch, and every policy referenced by the controls catalog exists with auditor-credible content (no stub policies remain). The latest expansion added 9 collectors (training-completions, attestation-log, pen-test-report, quality-information-snapshot, internal-communication, control-matrix-snapshot, physical-access-inheritance, asset-disposal-attestation, r2-object-lock-verify), 4 new policies (code-of-conduct, external-communications, processing-integrity, system-description per AICPA TSP §300), and expanded 7 stub policies into full auditor-credible documents. A self-evaluation harness now runs at test, CLI, and runtime (bun run self-eval + GET /compliance/api/self-evaluation) and gates pre-commit. 11/11 static checks pass; 62/62 tests pass.
Apr 18, 2026
Penetration Testing Assessment Published & Document Portal Overhaul
A full SOC 2 Type II penetration testing assessment report is now available to prospective enterprise customers under NDA. The assessment was performed by Claude Opus 4.7 (Anthropic) as an AI-assisted code-level security review aligned with OWASP WSTG v4.2, OWASP ASVS v4.0.3 Level 3, and PTES. The engagement identified 4 Critical and 12 High-severity findings across 12 services and the compiled CLI — every one remediated and verified closed the same day. We also replaced the broken "Request access" placeholders on this page with a real NDA + OTP flow, so every NDA-gated document — Controls Evidence, Penetration Test, SOC 2 Readiness, and the full bundle — is downloadable after signing the mutual NDA. The Security Whitepaper is now a public download; no NDA required.
Apr 16, 2026
SIEM Log Forwarding GA & Trust Center Content Refresh
Fleet-side SIEM log forwarding is now generally available: dual-mode stream-and-archive pipeline with Splunk HEC, Cribl HTTP-in, Confluent Cloud Kafka REST, and generic HMAC-signed webhook sinks, plus an offline queue with replay-on-reconnect. Added as a shipped item on the Security Roadmap. We also completed a content-consistency pass across trust.sigmashake.com and security.sigmashake.com — unified responsible-disclosure SLAs (48h ack, 5-day triage, 30/90-day remediation) across every surface and reconciled the published rule count for the TypeScript ruleset (11 rules).
Apr 14, 2026
Compliance Certifications Status Update
Updated compliance certification statuses to reflect our current standing as of April 2026. GDPR and CCPA are now marked as Self-Assessed Compliant, backed by implemented controls: opt-in telemetry, account deletion cascade, subprocessor transparency, DPA availability, and per-org data residency. HIPAA and PCI DSS are marked Not Applicable — SigmaShake does not process PHI (we're a governance tool, not a health data processor) and all cardholder data is handled exclusively by Stripe (PCI-DSS Level 1). ISO/IEC 27001 is on the roadmap following SOC 2 Type II completion. Icons have been modernized with distinct, certification-specific designs and compliance status indicators.
Apr 12, 2026
Business Continuity & Procurement Transparency
We have added a new Business Continuity section to the Trust Center and Controls Evidence Report addressing the top procurement concerns for self-hosted or single-operator vendors: offline-first enforcement (no cloud dependency for the CLI), source availability clause on vendor wind-down, key escrow plan, and SOC 2 Type II timeline. The landing page now includes an Honest Answers section responding directly to common technical objections.
Apr 12, 2026
Enterprise Security Controls — April 2026 Update
We have shipped and documented a significant set of enterprise security controls: Ed25519 bundle signing, Merkle-chain audit log, SAML/OIDC SSO with interactive provider selector, custom RBAC roles, org IP/CIDR allowlist, service accounts, per-org D1 data residency, tenant isolation guard (WS-21/22), P-256 license key rotation with JWKS endpoint, and a disk-backed fail-open audit queue. All 42 findings from four independent audit rounds (fleet, CLI, MCP, QA) have been closed. The Controls Evidence Report has been updated to reflect these implementations.
Apr 6, 2026
SigmaShake Response to the Axios npm Supply Chain Compromise
SigmaShake Cloud is not impacted by the recently disclosed supply chain attack against the Axios npm package (axios@1.14.1 and axios@0.30.4), in which a compromised maintainer account was used to publish backdoored versions containing a cross-platform remote access trojan (RAT). No action is required by our customers.
Sep 2, 2025
SigmaShake Response to React (CVE-2025-55182) and Next.js (CVE-2025-66478) Vulnerabilities
We have actively patched all our internal services to address the disclosed vulnerabilities in React and Next.js. No customer data was exposed.
Aug 18, 2025
SigmaShake Response to Shai-Hulud 2.0 Supply Chain Attacks
SigmaShake infrastructure and software supply chains were fully audited and verified to not be affected by the Shai-Hulud 2.0 incidents.
No bulletins match that filter.