EQS Group is a leading international cloud provider in the fields of corporate compliance, investor relations, and sustainability reporting.
EQS Group’s products are pooled in the cloud-based software EQS COCKPIT. This platform ensures the professional handling of compliance workflows in the fields of whistleblower protection and case management, policy management, business approvals, third-party management, insider list management, disclosure obligations, sustainability reporting including automated ESG data collection, management, and filing in compliance with regulations.
In addition, listed companies benefit from a global newswire, investor targeting and contact management, investor relations websites, digital reports, and webcasts for efficient and secure investor communications.
EQS Group was founded in 2000 in Munich, Germany. Today, the group employs around 600 professionals and has offices in the world’s key financial markets.
Find out more at https://www.eqs.com/about-eqs/#about
Documents
- Secure encryption algorithms are used as per NIST recommendations
- Suppliers and subprocessors
- Policy for personal data protection
- Commitment to maintain / obtain agreed certification
- Data will be processed in European Economic Area only
Shai-Hulud 2.0 Supply Chain Attack – no impact to EQS
Popular projects from Zapier, ENS Domains, PostHog, and Postman were temporarily "trojanized" by threat actors, leading to GitHub repos populated with stolen victim data. Some of these packages are in widespread use among developers.
Newly compromised packages continue to surface. The number of identified compromised packages is steadily growing, currently at circa 700. The blast radius is already massive – 25,000+ malicious repos across circa 500 GitHub users. For more technical information, kindly see this post from Wiz: https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
What has EQS done?
First, EQS does not use GitHub directly. EQS hosts its source code on private, internal repositories. Packages borrowed from public repositories are tightly scanned with multiple tools and vetted before inclusion and use.
To identify this potential threat, EQS has built a dedicated scanner which tries to identify known compromised packages and inspect dependencies against them. The scanner also parses all installation actions from packages, since exploitation happens during the installation. EQS has simulated how installation scripts work to identify signs of malicious traffic and exploitation.
Furthermore, potential secret exposures coming from the CI/CD pipeline have been assessed. All variables in the CI/CD pipelines have been inspected to detect cloud credentials, Kubernetes registry credentials, SSH keys, and so on.
Finally, we have used our CNAPP tool to scan for the presence of vulnerable packages directly on our hosting environments (both QA and production).
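The dependency and install-script checks described above can be illustrated with a short added example. This is not EQS's scanner; it assumes the npm ecosystem that Shai-Hulud 2.0 targeted and the `packages` map of a v2/v3 `package-lock.json`, and every package name, version and denylist entry in it is a constructed placeholder.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) against a denylist.
// All package names and versions below are constructed placeholders.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// Derive the package name from a lockfile key such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Flag exact name@version matches, then any install-time script not yet reviewed.
function scanLockfile(lock, denylist, reviewedInstallers = new Set()) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry
    const name = entry.name || nameFromKey(key);
    const id = `${name}@${entry.version}`;
    if (denylist.has(id)) {
      findings.push({ id, path: key, reason: "known-compromised" });
    } else if (entry.hasInstallScript && !reviewedInstallers.has(name)) {
      findings.push({ id, path: key, reason: "unreviewed-install-script" });
    }
  }
  return findings;
}

// Lifecycle hooks declared in a package.json manifest run at install time.
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Constructed sample data.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/example-lib": { version: "2.3.1" },
  "node_modules/@example/sdk": { version: "4.0.2", hasInstallScript: true },
  "node_modules/example-lib/node_modules/native-helper":
    { version: "1.1.0", hasInstallScript: true },
}};
const sampleDenylist = new Set(["@example/sdk@4.0.2"]);
const sampleManifest = { name: "@example/sdk", version: "4.0.2",
  scripts: { preinstall: "node setup.js", test: "jest" } };

console.log(scanLockfile(sampleLock, sampleDenylist));
console.log(installHooks(sampleManifest));
```

Matching on exact `name@version` catches only versions already published as compromised, which is why the install-script pass is kept as a separate signal.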
Results
EQS has detected no signs of compromise or vulnerability to this attack.
For further information, don't hesitate to contact infosec@eqs.com.
EQS Group successfully completes SOC 2 Type II examinations for compliance solutions
To reiterate its commitment to robust security practices and transparent assurance measures, EQS Group has successfully completed two SOC 2 Type II examinations for its compliance solutions. The examinations were performed in accordance with the attestation standards established by the American Institute of Certified Public Accountants (AICPA) and ISAE 3000, an international standard for assurance engagements issued by the International Auditing and Assurance Standards Board (IAASB).
EQS Group provides these SOC 2 Type II reports to support customers who must demonstrate strong due-diligence and supplier-assurance practices when working with cloud-based compliance tools that process sensitive information.
The System and Organization Controls (SOC) standards are attestation standards designed to assess the effectiveness of internal controls that support secure, reliable, and confidential processing of data. The SOC 2 examinations were performed by an independent, licensed CPA firm (Schellman), based on the applicable AICPA Trust Services Criteria, which outline core principles across security, availability, and confidentiality.
The examinations covered two EQS Group platforms over different review durations: five months for the EQS Compliance COCKPIT and twelve months for the Convercent platform. Both examinations included evidence provision and a three-day onsite assessment with extensive interviews at EQS Group headquarters in Munich.
Completing the SOC 2 Type II examinations for both platforms reinforces EQS Group’s commitment to operating services with clearly defined, tested, and continuously improved controls and to providing transparent assurance materials that support customer trust and informed decision-making.
To reach the SOC 2 reports, head to https://trust.eqs.com/product/EQS+Group/soc-2-type-2 (accessible to customers with a valid NDA).
For further questions, please contact infosec@eqs.com.
The EQS team
EQS Group expands the scope of its ISO/IEC 27001, 27017, and 27018 certification
In May, EQS Group completed its ISO/IEC 27001/27017/27018 re-certification. After two successful onsite audits in Denver, Colorado, U.S.A., in September and Neuilly-sur-Seine (Paris), France, in October, EQS Group is delighted to announce that both locations are now part of the certification scope and listed in the certificate.
EQS Group maintains strict security measures as part of its Information Security Management System at all of its offices worldwide. By adding these two major offices to the certification scope and therefore subjecting them to regular external surveillance audits, EQS Group further enhances transparency and strengthens trust with customers internationally, reinforcing its pledge to secure and reliable handling of sensitive data for its 14,000+ customers.
Interested parties can reach the ISO/IEC certificate in English and German at this URL: https://trust.eqs.com/product/EQS+Group/iso27001
ISAE 3000 Type II PIP Audit Reports 2025 for the EQS IR COCKPIT
We are excited to inform you that the new ISAE 3000 Type II audit reports for our News & Disclosure services in IR COCKPIT and EQS as a Primary Information Provider (PIP) are available.
This year, two reports have been published:
- The annual audit for “Compliance of EQS Group AG with the Continuing Obligations in DTR 8.4—Assurance Report in Accordance with ISAE 3000”, covering the UK Financial Conduct Authority (FCA) requirements (the 2025 FCA PIP Audit Report)
- The biennial (i.e., every 2nd year) “Independent Auditor's Report Concerning the Compliance of EQS Group AG as a Primary Information Provider by the Autorité des Marchés Financiers (AMF)” (the 2025 AMF PIP Audit Report)
Both audits covered the period August 1st 2024 to July 31st 2025 and were performed by BDO Switzerland.
Both audit reports can be found in the EQS Trust Center under IR COCKPIT at this URL: https://trust.eqs.com/product/ir-cockpit/isae-3000
Customers and prospects with the proper access (e.g., a signed confidentiality agreement and access to IR COCKPIT) can download the reports directly from there.
Please don't hesitate to contact us in case you have any questions regarding the above or any other audits.
New EcoVadis Rating available for EQS Group
EQS Group is pleased to announce the renewal of its EcoVadis Silver certification.
In the internationally recognized EcoVadis assessment, EQS Group achieved a score of 74 out of a possible 100 points (+2 points compared to 2024). Compared with other companies, EQS Group ranks at the 91st percentile, which means its score is higher than or equal to the score of 91 percent of all companies rated by EcoVadis.
According to EcoVadis, EQS Group has a structured and proactive sustainability approach, policies, and tangible actions on major sustainability issues with detailed implementation, as well as significant sustainability reporting on actions and Key Performance Indicators.
For these results, EQS Group has been awarded a silver medal in this rating.
While the results are publicly available, an enabled EQS Trust Center account is required to download the full EcoVadis scorecard, which can be accessed from here: https://trust.eqs.com/product/EQS+Group/ecovadis-2025-silver