Stolen Identities and Forged Signatures: How Attackers Broke npm’s Last Trust Signal

On May 19, 633 malicious npm package versions passed Sigstore provenance verification. The system cleared them because the attacker had generated valid signing certificates from a compromised maintainer account. Sigstore worked exactly as designed: it verified the package was built in a CI environment, confirmed a valid certificate was issued, and recorded everything in the transparency log. What it cannot do is determine whether the person holding the credentials authorized the publish — and that gap turned the last automated trust signal in npm into camouflage.

The Attack Sequence

The attack began on May 18 when an attacker stole credentials from a developer and used them to publish version 18.95.0 of the Nx Console VS Code extension, a widely used tool with over 2.2 million lifetime installs. The malicious version stayed live for under 40 minutes, but Nx internal telemetry showed approximately 6,000 activations during that window — most through auto-update — compared to just 28 official downloads. The payload harvested Claude Code configuration files, AWS keys, GitHub tokens, npm tokens, 1Password vault contents, and Kubernetes service account tokens.

The next wave, dubbed “Mini Shai-Hulud” by researchers, hit the npm registry at 01:39 UTC on May 19. Endor Labs detected the initial wave when two dormant packages — jest-canvas-mock and size-sensor — published new versions containing an obfuscated 498KB Bun script. Neither had been updated in over three years, making a sudden new version with raw GitHub commit hash dependencies a detection signal, but only if tooling is watching.

By 02:06 UTC, the worm had propagated across the @antv data visualization ecosystem and dozens of unscoped packages, including echarts-for-react with ~1.1 million weekly downloads. Socket raised the total to 639 compromised versions across 323 unique packages in this wave. Across the full campaign lifecycle, Socket has tracked 1,055 malicious versions across 502 packages spanning npm, PyPI, and Composer.

How Sigstore Fails

Sigstore is designed to verify that a package was built in a CI environment and that a certificate was issued. It cannot verify whether the identity holder authorized the action. In this attack, the stolen credentials allowed the attacker to sign packages with valid provenance attestations. StepSecurity confirmed the payload contained full Sigstore integration. The attacker didn’t just steal credentials; they could sign and publish downstream npm packages that carried valid attestations.

The MCP Server Threat

Adversa AI disclosed TrustFall on May 7, demonstrating that all four major AI coding CLIs — Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI — auto-execute project-defined MCP servers the moment a developer accepts a folder trust prompt. All four default to “Yes” or “Trust.” One keypress spawns an unsandboxed process with the developer’s full privileges. On CI runners using Claude Code’s GitHub Action in headless mode, the trust dialog never renders, so the attack executes with zero human interaction.

Additional Vulnerabilities

Johns Hopkins researchers published “Comment and Control,” proving that a malicious instruction in a GitHub pull request title caused Claude Code Security Review to post its own API key as a comment. The same attack worked on Google’s Gemini CLI Action and GitHub’s Copilot Agent. Anthropic rated the vulnerability CVSS 9.4 Critical.

Microsoft MSRC disclosed two critical Semantic Kernel vulnerabilities on May 7. One routes attacker-controlled vector store fields into a Python eval() call; the other exposes a host-side file download method as a callable kernel function — meaning one poisoned document in a vector store launches a process on the host.

LayerX security researchers separately demonstrated that Cursor stores API keys and session tokens in unprotected storage, meaning any browser extension can access developer credentials without elevated permissions.

The Verizon 2026 Data Breach Investigations Report found that 67% of employees access AI services from non-corporate accounts on corporate devices. Source code leads all data types submitted to unauthorized AI platforms — the same asset class the npm worm campaign targeted. The CrowdStrike 2026 Financial Services Threat Landscape Report documents adversaries actively hunting the credential types these attacks harvest.

What Security Directors Should Do

Security directors should run this grid against current vendor contracts before Q2 renewals close: ask each vendor which of the seven attack surfaces their product covers.

Any credential accessible from a developer machine or CI runner that installed affected npm packages between 01:39 and 02:18 UTC on May 19 should be considered compromised. That includes GitHub PATs, npm tokens, AWS access keys, Kubernetes service account tokens, HashiCorp Vault tokens, SSH keys, and 1Password vault contents.

AI coding agent integrations running in CI/CD pipelines with pull_request_target workflows deserve scrutiny — each one is a prompt injection surface.

Procurement teams should add a stolen-identity resistance dimension to vendor assessments. The question: can the vendor demonstrate how their tool distinguishes a legitimate maintainer publish from an attacker using compromised credentials? If they cannot, the tool is not a verification layer.

The developer tool supply chain has the same problem IAM had a decade ago: credentials prove who you claim to be, not who you are. IAM got a 10-year head start on compensating controls before nation-state groups turned credential theft into an industrial operation. The AI coding tool ecosystem is starting that clock now.
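The two detection signals the article names (a dormant package suddenly publishing a version that depends on raw GitHub commit hashes, and any version published inside the 01:39–02:18 UTC window on May 19) can be checked mechanically against npm registry metadata. The script below is an added example, not code from the article or from Endor Labs, Socket or StepSecurity; it assumes the npm registry's `time` object layout (version to ISO 8601 timestamp), assumes the incident year is 2026, and the package metadata and package.json fragment are constructed samples.

```python
import re
from datetime import datetime, timedelta, timezone

# Incident window from the article; the year is an assumption (2026).
WINDOW_START = datetime(2026, 5, 19, 1, 39, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 19, 2, 18, tzinfo=timezone.utc)
DORMANCY = timedelta(days=3 * 365)  # "not updated in over three years"
# Dependency specs that pin a raw git commit, e.g. github:owner/repo#<sha>
GIT_COMMIT_DEP = re.compile(
    r"^(?:github:|git\+|https?://github\.com/)?[\w.-]+/[\w.-]+(?:\.git)?#[0-9a-f]{7,40}$")


def parse_ts(ts):
    """Parse an npm registry timestamp such as 2026-05-19T01:41:12.000Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_times(time_field):
    """Sorted (timestamp, version) pairs, skipping the created/modified keys."""
    return sorted((parse_ts(t), v) for v, t in time_field.items()
                  if v not in ("created", "modified"))


def dormant_then_published(time_field):
    """Versions whose publish follows more than DORMANCY of silence."""
    vt = version_times(time_field)
    return [cur_v for (prev_t, _), (cur_t, cur_v) in zip(vt, vt[1:])
            if cur_t - prev_t > DORMANCY]


def published_in_window(time_field):
    """Versions published inside the incident window."""
    return [v for t, v in version_times(time_field) if WINDOW_START <= t <= WINDOW_END]


def git_commit_deps(package_json):
    """(name, spec) pairs for dependencies pinned to a raw git commit hash."""
    return [(name, spec)
            for field in ("dependencies", "devDependencies", "optionalDependencies")
            for name, spec in package_json.get(field, {}).items()
            if GIT_COMMIT_DEP.match(spec)]


def review_package(time_field, package_json):
    """Combine the three signals into a list of human-readable findings."""
    findings = [f"dormant package revived by {v}" for v in dormant_then_published(time_field)]
    findings += [f"{v} published inside incident window" for v in published_in_window(time_field)]
    findings += [f"{n} pinned to raw commit: {s}" for n, s in git_commit_deps(package_json)]
    return findings


# Constructed sample: a package silent since 2021 that publishes during the window.
SAMPLE_TIME = {"created": "2021-03-02T10:00:00.000Z", "2.4.0": "2021-03-02T10:00:00.000Z",
               "2.4.1": "2021-03-10T10:00:00.000Z", "2.5.0": "2026-05-19T01:41:12.000Z",
               "modified": "2026-05-19T01:41:12.000Z"}
SAMPLE_PKG = {"dependencies": {"lodash": "^4.17.21",
              "helper": "github:someuser/helper#9fceb02d0ae598e95dc970b74767f19372d61af8"}}
```

Feeding a real package's `time` object from `https://registry.npmjs.org/<name>` into `review_package` gives the same three checks over live metadata.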

Byte Tribune editor. I produce news on technology, artificial intelligence, and cybersecurity.
