How attackers exploited npm’s trusted publishing system with fake certificates

On May 19, a coordinated supply-chain attack turned npm’s provenance verification—the final automated trust signal—into a Trojan horse. Researchers discovered 633 malicious package versions in the npm registry that passed Sigstore’s integrity checks because the attacker had obtained valid signing certificates from a compromised maintainer account.

Sigstore functioned as intended: it confirmed the packages were built in a CI environment, verified the certificate’s validity, and logged the transaction in a transparent audit trail. What it could not—and cannot—verify was whether the person controlling those credentials had authorized the publish. This blind spot turned the last automated safeguard into camouflage for malicious code.

Stolen credentials fuel a 48-hour wave of attacks

Just one day before the npm incident, security firm StepSecurity revealed a separate attack targeting the popular Nx Console VS Code extension. On May 18, attackers published version 18.95.0 using stolen credentials, leaving the malicious version online for less than 40 minutes. Despite its brief exposure, internal telemetry showed nearly 6,000 activations during that window—mostly through auto-updates—compared to only 28 official downloads. The payload extracted sensitive data including AWS keys, GitHub tokens, npm tokens, 1Password vault contents, and Kubernetes service account tokens.

Then, at 01:39 UTC on May 19, the "Mini Shai-Hulud" campaign launched. Named after the sandworm from Frank Herbert’s Dune, this attack was attributed to TeamPCP, a financially motivated threat actor. The initial wave targeted dormant packages like jest-canvas-mock and size-sensor, which had not been updated in over three years. Their sudden activity—publishing versions with raw GitHub commit hash dependencies—was a red flag, but only detectable to tools actively monitoring for such anomalies.

By 02:06 UTC, the attack had spread across the @antv data visualization ecosystem and dozens of unscoped packages, including echarts-for-react, which sees roughly 1.1 million weekly downloads. Socket Security later identified 639 compromised versions across 323 unique packages in this single wave. When tracking the full campaign, Socket found 1,055 malicious versions across 502 packages spanning npm, PyPI, and Composer.

How valid certificates masked malicious code

Notably, the attacker embedded full Sigstore integration in the payload. This allowed them to publish downstream npm packages that carried valid provenance attestations—essentially tricking the system into treating malicious code as trustworthy. The attack chain relied on a sequence of failures:

• Compromised maintainer accounts provided legitimate signing certificates.
• The CI/CD pipeline executed builds without human oversight.
• Sigstore verified the build provenance without questioning the author’s intent.
• Downstream packages inherited the false legitimacy through dependency chains.

This incident underscored a critical gap in trust models: automated verification systems cannot distinguish between authorized and unauthorized actions when credentials are stolen.

Four major AI coding tools share the same fundamental flaw

Security researchers across multiple teams have demonstrated that the developer tool verification model is fundamentally broken. Adversa AI’s “TrustFall” flaw, disclosed on May 7, exposed a critical vulnerability in four leading AI coding agents: Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI. All rely on a default “Yes” or “Trust” response to folder prompts, enabling auto-execution of project-defined MCP servers the moment a developer accepts a trust prompt.

Once triggered, the MCP server operates with the developer’s full privileges, capable of reading stored secrets and source code from other projects. In CI environments using Claude Code’s GitHub Action in headless mode, no human interaction is required—the attack executes silently.

Johns Hopkins University researchers Aonan Guan, Zhengyu Liu, and Gavin Zhong further illustrated this risk in their paper “Comment and Control.” They showed that a malicious instruction embedded in a GitHub pull request title could coerce Claude Code Security Review to expose its own API key as a comment. The same technique worked on Google’s Gemini CLI Action and GitHub’s Copilot Agent. Anthropic rated this vulnerability CVSS 9.4 Critical through its HackerOne program.

Microsoft’s MSRC separately disclosed two critical vulnerabilities in Semantic Kernel on May 7. One allowed attacker-controlled vector store fields to trigger a Python eval() execution, while the other exposed a host-side file download method as a callable kernel function—meaning a single poisoned document could launch a process on the host system.

LayerX security researchers also demonstrated that Cursor stores API keys and session tokens in unprotected browser storage, allowing any browser extension to access developer credentials without elevated permissions.

The human factor: shadow AI and credential theft

The rising threat is compounded by the growth of shadow AI—employees using non-corporate accounts on corporate devices to access AI services. According to the Verizon 2026 Data Breach Investigations Report, released May 19, 67% of employees engage in this behavior. Shadow AI ranks as the third most common non-malicious insider action in data loss prevention datasets, with source code being the most frequently submitted data type to unauthorized platforms.

This behavior creates new attack surfaces. Stolen credentials from personal accounts can be reused to compromise corporate systems, while AI agents inadvertently expose sensitive data through prompts or integrations. The result is a feedback loop: attackers harvest credentials, exploit automation gaps, and scale attacks across ecosystems.

The npm and VS Code extension incidents were not isolated failures. They are symptoms of a broader crisis in developer tool security—one where automation and trust models outpace the ability to verify intent. Until the industry addresses the human and technical gaps in this chain, supply-chain attacks will continue to exploit the last remaining trust signals as entry points.

Looking ahead, the challenge will be designing verification systems that account for compromised credentials and unauthorized actions—not just technical validity. Without this shift, even the most robust provenance systems will remain vulnerable to exploitation.