How attackers exploited npm’s trusted publishing system with fake certificates
Attackers bypassed npm’s last line of trust by abusing Sigstore provenance verification, turning valid certificates into weapons. Learn how stolen credentials and CI/CD flaws enabled a rapid supply-chain attack.