Valid certificates, stolen accounts: how attackers broke npm's last trust signal
Why this matters: a development in AI with implications for how people work, create, and decide.
On May 19, 633 malicious npm package versions passed Sigstore provenance verification. They were cleared by the system because the attacker had generated valid signing certificates from a compromised maintainer account.Sigstore worked exactly as designed: it verified the package was built in a CI environment, confirmed a valid certificate was issued, and recorded everything in the transparency log. What it cannot do is determine whether the person holding the credentials authorized the publish — and that gap turned the last automated trust signal in npm into camouflage.One day earlier, StepSecurity documented an attack on the Nx Console VS Code extension, a widely used developer tool with more than 2.2 million lifetime installs. Version 18.95.0 was published using stolen credentials on May 18 and stayed live for under 40 minutes — but Nx internal telemetry showed approximately 6,000 activations during that window, most through auto-update, compared to just 28 official downloads. The payload harvested Claude Code configuration files, AWS keys, GitHub tokens, npm tokens, 1Password vault contents, and Kubernetes service account tokens.The Mini Shai-Hulud campaign, attributed by multiple researchers to a financially motivated threat actor identified as TeamPCP, hit the npm registry at 01:39 UTC on May 19. Endor Labs detected the initial wave when two dormant packages, jest-canvas-mock and size-sensor, published new versions containing an obfuscated 498KB Bun script — neither had been updated in over three years, making a sudden version with raw GitHub commit hash dependencies a detection signal, but only if the tooling is watching.By 02:06 UTC, the worm had propagated across the @antv data visualization ecosystem and dozens of unscoped packages, including echarts-for-react (~1.1 million weekly downloads). Socket raised the total to 639 compromised versions across 323 unique packages in this wave. Across the full campaign lifecycle, Socket has tracked 1,055 malicious ver