The npm Provenance Check Passed. That Was the Problem.
Sigstore was supposed to make npm safe. A CI workflow signs the package with a short-lived certificate tied to its OIDC identity, Sigstore's transparency log records the signature, and consumers can verify that the package came out of that pipeline rather than from an attacker's laptop. The system worked exactly as designed. The problem is the design: Sigstore verifies that a signature was made by a particular identity. It does not verify that whoever controlled that identity at signing time was authorized to publish the package.
That gap is the core of the Mini Shai-Hulud supply chain campaign, which dropped 1,055 malicious package versions across npm, PyPI, and Composer between May 18 and May 19, including 639 compromised npm versions across 323 unique packages in the AntV ecosystem alone (Socket). Security firm Endor Labs found that 633 of those 639 malicious npm package versions passed Sigstore provenance verification. They were cleared by the system because the attacker had generated valid signing certificates from a compromised maintainer account (Endor Labs). The cryptographic chain held. The identity at the other end of it did not.
This is not a bug in Sigstore. Sigstore's design is sound. It is a transparency log for artifacts, not a permission system for publishing. But the security community has been treating provenance verification as a trust signal for package integrity, and those two things are not the same. A package with a valid Sigstore signature can still be published by an attacker who has taken over the maintainer's account or CI identity: the certificate records which workflow signed, not whether the person who triggered that workflow should have. The signature proves origin. It does not prove authorization.
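To make the origin-versus-authorization distinction concrete, here is an added example (not code from this article, from Sigstore, or from npm) of a policy layer applied after provenance verification has already succeeded. It assumes verification has extracted the signer identity from the Fulcio certificate (issuer, source repository, the workflow URI with its ref, and runner environment); the field names, the `@example/widgets` package, its repository and its workflow path are all hypothetical. The policy binds the package to the one workflow allowed to publish it. Two of the three constructed signers carry perfectly valid certificates and are rejected anyway; the third, a compromised maintainer account running the real release workflow, passes, which is exactly the gap described above.

```javascript
'use strict';
// Added example (not code from the article, Sigstore, or npm): an
// authorization policy layered on top of an already *verified* provenance
// attestation. Assumed input: the identity fields that verification extracts
// from the Fulcio signing certificate of a GitHub Actions workflow. The field
// names are a simplification of the certificate extensions; the package,
// repository and workflow path are hypothetical.

// Hypothetical binding of a package to the only pipeline allowed to publish it.
const PUBLISHER_POLICY = {
  '@example/widgets': {
    issuer: 'https://token.actions.githubusercontent.com',
    sourceRepository: 'https://github.com/example-org/widgets',
    workflowPath: '.github/workflows/release.yml',
    allowedRefs: [/^refs\/tags\/v\d+\.\d+\.\d+$/],
    runnerEnvironment: 'github-hosted',
  },
};

// identity: what signature verification already proved about the signer.
// Returns { allowed, reasons }; reasons is empty when the publish is authorized.
function evaluateProvenancePolicy(packageName, identity, policy = PUBLISHER_POLICY) {
  const rule = policy[packageName];
  if (!rule) {
    return { allowed: false, reasons: [`no publisher policy bound to ${packageName}`] };
  }
  const reasons = [];
  if (identity.issuer !== rule.issuer) {
    reasons.push(`issuer ${identity.issuer} is not ${rule.issuer}`);
  }
  if (identity.sourceRepository !== rule.sourceRepository) {
    reasons.push(`source repository ${identity.sourceRepository} is not ${rule.sourceRepository}`);
  }
  // The build signer URI has the form <repo URL>/<workflow path>@<ref>; the ref
  // says which tag or branch the workflow ran from.
  const [workflowUri, ref = ''] = String(identity.buildSignerUri || '').split('@');
  const expectedWorkflowUri = `${rule.sourceRepository}/${rule.workflowPath}`;
  if (workflowUri !== expectedWorkflowUri) {
    reasons.push(`workflow ${workflowUri} is not ${expectedWorkflowUri}`);
  }
  if (!rule.allowedRefs.some((re) => re.test(ref))) {
    reasons.push(`ref ${ref} is not a release tag`);
  }
  if (identity.runnerEnvironment !== rule.runnerEnvironment) {
    reasons.push(`runner environment ${identity.runnerEnvironment} is not ${rule.runnerEnvironment}`);
  }
  return { allowed: reasons.length === 0, reasons };
}

// Three constructed signer identities. All three would pass signature
// verification: each stands for a genuine certificate for a real workflow run.
function scenarios() {
  const legit = {
    issuer: 'https://token.actions.githubusercontent.com',
    sourceRepository: 'https://github.com/example-org/widgets',
    buildSignerUri: 'https://github.com/example-org/widgets/.github/workflows/release.yml@refs/tags/v1.4.0',
    runnerEnvironment: 'github-hosted',
  };
  // Attacker builds the package in their own repository: valid signature,
  // wrong identity for this package.
  const attackerOwnWorkflow = {
    ...legit,
    sourceRepository: 'https://github.com/attacker/widgets',
    buildSignerUri: 'https://github.com/attacker/widgets/.github/workflows/release.yml@refs/tags/v1.4.1',
  };
  // Attacker pushes a release tag from a compromised maintainer account and the
  // maintainer's own release workflow signs. Nothing in the certificate
  // distinguishes this from a legitimate release.
  const compromisedMaintainerRunsRealWorkflow = {
    ...legit,
    buildSignerUri: 'https://github.com/example-org/widgets/.github/workflows/release.yml@refs/tags/v1.4.1',
  };
  const pkg = '@example/widgets';
  return {
    legit: evaluateProvenancePolicy(pkg, legit),
    attackerOwnWorkflow: evaluateProvenancePolicy(pkg, attackerOwnWorkflow),
    compromisedMaintainerRunsRealWorkflow: evaluateProvenancePolicy(pkg, compromisedMaintainerRunsRealWorkflow),
  };
}

if (typeof module !== 'undefined' && require.main === module) {
  for (const [name, result] of Object.entries(scenarios())) {
    console.log(name, result.allowed ? 'ALLOWED' : 'REJECTED', result.reasons);
  }
}
```

The policy narrows "signed by anyone holding a valid certificate" down to "signed by this repository's release workflow on a release tag", which stops an attacker who builds the package anywhere else. It does nothing against an attacker who can trigger the real workflow, so the remaining control has to sit in front of that workflow: who may push a release tag, whether the publishing job requires an approved environment. Those are authorization decisions, and no signature encodes them.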
The campaign's delivery mechanism for the VS Code extension attack was a dangling orphan commit planted in the nrwl/nx GitHub repository, security firm StepSecurity found (StepSecurity). The commit was not reachable from any branch or tag, so it never entered a pull request and no reviewer saw it, yet it could be fetched by hash like any other commit and looked like an ordinary contributor commit. The malicious Nx Console VS Code extension, version 18.95.0, was published using stolen credentials on May 18 and stayed live for under 40 minutes. During that window, Nx internal telemetry showed approximately 6,000 activations through auto-update, against just 28 official downloads. Automated update propagation moved roughly 214 times faster than human-driven downloads.
GitHub confirmed on May 21 that the Nx Console compromise led to a breach of internal repositories (The Hacker News). An employee device running the malicious extension was used to clone private repositories, which were then offered for sale on a criminal forum. The number of repos involved has been reported at approximately 3,800. GitHub has not published a full IOC list.
The credential harvesting did not stop at GitHub. StepSecurity's analysis of the Nx Console payload found it targeted Claude Code configuration files, AWS keys, GitHub tokens, npm tokens, 1Password vault contents, and Kubernetes service account tokens. A developer running an AI coding assistant while also managing cloud infrastructure has credentials scattered across a dozen systems. The Nx Console attack was designed to collect all of them in one drop.
The same credential classes are being chased by more than one actor. CrowdStrike has documented STARDUST CHOLLIMA, a Lazarus Group-aligned threat actor, tripling its operational tempo against financial entities in Q4 2025, using AI-generated recruiter personas on LinkedIn and Telegram, fake technical assessments, and synthetic video calls to harvest developer credentials: GitHub personal access tokens, npm publishing tokens, AWS keys, and CI/CD secrets (CrowdStrike). The Mini Shai-Hulud campaign against the npm, PyPI, and Composer registries is a separate operation: security firms StepSecurity, Endor Labs, Snyk, Palo Alto Unit 42, and the Cloud Security Alliance, along with The Hacker News, independently attribute it to TeamPCP, a financially motivated threat actor. The AI developer toolchain was not an incidental target. It was the objective.
The intersection with AI coding assistants compounds the exposure. A disclosure from security firm Adversa AI showed that Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI all auto-execute project MCP servers when a developer accepts a folder trust prompt (Adversa AI). Anthropic reviewed the finding, which Adversa AI named TrustFall, and declined to classify it as a security vulnerability, stating that accepting a folder constitutes consent to the full project configuration. In CI, the trust dialog never renders, making the same attack zero-click. The attack path is distinct from the npm provenance bypass, but the target population is identical: developers with elevated cloud access who have been given tools that execute code from untrusted sources.
The Verizon 2026 DBIR found that 67 percent of employees now access AI services from non-corporate accounts on corporate devices, and that shadow AI is the third most common non-malicious insider action in DLP datasets (Verizon DBIR). Source code is the leading data type submitted to unauthorized AI platforms. The attack surface is not hypothetical. The pipeline from developer machine to credential store to CI/CD pipeline to published package to end-user machine is already wired, already automated, and already targeted.
Socket detected the 639 compromised npm versions within 6 to 12 minutes of publication, with a median detection time of approximately 6.7 minutes. The ecosystem can find these attacks quickly once they are published. The problem is the window between credential theft and package publication, where the attacker holds a valid signing key and a trusted identity. Provenance logs document that window. They do not close it.
The fix practitioners are already discussing is not a new cryptographic primitive. It is compartmentalization: limiting which identities can publish which packages and rejecting a valid signature from any other, monitoring for anomalous publishing patterns, keeping publishing credentials short-lived and narrowly scoped, and treating developer machines as high-value security perimeters rather than endpoints. Sigstore is not the problem. Treating provenance as a substitute for authorization is.
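The monitoring item in that list is the one that can run on registry metadata alone. What follows is an added example, not the article's or any registry's code, of a detector over constructed publish events (the package names, identities, workflow files and timestamps are all made up for this illustration). It flags a package published by an identity that has never published it before, a publish from a workflow file the package has never used, and one identity publishing many distinct packages inside a short window. All three are patterns a valid provenance attestation would not catch, since every one of those events can carry a genuine certificate.

```javascript
'use strict';
// Added example (not the article's or any registry's code): a detector for
// anomalous publish patterns, run over constructed publish events. Event
// fields, package names, identities, workflow files and timestamps are all
// made up for the example.

// Constructed history: normal releases, then one identity ("alice", taken
// over) republishing five packages inside nine minutes from a new workflow.
const SAMPLE_EVENTS = [
  { pkg: '@acme/a', version: '1.0.0', publishedAt: '2024-01-05T10:00:00Z', publisher: 'alice', workflow: '.github/workflows/release.yml' },
  { pkg: '@acme/a', version: '1.1.0', publishedAt: '2024-02-03T11:30:00Z', publisher: 'alice', workflow: '.github/workflows/release.yml' },
  { pkg: '@acme/b', version: '2.0.0', publishedAt: '2024-02-10T09:15:00Z', publisher: 'alice', workflow: '.github/workflows/release.yml' },
  { pkg: '@acme/c', version: '0.5.0', publishedAt: '2024-03-01T14:00:00Z', publisher: 'bob',   workflow: '.github/workflows/release.yml' },
  { pkg: '@acme/d', version: '3.1.0', publishedAt: '2024-03-15T16:45:00Z', publisher: 'bob',   workflow: '.github/workflows/release.yml' },
  { pkg: '@acme/e', version: '1.2.0', publishedAt: '2024-03-20T08:05:00Z', publisher: 'alice', workflow: '.github/workflows/release.yml' },
  // Incident window: same identity, different workflow file, five packages in nine minutes.
  { pkg: '@acme/a', version: '1.1.1', publishedAt: '2024-04-01T02:00:00Z', publisher: 'alice', workflow: '.github/workflows/publish.yml' },
  { pkg: '@acme/b', version: '2.0.1', publishedAt: '2024-04-01T02:02:00Z', publisher: 'alice', workflow: '.github/workflows/publish.yml' },
  { pkg: '@acme/c', version: '0.5.1', publishedAt: '2024-04-01T02:04:00Z', publisher: 'alice', workflow: '.github/workflows/publish.yml' },
  { pkg: '@acme/d', version: '3.1.1', publishedAt: '2024-04-01T02:06:00Z', publisher: 'alice', workflow: '.github/workflows/publish.yml' },
  { pkg: '@acme/e', version: '1.2.1', publishedAt: '2024-04-01T02:08:00Z', publisher: 'alice', workflow: '.github/workflows/publish.yml' },
];

// Walks events in time order and returns a list of findings. Baselines are
// built from earlier events only, so an event can never vouch for itself.
function detectAnomalies(events, { burstWindowMinutes = 15, burstThreshold = 5 } = {}) {
  const windowMs = burstWindowMinutes * 60 * 1000;
  const sorted = [...events].sort((x, y) => Date.parse(x.publishedAt) - Date.parse(y.publishedAt));
  const publishersByPkg = new Map();   // pkg -> Set of identities seen publishing it
  const workflowsByPkg = new Map();    // pkg -> Set of workflow files seen for it
  const recentByPublisher = new Map(); // identity -> [{ t, pkg }] inside the window
  const findings = [];

  for (const ev of sorted) {
    const t = Date.parse(ev.publishedAt);
    const id = `${ev.pkg}@${ev.version}`;

    // 1. Identity never seen for this package. A brand-new package has no
    //    baseline and is not flagged here.
    const knownPublishers = publishersByPkg.get(ev.pkg);
    if (knownPublishers && !knownPublishers.has(ev.publisher)) {
      findings.push({ type: 'new-publisher', id, publisher: ev.publisher });
    }
    // 2. Workflow file differs from every earlier publish of this package.
    const knownWorkflows = workflowsByPkg.get(ev.pkg);
    if (knownWorkflows && !knownWorkflows.has(ev.workflow)) {
      findings.push({ type: 'workflow-drift', id, workflow: ev.workflow });
    }
    // 3. Burst: distinct packages from one identity inside a sliding window,
    //    reported once, when the threshold is first reached.
    const recent = (recentByPublisher.get(ev.publisher) || []).filter((r) => t - r.t <= windowMs);
    recent.push({ t, pkg: ev.pkg });
    recentByPublisher.set(ev.publisher, recent);
    const distinct = new Set(recent.map((r) => r.pkg));
    if (distinct.size === burstThreshold) {
      findings.push({ type: 'publish-burst', publisher: ev.publisher, packages: [...distinct] });
    }

    // Update baselines only after the checks above.
    if (!knownPublishers) publishersByPkg.set(ev.pkg, new Set());
    publishersByPkg.get(ev.pkg).add(ev.publisher);
    if (!knownWorkflows) workflowsByPkg.set(ev.pkg, new Set());
    workflowsByPkg.get(ev.pkg).add(ev.workflow);
  }
  return findings;
}

// Counts findings by type, e.g. { 'workflow-drift': 5, 'new-publisher': 2, 'publish-burst': 1 }.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.type] = (counts[f.type] || 0) + 1;
  return counts;
}

if (typeof module !== 'undefined' && require.main === module) {
  const findings = detectAnomalies(SAMPLE_EVENTS);
  console.log(summarize(findings));
  for (const f of findings) console.log(f);
}
```

On the constructed data the detector raises eight findings: two packages picked up by an identity that had never published them, five publishes from a workflow file none of the packages had used before, and one burst when the same identity reaches five distinct packages inside the fifteen-minute window. The thresholds are deliberately parameters: a monorepo that legitimately releases dozens of packages from one tag needs a far higher burst threshold, and the workflow-drift rule should be tuned to the repository's real release workflow paths rather than left at a guess.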