Valid certificates, stolen accounts: how attackers broke npm's last trust signal

· Source: VentureBeat · Field: Technology & Digital — Cybersecurity & Data Privacy, Artificial Intelligence & Machine Learning, Software Development & Engineering · Depth: Advanced, medium

Summary

Recent incidents on May 18-19, 2026, exposed critical vulnerabilities in developer tool supply chains and AI coding agents. On May 19, 633 malicious npm package versions bypassed Sigstore provenance verification, leveraging valid signing certificates obtained from compromised maintainer accounts. This allowed attackers to publish packages like those in the Mini Shai-Hulud campaign, which propagated across 502 packages on npm, PyPI, and Composer, totaling 1,055 malicious versions. Concurrently, the Nx Console VS Code extension was compromised on May 18, with version 18.95.0 harvesting sensitive credentials. Research from multiple firms identified seven failed attack surfaces, including npm provenance forgery, VS Code extension credential theft, MCP server auto-execution in AI CLIs (Claude Code, Gemini CLI, Cursor CLI, Copilot CLI), CI/CD agent prompt injection, agent framework code execution (Semantic Kernel), IDE credential storage exposure (Cursor), and shadow AI data exposure, where 67% of employees use non-corporate AI services on corporate devices.

Key takeaway

For security directors evaluating vendor contracts or MLOps engineers securing CI/CD pipelines, recognize that current developer tool verification models are insufficient. You must audit all seven identified attack surfaces, including npm provenance, AI CLI auto-execution, and shadow AI data exposure. Consider any credential accessible from a developer machine or CI runner that installed affected npm packages between 01:39 and 02:18 UTC on May 19 compromised. Implement two-party approval for critical package publishes and disable default auto-trust for AI coding agents to mitigate immediate risks.

Key insights

Automated trust signals in developer tools are broken by credential theft and design flaws, enabling widespread supply chain attacks.

Principles

In practice

Topics

Best for: CTO, VP of Engineering/Data, AI Architect, AI Security Engineer, MLOps Engineer, Director of AI/ML

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by VentureBeat.