Valid certificates, stolen accounts: how attackers broke npm's last trust signal
Summary
Recent incidents on May 18-19, 2026, exposed critical vulnerabilities in developer tool supply chains and AI coding agents. On May 19, 633 malicious npm package versions bypassed Sigstore provenance verification, leveraging valid signing certificates obtained from compromised maintainer accounts. This allowed attackers to publish packages like those in the Mini Shai-Hulud campaign, which propagated across 502 packages on npm, PyPI, and Composer, totaling 1,055 malicious versions. Concurrently, the Nx Console VS Code extension was compromised on May 18, with version 18.95.0 harvesting sensitive credentials. Research from multiple firms identified seven failed attack surfaces, including npm provenance forgery, VS Code extension credential theft, MCP server auto-execution in AI CLIs (Claude Code, Gemini CLI, Cursor CLI, Copilot CLI), CI/CD agent prompt injection, agent framework code execution (Semantic Kernel), IDE credential storage exposure (Cursor), and shadow AI data exposure, where 67% of employees use non-corporate AI services on corporate devices.
Key takeaway
For security directors evaluating vendor contracts or MLOps engineers securing CI/CD pipelines, recognize that current developer tool verification models are insufficient. You must audit all seven identified attack surfaces, including npm provenance, AI CLI auto-execution, and shadow AI data exposure. Consider any credential accessible from a developer machine or CI runner that installed affected npm packages between 01:39 and 02:18 UTC on May 19 compromised. Implement two-party approval for critical package publishes and disable default auto-trust for AI coding agents to mitigate immediate risks.
Key insights
Automated trust signals in developer tools are broken by credential theft and design flaws, enabling widespread supply chain attacks.
Principles
- Sigstore verifies provenance, not publish authorization.
- Default trust prompts enable auto-execution exploits.
- Credential theft bypasses automated trust signals.
In practice
- Require two-party approval for high-download npm packages.
- Disable auto-approval for MCP servers in AI CLIs.
- Update Semantic Kernel SDKs to versions 1.39.4 and 1.71.0.
Topics
- npm Supply Chain Security
- Sigstore Verification
- AI Coding Agents
- Credential Theft
- CI/CD Security
- Shadow AI
Best for: CTO, VP of Engineering/Data, AI Architect, AI Security Engineer, MLOps Engineer, Director of AI/ML
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by VentureBeat.