The Illusion of Verified Packages

The npm supply chain attack Sigstore bypass isn’t theoretical anymore—it’s active, it’s successful, and it’s happening right now. On May 19, 2026, 633 malicious npm package versions passed Sigstore provenance verification. Every single one carried a valid certificate. Every one was cleared by the system designed to stop exactly this kind of attack.
What 633 malicious packages reveal
This wasn’t a marginal case or a narrow edge in the verification logic. The attack surface here is the entire premise of automated trust signals for open-source packages. Sigstore worked exactly as architected—it verified the package was built in a CI environment, confirmed a valid certificate was issued via OIDC, and recorded everything in the transparency log. What it cannot do is determine whether the person holding the credentials actually authorized the publish.
The implications are stark: if you manage dependencies in your project and rely on provenance attestation as a trust signal, you need to understand that green checkmark means “valid certificate exists” rather than “this package is safe.” That’s a fundamental distinction that changed overnight.
How Attackers Broke the Trust Model
The mechanical failure here is straightforward but devastating. Sigstore verify evaluates certificate validity—it doesn’t authenticate identity authorization. When an attacker compromises a maintainer account and extracts OIDC tokens, they gain the ability to generate valid signing certificates that flow through the entire verification pipeline without triggering any alerts.
Stolen credentials meet valid certificates
The attack path traces through three critical stages. First, the attacker compromises a maintainer account—this gives them access to the npm publishing credentials. Second, those credentials yield valid OIDC tokens that can request signing certificates from Sigstore’s Fulcio service. Third, the malicious package gets signed with a legitimate certificate and publishes with full provenance attestation.
From the perspective of any automated scanner or security tool checking package integrity, the output is indistinguishable from a legitimate publish. The certificate is real. The build trail is real. The transparency log entry is permanent. The only thing that’s fake is the authorization—and that’s exactly what the system was never designed to verify.
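To make the distinction concrete, here is an added illustrative policy layer (not Sigstore's, npm's, or the author's code) that separates the three questions a consumer can ask of a provenance bundle: is the certificate valid, does the signing identity match the builder we expect for this package, and did a human actually authorize this release. The bundle layout, the package name `widget`, the workflow identity, the log index and the approval ledger are all constructed for the demo; in practice the bundle would come from the registry's attestation and a Sigstore client would do the signature and transparency-log checks.

```python
"""Illustrative policy layer over a Sigstore-style provenance bundle.

Added example, not Sigstore's or npm's code. Bundle fields, package
names and the approval ledger are constructed; a real implementation
would parse the registry's attestation and let a Sigstore client do the
signature, chain and log-inclusion checks before this policy runs.
"""
from datetime import datetime, timezone

# Constructed bundle as reported after signature, chain and log checks pass.
GOOD_BUNDLE = {
    "package": "widget",
    "version": "2.4.0",
    "cert_issuer": "https://token.actions.githubusercontent.com",
    "cert_san": "https://github.com/acme/widget/.github/workflows/release.yml@refs/heads/main",
    "not_before": datetime(2026, 5, 19, 10, 0, tzinfo=timezone.utc),
    "not_after": datetime(2026, 5, 19, 10, 10, tzinfo=timezone.utc),
    "log_index": 12345678,  # constructed placeholder
}

# Same issuer, same identity, equally valid certificate: this is what a
# publish made with stolen CI/OIDC credentials looks like. Nothing in the
# certificate distinguishes it; only the out-of-band approval ledger can.
STOLEN_CRED_BUNDLE = dict(GOOD_BUNDLE, version="2.4.1", log_index=12345999)

# A valid certificate minted for a different workflow identity (e.g. a fork).
WRONG_IDENTITY_BUNDLE = dict(
    GOOD_BUNDLE,
    version="2.4.2",
    cert_san="https://github.com/evil-fork/widget/.github/workflows/release.yml@refs/heads/main",
)

# Human-maintained release approvals kept outside the CI trust path (constructed).
APPROVALS = {
    ("widget", "2.4.0"): {"maintainer-a", "maintainer-b"},
    ("widget", "2.4.1"): set(),  # nobody approved this release
}

# The one builder identity each package is allowed to be signed by.
EXPECTED_BUILDER = {
    "widget": (
        "https://token.actions.githubusercontent.com",
        "https://github.com/acme/widget/.github/workflows/release.yml@refs/heads/main",
    ),
}

SIGNING_TIME = datetime(2026, 5, 19, 10, 5, tzinfo=timezone.utc)


def certificate_is_valid(bundle, now):
    """What `sigstore verify` establishes: a real certificate from a known
    OIDC issuer, valid at signing time, with a transparency-log entry."""
    return (
        bundle["cert_issuer"].startswith("https://")
        and bundle["not_before"] <= now <= bundle["not_after"]
        and bundle["log_index"] is not None
    )


def identity_matches(bundle):
    """Pin the signing identity to the package's expected builder.
    Catches certificates minted for the wrong repo or workflow; it does
    not catch a stolen token that mints the expected identity."""
    expected = EXPECTED_BUILDER.get(bundle["package"])
    return expected == (bundle["cert_issuer"], bundle["cert_san"])


def publish_is_authorized(bundle, min_approvers=2):
    """Two-party approval recorded outside the CI/OIDC trust path."""
    approvers = APPROVALS.get((bundle["package"], bundle["version"]), set())
    return len(approvers) >= min_approvers


def evaluate(bundle, now):
    """Return the verdict tuple (cert_valid, identity_ok, authorized)."""
    return (
        certificate_is_valid(bundle, now),
        identity_matches(bundle),
        publish_is_authorized(bundle),
    )


if __name__ == "__main__":
    for b in (GOOD_BUNDLE, STOLEN_CRED_BUNDLE, WRONG_IDENTITY_BUNDLE):
        print(b["version"], evaluate(b, SIGNING_TIME))
```

The stolen-credential case returns `(True, True, False)`: the certificate and identity checks both pass, and only the approval ledger says no. That is the gap the post describes, and it is why the authorization record has to live somewhere the CI credentials cannot reach.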
The Seven Attack Surfaces That Failed

These 633 packages didn’t emerge in isolation. Within 48 hours between May 18 and May 19, seven distinct attack surfaces failed simultaneously—each representing a different vector the npm supply chain attack Sigstore bypass exploits. This wasn’t bad luck or a single point of failure. It was a systemic breakdown across the entire developer toolchain.
From npm provenance to MCP server auto-execution
- Surface 1: npm provenance forgery—Sigstore certificates generated from stolen OIDC tokens pass automated verification even when the publish was never authorized
- Surface 2: VS Code extension credential theft—a malicious Nx Console version published with stolen contributor tokens stayed live for 40 minutes and auto-updated to 6,000 developer installations
- Surface 3: MCP server auto-execution—all four major AI coding CLIs (Claude Code, Gemini CLI, Cursor CLI, Copilot CLI) default to “Yes” or “Trust” on project-defined MCP servers, spawning unsandboxed processes with full user privileges
- Surface 4: CI/CD agent prompt injection—malicious pull request titles cause AI code review agents to post their own API keys as comments, a technique proven against GitHub’s Copilot Agent
- Surface 5: Agent framework code execution—Microsoft’s Semantic Kernel Python SDK routes vector store filter fields into eval(), enabling code execution from poisoned documents
- Surface 6: IDE credential storage exposure—Cursor stores API keys and session tokens in unprotected storage accessible to any browser extension
- Surface 7: Shadow AI data exposure—the third most common insider action in DLP datasets is developers submitting source code to unauthorized AI platforms
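Surface 5 is the most directly codeable of the seven, so here is an added example (not Semantic Kernel's code, and not the author's) showing the general shape of the defect beside a hardened form: a metadata filter string that reaches `eval()` is executable code, whereas a restricted `field op literal` grammar backed by `ast.literal_eval` accepts only comparisons against literals. The filter syntax and the sample records are constructed.

```python
"""Vulnerable versus hardened handling of a vector-store filter field.

Added illustrative example, not Semantic Kernel's code. The `field op
literal` grammar and the sample records are constructed.
"""
import ast
import operator

# Constructed document metadata, as a vector store might return it.
RECORDS = [
    {"id": 1, "source": "wiki", "year": 2024},
    {"id": 2, "source": "intranet", "year": 2026},
    {"id": 3, "source": "wiki", "year": 2026},
]


def unsafe_filter(records, expr):
    """The defect pattern: the filter text is handed to eval() unchanged,
    so whoever controls the text (e.g. via a poisoned document) controls
    what executes. Shown only to contrast with the hardened version."""
    return [r for r in records if eval(expr, {}, dict(r))]


OPS = {
    "==": operator.eq, "!=": operator.ne,
    ">": operator.gt, "<": operator.lt,
    ">=": operator.ge, "<=": operator.le,
}


def parse_filter(expr):
    """Accept exactly `<identifier> <op> <literal>`; reject anything else."""
    parts = expr.split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"malformed filter: {expr!r}")
    field, op, literal = parts
    if not field.isidentifier() or op not in OPS:
        raise ValueError(f"unsupported filter: {expr!r}")
    try:
        value = ast.literal_eval(literal)  # literals only, never expressions
    except (ValueError, SyntaxError):
        raise ValueError(f"value is not a literal: {literal!r}") from None
    return field, OPS[op], value


def safe_filter(records, expr):
    """Apply a parsed comparison without ever evaluating user text."""
    field, fn, value = parse_filter(expr)
    return [r for r in records if field in r and fn(r[field], value)]


def is_safe_filter(expr):
    """True if the expression parses under the restricted grammar."""
    try:
        parse_filter(expr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # A comparison works in both; a function call only "works" in the unsafe one.
    print(safe_filter(RECORDS, "year == 2026"))
    print(unsafe_filter(RECORDS, "len(source) > 4"))   # executes len(): the defect
    print(is_safe_filter("len(source) > 4"))           # False: rejected, not evaluated
```

The detection angle follows from the same grammar: any filter string that fails `is_safe_filter` but arrives from document metadata is worth logging, because nothing legitimate should need an expression there.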
Why no vendor sees the full picture
The critical finding here is that no single vendor security framework currently audits all seven attack surfaces. EDR monitors process behavior but doesn’t validate whether an LLM instructed an MCP server to access specific files. SAST tools analyze code quality but don’t track which executables spawn when a developer clicks “Trust” on a project folder. WAFs inspect HTTP payloads but miss tool-call intent flowing through AI agent frameworks.
This fragmentation isn’t a failure of implementation—it’s a structural gap in how security tools are designed. Each vendor optimizes for their specific perimeter, but supply chain integrity spans the boundary between authentication systems, package registries, IDEs, AI agents, and cloud infrastructure simultaneously. None of these tools were built to coordinate across that full attack chain.
Real-World Impact: The Nx Console and Mini Shai-Hulud Campaigns

The Nx Console incident on May 18 demonstrates the real-world mechanics of auto-update exploitation. Version 18.95.0 was published using stolen credentials and remained available for less than 40 minutes. During that window, Nx internal telemetry recorded approximately 6,000 activations—compared to just 28 official downloads from the registry.
The math is simple and alarming: 99.5% of the exposure came through auto-update rather than direct installation. Attackers don’t need developers to manually install malicious packages anymore—they compromise a maintainer account, publish a poisoned version, and wait for the update mechanism to do the rest.
Credentials harvested at scale
The payload deployed in the Nx Console attack was comprehensive in its targeting. It harvested Claude Code configuration files, AWS access keys, GitHub personal access tokens, npm tokens, 1Password vault contents, and Kubernetes service account tokens. This wasn’t opportunistic—every credential type targeted aligns precisely with the attack surfaces documented in the Verizon 2026 Data Breach Investigations Report, which found that 67% of employees access AI services from non-corporate devices on corporate networks.
Cross-package propagation
The Mini Shai-Hulud campaign (attributed to TeamPCP) propagated across the @antv data visualization ecosystem and dozens of unscoped packages, including echarts-for-react with approximately 1.1 million weekly downloads. Socket ultimately tracked 639 compromised versions across 323 unique packages in the initial wave, expanding to 1,055 malicious versions across 502 packages spanning npm, PyPI, and Composer over the full campaign lifecycle.
The cross-registry spread matters because it demonstrates supply chain risk radiating beyond any single ecosystem. An attacker compromising credentials in one package manager can pivot to others—and the provenance attestation they generate carries equal weight in each verification system.
Immediate Actions Developers Must Take
The window for passive observation is closing. Every day that passes without addressing these attack surfaces increases exposure to credential theft, supply chain compromise, and silent persistence in your dependency trees. Here’s what you need to do now.
Verify what your stack cannot see
Start by accepting that no green badge equals safety. Sigstore provenance verifies certificate validity—it does not verify authorization. If you’re pulling packages with significant weekly download counts, implement publish-time two-party approval before integrating new versions. Treat every provenance attestation as “someone with valid credentials signed this” rather than “this package is trustworthy.”
Audit your dependency update pipelines to understand how many of your transitive dependencies have automatic update enabled versus requiring manual approval. If you’re using Dependabot or similar tools, verify they’re not silently accepting provenance-verified updates from packages with more than 10,000 weekly downloads without human checkpoint review.
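The two preceding paragraphs describe a gate rather than a scanner: provenance is required, high-download packages need two-party approval, and nothing gets merged while it is still fresh. This added example (not Dependabot's or the author's code) encodes that gate as a policy function; the candidate records, package names, the seven-day minimum age and the approver sets are constructed, while the 10,000 weekly download threshold is the one the post states.

```python
"""Dependency update gate that treats provenance as one signal, not as approval.

Added example, not Dependabot's or npm's code. Candidate records and the
minimum-age value are constructed; a real gate would fetch publish time,
download counts and provenance status from the registry.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 5, 20, 12, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass
class Candidate:
    name: str
    version: str
    published: datetime
    weekly_downloads: int
    has_provenance: bool
    approvers: frozenset = field(default_factory=frozenset)


@dataclass
class Policy:
    min_age: timedelta = timedelta(days=7)   # constructed: let the ecosystem react first
    high_profile_downloads: int = 10_000     # threshold from the post
    required_approvers: int = 2              # two-party approval


def decide(c, policy, now):
    """Return ("auto", []) when every check passes, else ("hold", reasons).
    Provenance is required but never sufficient on its own."""
    reasons = []
    if not c.has_provenance:
        reasons.append("no provenance attestation")
    age = now - c.published
    if age < policy.min_age:
        reasons.append(f"published {age.days}d ago, below minimum age of {policy.min_age.days}d")
    if (c.weekly_downloads >= policy.high_profile_downloads
            and len(c.approvers) < policy.required_approvers):
        reasons.append(
            f"high-profile package ({c.weekly_downloads:,} weekly downloads) has "
            f"{len(c.approvers)} of {policy.required_approvers} required approvals")
    return ("auto", []) if not reasons else ("hold", reasons)


# Constructed candidate updates (names, versions and counts are invented).
CANDIDATES = [
    Candidate("tiny-util", "1.2.3", NOW - timedelta(days=30), 500, True),
    Candidate("popular-charts", "4.0.1", NOW - timedelta(hours=6), 1_100_000, True),
    Candidate("popular-charts", "4.0.0", NOW - timedelta(days=12), 1_100_000, True,
              frozenset({"maintainer-a", "maintainer-b"})),
    Candidate("legacy-lib", "0.9.9", NOW - timedelta(days=90), 2_000, False),
]


if __name__ == "__main__":
    for c in CANDIDATES:
        verdict, why = decide(c, Policy(), NOW)
        print(f"{c.name}@{c.version}: {verdict}", *why, sep="\n  ")
```

The hold on `popular-charts@4.0.1` carries two reasons at once, which is the point of listing them: an update that is both six hours old and unapproved should not be cleared by fixing only one of those conditions.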
Lock down MCP server and CI/CD configurations
Disable project-scoped MCP server auto-approval in Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI immediately. This single change blocks the attack vector that allows any folder-level trust dialog to spawn unsandboxed processes with your full privileges.
For CI/CD pipelines, migrate from pull_request_target to pull_request trigger wherever possible—the former injects secrets into runner environments that AI agents process as instructions, creating the exact condition Johns Hopkins researchers demonstrated in “Comment and Control.” Audit all existing workflows using pull_request_target with secret access and invalidate any credentials that may have flowed through those environments.
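As an added triage aid for the workflow audit just described (not GitHub's tooling, not the author's code), the script below scans GitHub Actions workflow text for the risky combination: a `pull_request_target` trigger alongside `secrets.*` references, a checkout of the PR head, or PR title/body text interpolated into a step. The two workflow files are constructed, and the scan is regex-based rather than a full YAML parse, so a clean result is a starting point for review rather than proof of safety.

```python
"""Heuristic audit of GitHub Actions workflows for the pull_request_target pattern.

Added example, not GitHub's or the author's tooling. The two workflow
texts are constructed and the scan is regex-based, so it is a triage aid,
not a YAML-accurate policy engine.
"""
import re

TARGET_TRIGGER = re.compile(r"\bpull_request_target\b")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
PR_HEAD_CHECKOUT = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
PR_TEXT = re.compile(r"github\.event\.pull_request\.(title|body)")

# Constructed: the shape that hands secrets plus attacker-controlled text to an agent.
RISKY_WORKFLOW = """
name: ai-review
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Run review agent
        env:
          REVIEW_API_KEY: ${{ secrets.REVIEW_API_KEY }}
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: ./scripts/review.sh "$PR_TITLE"
"""

# Constructed: same job moved to pull_request, no secrets, no PR text in env.
SAFE_WORKFLOW = """
name: ai-review
on:
  pull_request:
jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Run review agent
        run: ./scripts/review.sh
"""


def audit_workflow(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    privileged = bool(TARGET_TRIGGER.search(text))
    secrets = sorted(set(SECRET_REF.findall(text)))
    if privileged and secrets:
        findings.append(
            f"pull_request_target job reads secrets {secrets}; "
            "migrate to pull_request or move secret use to a separate, non-PR job")
    if privileged and PR_HEAD_CHECKOUT.search(text):
        findings.append(
            "pull_request_target job checks out the PR head, so fork-controlled "
            "code runs with the base repository's token and secrets")
    if PR_TEXT.search(text):
        findings.append(
            "PR title/body is interpolated into a step; attacker-controlled text "
            "reaches the agent or shell as input")
    return findings


def audit_many(workflows):
    """Map workflow name to findings, for a directory of files read into memory."""
    return {name: audit_workflow(text) for name, text in workflows.items()}


if __name__ == "__main__":
    for name, hits in audit_many({"risky.yml": RISKY_WORKFLOW, "safe.yml": SAFE_WORKFLOW}).items():
        print(name, "->", hits or "no findings")
```

Any workflow the scan flags on the first finding is also a credential-rotation candidate, matching the post's advice to invalidate secrets that may already have flowed through such a job.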
Pin critical extension versions in your IDEs rather than allowing auto-update to latest. The Nx Console incident showed that a 40-minute window was sufficient to compromise thousands of installations—a window your monitoring tools likely wouldn’t catch. Establish minimum-age policies for extension updates and audit all extensions requesting terminal or file system API access.
These aren’t theoretical recommendations. They’re the audit actions mapped directly to attack surfaces that failed in the past 48 hours. If your stack doesn’t cover these gaps today, assume you’re exposed tomorrow.

Hi, I’m Cary Huang — a tech enthusiast based in Canada. I’ve spent years working with complex production systems and open-source software. Through TechBuddies.io, my team and I share practical engineering insights, curate relevant tech news, and recommend useful tools and products to help developers learn and work more effectively.