On May 19, 633 malicious npm package versions passed Sigstore provenance verification. They were cleared by the system because the attacker had generated valid signing certificates from a compromised maintainer account.
Sigstore worked exactly as designed: it verified the package was built in a CI environment, confirmed a valid certificate was issued, and recorded everything in the transparency log. What it cannot do is determine whether the person holding the credentials authorized the publish — and that gap turned the last automated trust signal in npm into camouflage.
One day earlier, StepSecurity documented an attack on the Nx Console VS Code extension, a widely used developer tool with more than 2.2 million lifetime installs. Version 18.95.0 was published using stolen credentials on May 18 and stayed live for under 40 minutes — but Nx internal telemetry showed approximately 6,000 activations during that window, most through auto-update, compared to just 28 official downloads. The payload harvested Claude Code configuration files, AWS keys, GitHub tokens, npm tokens, 1Password vault contents, and Kubernetes service account tokens.
The Mini Shai-Hulud campaign, attributed by multiple researchers to a financially motivated threat actor identified as TeamPCP, hit the npm registry at 01:39 UTC on May 19. Endor Labs detected the initial wave when two dormant packages, jest-canvas-mock and size-sensor, published new versions containing an obfuscated 498KB Bun script — neither had been updated in over three years, making a sudden version with raw GitHub commit hash dependencies a detection signal, but only if the tooling is watching.
By 02:06 UTC, the worm had propagated across the @antv data visualization ecosystem and dozens of unscoped packages, including echarts-for-react (~1.1 million weekly downloads). Socket raised the total to 639 compromised versions across 323 unique packages in this wave. Across the full campaign lifecycle, Socket has tracked 1,055 malicious versions across 502 packages spanning npm, PyPI, and Composer.
StepSecurity confirmed the payload contained full Sigstore integration. The attacker didn't just steal credentials; they could sign and publish downstream npm packages that carried valid provenance attestations.
These two incidents aren’t isolated. Research teams at Endor Labs, Socket, StepSecurity, Adversa AI, Johns Hopkins, Microsoft MSRC, and LayerX independently proved that the developer tool verification model is broken, and no vendor framework audits all of the attack surfaces that failed.
Seven attack surfaces failed in the 48 hours between May 18 and May 19 — npm provenance forgery, VS Code extension credential theft, MCP server auto-execution, CI/CD agent prompt injection, agent framework code execution, IDE credential storage exposure, and shadow AI data exposure — and the audit grid below maps each.
The verification model is broken across all four major AI coding CLIs
Adversa AI disclosed TrustFall on May 7, demonstrating that Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI all auto-execute project-defined MCP servers the moment a developer accepts a folder trust prompt. All four default to “Yes” or “Trust.” One keypress spawns an unsandboxed process with the developer’s full privileges.
The MCP server runs with enough privilege to read stored secrets and source code from other projects. On CI runners using Claude Code’s GitHub Action in headless mode, the trust dialog never renders. The attack executes with zero human interaction.
Johns Hopkins researchers Aonan Guan, Zhengyu Liu, and Gavin Zhong published “Comment and Control,” proving that a malicious instruction in a GitHub pull request title caused Claude Code Security Review to post its own API key as a comment. The same attack worked on Google’s Gemini CLI Action and GitHub’s Copilot Agent. Anthropic rated the vulnerability CVSS 9.4 Critical through its HackerOne program.
Microsoft MSRC disclosed two critical Semantic Kernel vulnerabilities on May 7. One routes attacker-controlled vector store fields into a Python eval() call; the other exposes a host-side file download method as a callable kernel function — meaning one poisoned document in a vector store launches a process on the host.
LayerX security researchers separately demonstrated that Cursor stores API keys and session tokens in unprotected storage, meaning any browser extension can access developer credentials without elevated permissions.
The threat actors hunting these credentials doubled their operational tempo
The Verizon 2026 Data Breach Investigations Report, released May 19, found that 67% of employees access AI services from non-corporate accounts on corporate devices. Shadow AI is now the third most common non-malicious insider action in DLP datasets. Source code leads all data types submitted to unauthorized AI platforms — the same asset class the npm worm campaign targeted.
The CrowdStrike 2026 Financial Services Threat Landscape Report, released May 14, documents the adversaries actively hunting the credential types these attacks harvest.
STARDUST CHOLLIMA tripled its operational tempo against financial entities in Q4 2025. CrowdStrike documented the group using AI-generated recruiter personas on LinkedIn and Telegram, sending malicious coding challenges that looked like technical assessments, and running fake video calls with synthetic environments. The targets are GitHub PATs, npm tokens, AWS keys, and CI/CD secrets. The shadow AI exposure in grid row 7 is the door they walk through.
Developer Tool Stolen-Identity Audit Grid
No vendor framework currently scopes all seven surfaces. This grid maps each one to the research that exposed it, what your stack cannot see, and the audit action to take before the next vendor renewal.
Attack Surface | Disclosed By | What Verification Failed | What Your Stack Cannot See | Audit Action |
1. npm provenance forgery | Endor Labs, Socket (May 19) | Sigstore certificates generated from stolen OIDC tokens pass automated verification | EDR and SAST do not validate whether the CI identity that signed a package authorized the publish | Require publish-time two-party approval for packages with more than 10,000 weekly downloads. Do not treat a green Sigstore badge as proof of legitimacy |
2. VS Code extension credential theft | StepSecurity (May 18) | VS Code Marketplace accepted a malicious extension version published with a stolen contributor token | Extension auto-updates bypass endpoint detection. Marketplace window 12:30 to 12:48 UTC; overall exposure (including Open VSX) 12:30 to 13:09 UTC | Enforce minimum-age policies for extension updates. Pin critical extension versions. Audit all extensions with access to terminal or file system APIs |
3. MCP server auto-execution | Adversa AI, TrustFall (May 7) | All four CLI trust dialogs default to “Yes/Trust” without enumerating which executables will spawn | EDR monitors process behavior, not what an LLM instructs an MCP server to do. WAF inspects HTTP payloads, not tool-call intent | Disable project-scoped MCP server auto-approval in Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI. Block .mcp.json in CI pipelines unless explicitly allowlisted |
4. CI/CD agent prompt injection | Johns Hopkins, Comment and Control (April 2026) | GitHub Actions workflows using pull_request_target inject secrets into runner environments that AI agents process as instructions | SIEM logs show an API call from a legitimate GitHub Action. The call itself is the attack. No anomalous network signature exists | Migrate AI code review workflows to pull_request trigger. Audit all workflows using pull_request_target with secret access for AI agent integrations |
5. Agent framework code execution | Microsoft MSRC (May 7) | Semantic Kernel Python SDK routed vector store filter fields into eval(). .NET SDK exposed host file-write as a callable kernel function | Application firewalls inspect input payloads. They do not inspect how an orchestration framework parses those payloads internally | Update Semantic Kernel Python SDK to 1.39.4 and .NET SDK to 1.71.0. Audit all agent frameworks for functions tagged as model-callable that access host file system or shell |
6. IDE credential storage exposure | LayerX (April 2026) | Cursor stores API keys and session tokens in unprotected storage accessible to any installed browser extension | DLP monitors data in transit. Cursor credentials at rest are invisible to DLP because no egress event occurs until the extension exfiltrates | Audit developer tools for credential storage practices. Require protected storage (OS keychain, encrypted credential stores) for all AI coding tool configurations |
7. Shadow AI data exposure | Verizon 2026 DBIR (May 19) | 67% of employees access AI services from non-corporate accounts on corporate devices. Source code is the leading data type submitted | CASB policies cover sanctioned SaaS. Non-corporate AI accounts on corporate devices operate outside CASB scope entirely | Deploy browser-layer AI governance that monitors non-corporate AI usage on corporate devices. Inventory AI browser extensions across the organization |
Security director action plan
Security directors may want to run this grid against current vendor contracts before Q2 renewals close — asking each vendor which of the seven surfaces their product covers, and treating the non-answers as the gap map.
Any credential accessible from a developer machine or CI runner that installed affected npm packages between 01:39 and 02:18 UTC on May 19 should be considered compromised. That includes GitHub PATs, npm tokens, AWS access keys, Kubernetes service account tokens, HashiCorp Vault tokens, SSH keys, and 1Password vault contents.
AI coding agent integrations running in CI/CD pipelines with pull_request_target workflows deserve a close look. Each one is a prompt injection surface that processes PR comments as agent instructions.
Procurement teams evaluating AI coding tools should consider adding a stolen-identity resistance dimension to vendor assessments. The question worth asking: can the vendor demonstrate how their tool distinguishes a legitimate maintainer publish from an attacker using compromised credentials? If they cannot, the tool is not a verification layer.
The developer tool supply chain has the same problem IAM had a decade ago: credentials prove who you claim to be, not who you are. IAM got a 10-year head start on compensating controls before nation-state groups turned credential theft into an industrial operation. The AI coding tool ecosystem is starting that clock now.