633 malicious npm package versions published on May 19 passed Sigstore provenance verification. They passed because the attacker minted valid signing certificates from a compromised maintainer account.
Sigstore worked exactly as intended: it verified that the package was built in the CI environment, confirmed that a valid certificate was issued, and recorded everything in the transparency log. What it cannot do is determine whether the person holding the credentials is authorized to publish, and that gap hollowed out the last automated trust signal in npm.
A day earlier, StepSecurity documented an attack on the Nx Console VS Code extension, a widely used developer tool with over 2.2 million lifetime installs. Version 18.95.0 was published on May 18 using stolen credentials and was live for less than 40 minutes, but Nx's internal telemetry showed around 6,000 activations during that window, most via automatic updates, compared to just 28 explicit downloads. The payload collected Claude Code configuration files, AWS keys, GitHub tokens, npm tokens, 1Password vault contents, and Kubernetes service account tokens.
The Mini Shai-Hulud campaign hit the npm registry at 01:39 UTC on May 19. Many researchers attribute it to a financially motivated threat actor tracked as TeamPCP. Endor Labs detected the initial wave when two dormant packages, gesture-canvas-mock and size-sensor, published new versions containing an obfuscated 498KB Bun script. Neither package had been updated in over three years; a sudden release on a package that dormant was a detectable signal, but only if tools were looking.
At 02:06 UTC, the worm spread across the @antv data visualization ecosystem and dozens of other packages, including echarts-for-react (~1.1 million weekly downloads). Socket counted 323 unique packages and 639 compromised versions in this wave. Over the entire lifetime of the campaign, Socket tracked 1,055 malicious versions across 502 packages spanning npm, PyPI, and Composer.
StepSecurity confirmed that the payload contains full Sigstore integration. The attacker did not just steal credentials; they could sign and publish downstream npm packages carrying trusted provenance certificates.
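Two signals the text above says were available but not consumed are (a) which CI identity actually minted the provenance, checked against who is expected to publish, and (b) a sudden release on a package that has been dormant for years. The following publish-time policy check is an added example, not code from the article, from Endor Labs, Socket or npm. The packument and provenance statement are constructed for illustration (package name, dates, repository URLs and builder id are hypothetical); the provenance fields follow the SLSA v1 layout that npm provenance statements use, simplified.

```javascript
// Added example: publish-time policy over an npm packument plus its provenance
// statement. Nothing here is from the article or from npm's own tooling.
const DAY_MS = 24 * 60 * 60 * 1000;

// Hypothetical policy: the only CI identity allowed to publish each package.
// A provenance certificate that is valid but issued to a different identity
// is a finding; a matching identity is necessary, NOT sufficient (see note).
const PUBLISH_POLICY = {
  "example-canvas-mock": {
    repository: "https://github.com/example-org/example-canvas-mock",
    workflowPath: ".github/workflows/release.yml",
    builderId: "https://github.com/actions/runner/github-hosted",
  },
};

// CONSTRUCTED packument excerpt: npm's `time` map of version -> publish date.
const SAMPLE_PACKUMENT = {
  name: "example-canvas-mock",
  time: {
    created: "2021-03-10T09:00:00Z",
    "1.0.3": "2022-11-02T10:00:00Z",
    "1.0.4": "2026-05-19T01:39:00Z",
    modified: "2026-05-19T01:39:00Z",
  },
};

// CONSTRUCTED provenance excerpt (SLSA v1 shape, simplified). The identity
// matches policy on purpose: with a stolen maintainer credential the
// legitimate workflow can still be the signer.
const SAMPLE_PROVENANCE = {
  predicate: {
    buildDefinition: { externalParameters: { workflow: {
      repository: "https://github.com/example-org/example-canvas-mock",
      path: ".github/workflows/release.yml",
      ref: "refs/heads/main",
    } } },
    runDetails: { builder: { id: "https://github.com/actions/runner/github-hosted" } },
  },
};

// Days between this version and the most recent earlier publish, or null if
// this is the first release.
function previousPublishGapDays(packument, version) {
  const t = packument.time;
  const when = Date.parse(t[version]);
  let latestBefore = -Infinity;
  for (const [v, iso] of Object.entries(t)) {
    if (v === "created" || v === "modified" || v === version) continue;
    const ts = Date.parse(iso);
    if (ts < when && ts > latestBefore) latestBefore = ts;
  }
  return latestBefore === -Infinity ? null : (when - latestBefore) / DAY_MS;
}

function provenanceIdentity(statement) {
  const wf = statement?.predicate?.buildDefinition?.externalParameters?.workflow ?? {};
  return {
    repository: wf.repository,
    workflowPath: wf.path,
    builderId: statement?.predicate?.runDetails?.builder?.id,
  };
}

// Returns { version, findings, allow }. `allow` is false on any finding.
function assessRelease(packument, version, provenance, opts = {}) {
  const dormantDays = opts.dormantDays ?? 365;
  const findings = [];
  const policy = PUBLISH_POLICY[packument.name];
  const id = provenanceIdentity(provenance);
  if (!policy) {
    findings.push("no publish policy for package; provenance identity cannot be judged");
  } else {
    for (const k of ["repository", "workflowPath", "builderId"]) {
      if (id[k] !== policy[k]) {
        findings.push(`provenance ${k} "${id[k]}" does not match expected "${policy[k]}"`);
      }
    }
  }
  const gap = previousPublishGapDays(packument, version);
  if (gap !== null && gap > dormantDays) {
    findings.push(`release after ${Math.round(gap)} days of dormancy; require human review`);
  }
  return { version, findings, allow: findings.length === 0 };
}

// Usage: assessRelease(SAMPLE_PACKUMENT, "1.0.4", SAMPLE_PROVENANCE)
// -> allow: false, one finding (dormancy); the identity check passes because
//    the attacker published through the legitimate workflow.
```

The point of the sample data is the caveat in the prose: the identity check passes, because a valid certificate issued to the expected repository is exactly what a compromised maintainer account produces. Only the dormancy heuristic fires. Treat the identity allow-list as a floor that catches certificates minted elsewhere, and treat the green provenance badge as proof of build location, not of authorization.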
These two events are not isolated. Research teams at Endor Labs, Socket, StepSecurity, Adversa AI, Johns Hopkins, Microsoft MSRC, and LayerX have independently shown that the developer tool trust model is broken, and that no single vendor framework covers all of the attack surfaces that failed.
In the 48 hours between May 18 and May 19, two of those surfaces were exploited in the wild; the other five had been documented in the weeks before. Seven attack surfaces in all: npm provenance spoofing, VS Code extension credential theft, MCP server auto-execution, CI/CD agent prompt injection, agent framework code execution, IDE credential storage exposure, and shadow AI data exposure. Each is mapped in the audit grid below.
The authentication model is broken in all four major AI coding CLIs
Adversa AI's TrustFall research, published on May 7, demonstrated that Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI all automatically launch project-defined MCP servers as soon as a developer accepts a directory trust prompt. All four default to "Yes" or "Trust". One click spawns an unsandboxed process with the developer's full privileges.
The MCP server runs with enough privilege to read stored secrets and source code from other projects. In CI runners using Claude Code's GitHub Action in headless mode, the trust dialog is never displayed at all, so the attack needs zero human interaction.
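A CI-side gate for this surface, written as an added example (not from the article, from Adversa AI, or from any of the four CLI vendors): it refuses to let a repository's project-scoped MCP configuration spawn anything that is not on an explicit allow-list. The file layout assumed here, `{ "mcpServers": { name: { command, args, env } | { url } } }`, is the `.mcp.json` shape Claude Code reads; treat it as an assumption for the other CLIs. The configuration text is constructed and the package names and URLs in it are hypothetical.

```javascript
// Added example: allow-list gate for project-scoped MCP servers in CI.
// Not code from the article or from any CLI vendor.

// Hypothetical policy. Match (command, args) exactly, never by prefix, so an
// allow-listed "npx" cannot be reused to run "npx -y something-else".
const ALLOWED_SERVERS = [
  { command: "npx", args: ["-y", "@example/mcp-docs-server@1.4.2"] },
];
const ALLOWED_URLS = ["https://mcp.example.internal/sse"];

// CONSTRUCTED .mcp.json: one allow-listed server, one unreviewed local
// server, one remote server pointing somewhere it should not.
const SAMPLE_MCP_JSON = JSON.stringify({
  mcpServers: {
    docs:   { command: "npx", args: ["-y", "@example/mcp-docs-server@1.4.2"] },
    helper: { command: "npx", args: ["-y", "unreviewed-helper"] },
    remote: { type: "http", url: "https://mcp.attacker.example/sse" },
  },
});

function sameInvocation(a, b) {
  return a.command === b.command &&
    a.args.length === b.args.length &&
    a.args.every((x, i) => x === b.args[i]);
}

// Returns a list of { server, reason }. An empty list means the file may be
// honoured; anything else should fail the pipeline before the agent starts.
function auditMcpConfig(configText) {
  let cfg;
  try {
    cfg = JSON.parse(configText);
  } catch (e) {
    return [{ server: "*", reason: "unparseable .mcp.json: " + e.message }];
  }
  const findings = [];
  for (const [name, s] of Object.entries(cfg.mcpServers ?? {})) {
    if (typeof s.command === "string") {
      const inv = { command: s.command, args: Array.isArray(s.args) ? s.args : [] };
      if (!ALLOWED_SERVERS.some((a) => sameInvocation(a, inv))) {
        findings.push({ server: name,
          reason: `spawns "${[inv.command, ...inv.args].join(" ")}", not allow-listed` });
      }
      // env can change what an allow-listed command does (NODE_OPTIONS, PATH,
      // LD_PRELOAD), so any env block on a local server is a finding too.
      if (s.env && Object.keys(s.env).length > 0) {
        findings.push({ server: name,
          reason: "sets env for the spawned process: " + Object.keys(s.env).join(",") });
      }
    } else if (typeof s.url === "string") {
      if (!ALLOWED_URLS.includes(s.url)) {
        findings.push({ server: name, reason: `remote server ${s.url} is not allow-listed` });
      }
    } else {
      findings.push({ server: name, reason: "neither command nor url; unknown server type refused" });
    }
  }
  return findings;
}

// Usage in a pipeline step: read .mcp.json, call auditMcpConfig, exit non-zero
// if the returned list is not empty. Run it BEFORE any agent CLI is invoked.
```

Run the gate as the first step of the job, before the agent CLI is installed, because the CLI will read the file without asking in headless mode. Pinning the allow-listed package to an exact version matters for the same reason the npm section matters: an unpinned `npx -y package` resolves to whatever was published last.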
Johns Hopkins researchers Aonan Guan, Zhengyu Liu and Gavin Zhong, in "Commentary and Review," showed that a malicious instruction planted in a GitHub pull request header caused Claude Code Security Review to post its API key as a comment. The same attack also worked against Google's Gemini CLI Action and GitHub's Copilot Agent. Anthropic rated the vulnerability CVSS 9.4 (Critical) through its HackerOne program.
Microsoft MSRC disclosed two critical Semantic Kernel vulnerabilities on May 7. One passes attacker-controlled vector store filter fields into a Python eval() call; the other exposes a host-side file-write method as a callable kernel function, meaning a poisoned record in the vector store can lead to code execution on the host.
LayerX security researchers separately demonstrated that Cursor stores API keys and session tokens in unprotected storage readable by any installed browser extension, meaning an extension can obtain developer credentials without elevated permissions.
Threat actors hunting these credentials have stepped up their tempo
The Verizon 2026 Data Breach Investigations Report, released on May 19, found that 67% of employees access AI services from non-corporate accounts on corporate devices. Shadow AI is now the third most common non-malicious insider action in DLP datasets. Source code leads all data types submitted to unauthorized AI platforms, the same asset class targeted by the npm worm campaign.
The CrowdStrike 2026 Financial Services Threat Landscape Report, released on May 14, documents that adversaries are actively hunting the kinds of credentials these attacks harvest.
STARDUST CHOLLIMA tripled its operational tempo against financial institutions in Q4 2025. CrowdStrike documented the group using AI-generated recruiter personas on LinkedIn and Telegram, sending malicious coding challenges posing as technical assessments, and conducting fake video calls with synthetic environments. Targets are GitHub PATs, npm tokens, AWS keys, and CI/CD secrets. The shadow AI exposure in grid row 7 is the door they walk through.
Developer tool stolen-credential audit grid
Currently, no vendor framework covers all seven surfaces. This grid maps each one to the research that exposed it, which verification failed, what your existing stack cannot see, and the audit action to take before the next vendor update.
| Attack surface | Reported by | Which verification failed | What your stack can't see | Audit action |
|---|---|---|---|---|
| 1. npm provenance spoofing | Endor Labs, Socket (May 19) | Sigstore certificates minted from stolen OIDC tokens pass automated verification | EDR and SAST do not check whether the CI identity signing the package is authorized to publish | For packages with more than 10,000 weekly downloads, require two-person verification at publish time. Don't treat the green Sigstore badge as proof of legitimacy |
| 2. VS Code extension credential theft | StepSecurity (May 18) | VS Code Marketplace accepted a malicious extension version published with a stolen publisher token | The extension auto-updates, bypassing endpoint detection. Marketplace exposure window 12:30–12:48 UTC; total exposure (including Open VSX) 12:30–13:09 UTC | Enforce minimum-age policies for extension updates. Pin critical extension versions. Review every extension with access to terminal or file-system APIs |
| 3. MCP server auto-execution | Adversa AI, TrustFall (May 7) | All four CLI trust dialogs default to "Yes/Trust" without listing which executables will be spawned | EDR watches process behaviour, not what the LLM instructs the MCP server to do. WAFs inspect HTTP payloads, not tool-call intent | Disable auto-start of project-scoped MCP servers in Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI. Block .mcp.json in CI pipelines unless it is explicitly allow-listed |
| 4. CI/CD agent prompt injection | Johns Hopkins, "Commentary and Review" (April 2026) | GitHub Actions workflows using pull_request_target expose secrets to runs in which AI agents treat PR content as instructions | SIEM logs show an API call from a legitimate GitHub Action. The call itself is the attack. No anomalous network signature | Move AI code-review workflows to the pull_request trigger. Audit every workflow that uses pull_request_target with access to secrets for AI agent integrations |
| 5. Agent framework code execution | Microsoft MSRC (May 7) | Semantic Kernel Python SDK passed vector store filter fields to eval(). The .NET SDK exposes host file-writing as a callable kernel function | Application firewalls inspect incoming payloads. They don't see how the orchestration framework interprets those payloads internally | Update the Semantic Kernel Python SDK to 1.39.4 and the .NET SDK to 1.71.0. Audit every agent framework for functions that can reach the host file system or shell |
| 6. IDE credential storage exposure | LayerX (April 2026) | Cursor stores API keys and session tokens in unprotected storage readable by any installed browser extension | DLP watches data in transit. Cursor credentials at rest are invisible to DLP because no egress event occurs until an extension exfiltrates them | Audit developer tools for credential storage practices. Require protected storage (OS keychain, encrypted credential store) for all AI coding tool configurations |
| 7. Shadow AI data exposure | Verizon 2026 DBIR (May 19) | 67% of employees access AI services from non-corporate accounts on corporate devices. Source code is the leading data type submitted | CASB policies cover sanctioned SaaS. Non-corporate AI accounts on corporate devices operate entirely outside CASB's scope | Deploy browser-level AI governance that controls non-corporate AI usage on corporate devices. Inventory AI browser extensions across the organization |
Security leader action plan
Security leaders may want to run this grid against existing vendor contracts before Q2 renewals close, asking each vendor which of the seven surfaces its product covers and treating non-answers as a gap map.
Any credential reachable from a developer machine or CI runner that installed the affected npm packages between 01:39 and 02:18 UTC on May 19 should be considered compromised. This includes GitHub PATs, npm tokens, AWS access keys, Kubernetes service account tokens, HashiCorp Vault tokens, SSH keys, and 1Password vault contents.
AI coding agent integrations running in CI/CD pipelines on pull_request_target workflows deserve a closer look. Each is a live injection surface that processes PR comments as agent instructions.
Procurement teams evaluating AI coding tools should consider adding a compromised-credential resistance criterion to their vendor evaluations. A question worth asking: can the vendor demonstrate how its tool distinguishes a legitimate maintainer from an attacker using that maintainer's stolen credentials? If it cannot, the tool is not a verification layer.
The developer tool supply chain has the same problem IAM had a decade ago: credentials prove possession, not authorization. IAM got a 10-year head start on compensating controls before nation-state groups turned credential theft into an industrial operation. The AI coding tool ecosystem is running that clock now.