Valid certificates, stolen accounts: how attackers broke npm's last trust signal

On May 19, 633 malicious npm package versions passed SigStore provenance verification. They passed because the attacker generated valid signing certificates from a compromised maintainer account.

SigStore worked exactly as designed: it verified that the package was built in a CI environment, confirmed that a valid certificate was issued, and recorded everything in the transparency log. What it cannot determine is whether the person holding the credentials authorized the publication, and that gap hollowed out the last automatic trust signal npm had.

A day earlier, StepSecurity documented an attack on the NX Console VS Code extension, a widely used developer tool with over 2.2 million lifetime installs. Version 18.95.0 was published with stolen credentials on May 18 and was live for less than 40 minutes, but NX's internal telemetry showed nearly 6,000 activations in that window, most of them through auto-update, against only 28 direct downloads. The payload harvested Claude Code configuration files, AWS keys, GitHub tokens, npm tokens, 1Password vault contents, and Kubernetes service account tokens.

The mini Shai-Hulud campaign, attributed by multiple researchers to a financially motivated threat actor tracked as TeamPCP, hit the npm registry at 01:39 UTC on May 19. Andor Labs detected the initial wave when two defunct packages, jest-canvas-mock and shape-sensor, published new versions containing an obfuscated 498 KB Bun script. Neither had been updated in three years, so a sudden release whose dependencies pointed at raw GitHub commit hashes was a detection signal, but only if tooling was looking for it.

By 02:06 UTC the worm had spread to the @antv data visualization ecosystem and dozens of unscoped packages, including echarts-for-react (about 1.1 million weekly downloads). Socket counted 639 compromised versions across 323 unique packages in this wave. Over the campaign's full lifecycle, Socket has tracked 1,055 malicious versions in 502 packages spanning npm, PyPI, and Composer.
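The signals the two paragraphs above describe (a package dormant for years that suddenly ships a version whose dependencies point at raw GitHub commit hashes, with a much larger bundle) can be checked mechanically against npm registry metadata. The script below is an added example, not tooling from Andor Labs or Socket. It reads the shape of an npm packument (dist-tags, time, versions, dist.unpackedSize); SAMPLE_PACKUMENT is constructed, not a real package, and the install-hook check goes beyond what the article mentions.

```python
"""Detection heuristics for a dormant npm package that suddenly revives.
Added example; SAMPLE_PACKUMENT is constructed and not a real package."""
from datetime import datetime, timedelta
import re

# Dependency specs that resolve to a git commit instead of a registry version,
# e.g. "github:org/repo#<sha>" or "git+https://github.com/org/repo.git#<sha>".
GIT_SHA_SPEC = re.compile(r"^(github:|git\+|https?://github\.com/).*#[0-9a-f]{40}$")

SAMPLE_PACKUMENT = {  # constructed; mimics npm's packument format
    "name": "example-dormant-pkg",
    "dist-tags": {"latest": "2.4.0"},
    "time": {
        "created": "2021-03-01T10:00:00.000Z",
        "2.3.0": "2021-03-01T10:00:00.000Z",
        "2.3.1": "2022-05-12T09:30:00.000Z",
        "2.4.0": "2026-05-19T01:39:00.000Z",
        "modified": "2026-05-19T01:39:00.000Z",
    },
    "versions": {
        "2.3.0": {"dependencies": {"lodash": "^4.17.21"}, "dist": {"unpackedSize": 41000}},
        "2.3.1": {"dependencies": {"lodash": "^4.17.21"}, "dist": {"unpackedSize": 42000}},
        "2.4.0": {
            "dependencies": {"lodash": "^4.17.21",
                             "helper-lib": "github:someorg/helper-lib#" + "a" * 40},
            "scripts": {"postinstall": "bun run setup.js"},
            "dist": {"unpackedSize": 540000},
        },
    },
}


def parse_ts(value: str) -> datetime:
    """npm 'time' entries are ISO-8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def scan_packument(pkg: dict, dormant_days: int = 730, size_ratio: float = 3.0) -> list[str]:
    """Return human-readable findings for the latest version of a package."""
    latest = pkg["dist-tags"]["latest"]
    published = {v: parse_ts(t) for v, t in pkg["time"].items()
                 if v not in ("created", "modified")}
    latest_at = published[latest]
    earlier = [t for v, t in published.items() if v != latest and t < latest_at]
    ver = pkg["versions"][latest]
    findings = []

    # Signal 1: a long-dormant package wakes up.
    if earlier:
        gap = latest_at - max(earlier)
        if gap > timedelta(days=dormant_days):
            findings.append(f"{latest}: first release after {gap.days} days of dormancy")

    # Signal 2: dependencies pinned to raw git commits bypass registry review.
    for dep, spec in ver.get("dependencies", {}).items():
        if GIT_SHA_SPEC.match(spec):
            findings.append(f"{latest}: dependency {dep} pinned to a raw git commit ({spec})")

    # Signal 3 (beyond the article): install-time hooks execute on npm install.
    for hook in ("preinstall", "install", "postinstall"):
        cmd = ver.get("scripts", {}).get(hook)
        if cmd:
            findings.append(f"{latest}: {hook} hook runs {cmd!r}")

    # Signal 4: the unpacked size jumps well past every prior version.
    size = ver.get("dist", {}).get("unpackedSize", 0)
    prior = [pkg["versions"].get(v, {}).get("dist", {}).get("unpackedSize", 0)
             for v in published if v != latest]
    if prior and max(prior) > 0 and size > size_ratio * max(prior):
        findings.append(f"{latest}: unpacked size {size} B is "
                        f"{size / max(prior):.1f}x the previous maximum")
    return findings


if __name__ == "__main__":
    for line in scan_packument(SAMPLE_PACKUMENT):
        print(line)
```

Any one of these findings is a reason to hold the version in a private proxy until a human looks at it; the dormancy gap combined with a git-pinned dependency is the pair the article's timeline turns on.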

StepSecurity confirmed that the payload includes full SigStore integration. The attacker did not just steal credentials: the worm signs and publishes downstream npm packages that carry valid provenance attestations.

These two incidents are not isolated. Research teams from Andor Labs, Socket, StepSecurity, Adversa AI, Johns Hopkins, Microsoft MSRC, and LayerX independently showed that the developer-tools verification model is broken, and no single vendor framework covers all of the attack surfaces that failed.

Seven attack surfaces failed in the 48 hours between May 18 and May 19: npm provenance forgery, VS Code extension credential theft, MCP server auto-execution, CI/CD agent prompt injection, agent framework code execution, IDE credential storage exposure, and shadow AI data exposure. The audit grid below maps each of them.

The verification model broke across all four major AI coding CLIs

Adversa AI disclosed Trustfall on May 7, showing that Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI all auto-execute project-defined MCP servers once a developer accepts the folder trust prompt. All four default that prompt to "yes" or "trusted", so a single keypress spawns an unsandboxed process with the developer's full privileges.

That MCP server runs with enough privilege to read stored secrets and source code from other projects. On CI runners using Claude Code's GitHub Action in headless mode, the trust dialog is never shown, so the attack executes with zero human interaction.
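The audit action for this surface is to stop a project-scoped MCP config from spawning arbitrary processes unattended. The script below is an added example, not vendor tooling: it gates a config file before a CI job honours it. The {"mcpServers": {name: {command, args, env}}} shape is the one Claude Code's .mcp.json and Cursor's .cursor/mcp.json use; ALLOWED_COMMANDS is an assumed CI policy and SAMPLE_CONFIG is constructed.

```python
"""Pre-flight audit of a project-scoped MCP server config.
Added example; the allowlist is an assumed policy and SAMPLE_CONFIG is constructed."""
import json
import os
import shlex

# Interpreters a CI policy is willing to let an MCP server launch (assumption).
ALLOWED_COMMANDS = {"node", "python3"}
# Runners that download and execute a package on first use.
REMOTE_FETCH_RUNNERS = {"npx", "bunx", "uvx", "pipx", "curl", "wget"}
# Substrings that mark an env var as a credential being handed to the server.
CREDENTIAL_MARKERS = ("TOKEN", "SECRET", "KEY", "PASSWORD")

SAMPLE_CONFIG = """{
  "mcpServers": {
    "docs": {
      "command": "node",
      "args": ["./tools/docs-server.js"]
    },
    "helper": {
      "command": "npx",
      "args": ["-y", "untrusted-helper@latest"],
      "env": {"GITHUB_TOKEN": "${GITHUB_TOKEN}"}
    }
  }
}"""


def audit_mcp_config(text: str) -> list[str]:
    """Return one finding per policy violation in an MCP server config."""
    cfg = json.loads(text)
    findings = []
    for name, server in cfg.get("mcpServers", {}).items():
        if "command" not in server:
            continue  # url-based remote servers need a separate network policy
        command = server["command"]
        args = [str(a) for a in server.get("args", [])]
        argv = [command, *args]
        if os.path.basename(command) not in ALLOWED_COMMANDS:
            findings.append(f"{name}: command {command!r} is not allowlisted")
        if any(os.path.basename(a) in REMOTE_FETCH_RUNNERS for a in argv):
            findings.append(f"{name}: fetches and runs remote code: {shlex.join(argv)}")
        if any(a in ("-e", "-c", "--eval") for a in args):
            findings.append(f"{name}: passes inline code to an interpreter")
        for var in server.get("env", {}):
            if any(m in var.upper() for m in CREDENTIAL_MARKERS):
                findings.append(f"{name}: hands credential-like env var {var} to the server")
    return findings


if __name__ == "__main__":
    for finding in audit_mcp_config(SAMPLE_CONFIG):
        print(finding)
```

In a pipeline, a non-empty result should fail the job before any agent step runs; the same check, run on a developer's machine, shows what the trust prompt is really approving.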

Johns Hopkins researchers Aonan Guan, Zhengyu Liu, and Gavin Zhong published "Comments and Control", showing that a malicious directive in a GitHub pull request header caused Claude Code Security Review to post its API key as a comment. The same attack worked against Google's Gemini CLI action and GitHub's Copilot agent. Anthropic rated the vulnerability CVSS 9.4 (Critical) through its HackerOne program.

Microsoft MSRC disclosed two critical Semantic Kernel vulnerabilities on May 7. The first routes an attacker-controlled vector store field to a Python eval() call; the second exposes a host-side file download method as a callable kernel function, meaning that a poisoned document in the vector store can launch a process on the host.
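The eval() case is worth seeing concretely. The block below is an added, illustrative example and is not Semantic Kernel's code: it shows why a filter field that reaches eval() is code execution, and what a constrained evaluator for the same job looks like. The filter grammar (field, comparison, literal, joined by and/or) is an assumption and RECORDS is constructed.

```python
"""A filter string reaching eval() versus a grammar-constrained evaluator.
Added, illustrative example; not Semantic Kernel's code. RECORDS is constructed."""
import ast
import operator

RECORDS = [  # constructed vector-store rows
    {"tenant": "acme", "score": 0.91, "doc": "quarterly-plan.md"},
    {"tenant": "acme", "score": 0.42, "doc": "lunch-menu.txt"},
    {"tenant": "globex", "score": 0.88, "doc": "salaries.xlsx"},
]


def filter_unsafe(records: list, expr: str) -> list:
    """The vulnerable pattern: the filter string is evaluated as Python.
    eval() with an empty globals dict still receives __builtins__, so any
    expression, including __import__, runs with the process's privileges."""
    return [row for row in records if eval(expr, {}, dict(row))]


_COMPARE = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne,
    ast.Lt: operator.lt, ast.LtE: operator.le,
    ast.Gt: operator.gt, ast.GtE: operator.ge,
}


def _evaluate(node: ast.AST, row: dict):
    """Walk a parsed expression, permitting only comparisons, and/or, field
    names present in the row, and scalar literals. Calls, attributes,
    subscripts and everything else are rejected before anything runs."""
    if isinstance(node, ast.BoolOp):
        values = [_evaluate(v, row) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.Compare) and len(node.ops) == 1:
        op = _COMPARE.get(type(node.ops[0]))
        if op is None:
            raise ValueError("unsupported comparison")
        return op(_evaluate(node.left, row), _evaluate(node.comparators[0], row))
    if isinstance(node, ast.Name):
        if node.id not in row:
            raise ValueError(f"unknown field {node.id!r}")
        return row[node.id]
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, int, float, bool)):
        return node.value
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def filter_safe(records: list, expr: str) -> list:
    """Hardened form: parse once, evaluate against an allowlisted grammar."""
    tree = ast.parse(expr, mode="eval")
    return [row for row in records if _evaluate(tree.body, row)]


if __name__ == "__main__":
    query = "tenant == 'acme' and score > 0.5"
    print(filter_safe(RECORDS, query))
    # A poisoned filter: runs inside filter_unsafe, rejected by filter_safe.
    hostile = "__import__('os').getpid() > 0"
    print(len(filter_unsafe(RECORDS, hostile)))  # every row, after running os code
    try:
        filter_safe(RECORDS, hostile)
    except ValueError as err:
        print("rejected:", err)
```

The hostile filter is deliberately harmless (it only reads the process id); in the vector-store setting the same slot would carry whatever a poisoned document put there. The point of the hardened version is that the parse step rejects the Call node before any evaluation happens, so the grammar, not a blocklist, defines what can run.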

LayerX security researchers separately demonstrated that Cursor stores API keys and session tokens in insecure storage, meaning any browser extension can access developer credentials without elevated permissions.

Threat actors preying on these credentials doubled their operating speed

The Verizon 2026 Data Breach Investigations Report, released on May 19, found that 67% of employees accessed AI services from non-corporate accounts on corporate devices. Shadow AI is now the third most common non-malicious insider action in DLP datasets. Source code leads all data types submitted to unauthorized AI platforms, the same asset class the npm worm campaign targeted.

The CrowdStrike 2026 Financial Services Threat Landscape Report, released on May 14, notes that adversaries are actively pursuing variants of these attacks.

STARDUST CHOLLIMA tripled its operational tempo against financial institutions in Q4 2025. CrowdStrike documented the group using AI-generated recruiter personas on LinkedIn and Telegram, sending malicious coding challenges disguised as technical assessments, and running fake video calls with synthetic environments. The targets are GitHub PATs, npm tokens, AWS keys, and CI/CD secrets. The shadow AI exposure in row 7 of the grid is the door they walk through.

Developer Tools Attack-Surface Audit Grid

No vendor framework currently covers all seven surfaces. This grid maps each surface to the research that uncovered it, how verification failed, what your stack can't see, and the audit action to take before the next vendor renewal.

1. npm provenance forgery
Revealed by: Andor Labs, Socket (May 19)
Verification failure: SigStore certificates generated from stolen OIDC tokens pass automated verification.
What your stack can't see: EDR and SAST do not verify whether the CI identity that signed the package authorized the publication.
Audit action: Require two-party approval at publish time for packages with more than 10,000 weekly downloads. Do not treat a green SigStore badge as proof of legitimacy.

2. VS Code extension credential theft
Revealed by: StepSecurity (May 18)
Verification failure: The VS Code Marketplace accepted a malicious extension version published with stolen contributor tokens.
What your stack can't see: The extension reached endpoints through auto-update, bypassing endpoint detection. Marketplace exposure window 12:30 to 12:48 UTC; overall exposure (including Open VSX) 12:30 to 13:09 UTC.
Audit action: Enforce minimum-age policies for extension updates. Pin critical extension versions. Audit every extension that uses terminal or file system APIs.

3. MCP server auto-execution
Revealed by: Adversa AI, Trustfall (May 7)
Verification failure: All four CLI trust dialogs default to "yes/trust" without telling the developer which executables will be launched.
What your stack can't see: EDR monitors process behavior, not what the LLM instructs the MCP server to do. A WAF inspects HTTP payloads, not tool-call intent.
Audit action: Disable project-scoped MCP server auto-approval in Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI. Block .mcp.json in CI pipelines unless the file is explicitly allowlisted.

4. CI/CD agent prompt injection
Revealed by: Johns Hopkins, "Comments and Control" (April 2026)
Verification failure: Workflows triggered by pull_request_target run with access to repository secrets while processing untrusted pull request content that AI agents treat as instructions.
What your stack can't see: SIEM logs show an API call from a legitimate GitHub Action. The call itself is the attack; there is no unusual network signature.
Audit action: Migrate AI code review workflows to the pull_request trigger. Audit every workflow that combines pull_request_target, secret access, and an AI agent integration.

5. Agent framework code execution
Revealed by: Microsoft MSRC (May 7)
Verification failure: The Semantic Kernel Python SDK routed vector store filter fields to eval(); the .NET SDK exposed a host file write as a callable kernel function.
What your stack can't see: Application firewalls inspect the input payload. They do not inspect how the orchestration framework parses that payload internally.
Audit action: Update the Semantic Kernel Python SDK to 1.39.4 and the .NET SDK to 1.71.0. Audit every agent framework for model-callable functions that reach the host file system or shell.

6. IDE credential storage exposure
Revealed by: LayerX (April 2026)
Verification failure: Cursor stores API keys and session tokens in insecure storage readable by any installed browser extension.
What your stack can't see: DLP monitors data in transit. Cursor credentials at rest are invisible to DLP because no egress event occurs until a malicious extension exfiltrates them.
Audit action: Audit developer tools for credential storage practices. Require protected storage (OS keychain or an encrypted credential store) for all AI coding tool configuration.

7. Shadow AI data exposure
Revealed by: Verizon 2026 DBIR (May 19)
Verification failure: 67% of employees use AI services from non-corporate accounts on corporate devices. Source code is the main data type submitted.
What your stack can't see: CASB policies cover approved SaaS. Non-corporate AI accounts on corporate devices operate entirely outside CASB scope.
Audit action: Deploy browser-layer AI governance that monitors non-corporate AI use on corporate devices. Inventory AI browser extensions organization-wide.

Security Director Action Plan

Security directors may want to run this grid against current vendor contracts before the Q2 renewal closes, asking each vendor which of the seven surfaces its product covers and treating non-answers as a map of the gaps.

Any credentials present on a developer machine or CI runner that installed an affected npm package between 01:39 and 02:18 UTC on May 19 should be considered compromised. That includes GitHub PATs, npm tokens, AWS access keys, Kubernetes service account tokens, HashiCorp Vault tokens, SSH keys, and 1Password vault contents.

It is worth taking a closer look at every AI coding agent integrated into a CI/CD pipeline through a pull_request_target workflow. Each one is a prompt injection surface that processes PR comments as agent instructions.
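The audit the grid's row 4 and the paragraph above call for can be started with a line-level scan of workflow files for the pattern behind "Comments and Control": a job that fires on pull_request_target (so it holds repository secrets), checks out or interpolates the untrusted pull request, and hands that content to an AI agent step. The block below is an added example, not the Johns Hopkins tooling. Both workflows are constructed and the example-vendor/ai-code-review action name is an assumption.

```python
"""Audit GitHub Actions workflows for the pull_request_target + secrets +
untrusted-PR-content combination. Added example; workflows are constructed."""
import re

VULNERABLE_WORKFLOW = """\
name: ai-review
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: example-vendor/ai-code-review@v1
        with:
          api-key: ${{ secrets.AI_API_KEY }}
          prompt: |
            Review this change. Title: ${{ github.event.pull_request.title }}
            Description: ${{ github.event.pull_request.body }}
"""

HARDENED_WORKFLOW = """\
name: ai-review
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
  pull-requests: write
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-vendor/ai-code-review@v1
        with:
          api-key: ${{ secrets.AI_API_KEY }}
          prompt-file: .github/ai-review-prompt.md
"""

SIGNALS = {
    # The trigger that runs with the base repository's secrets on fork PRs.
    "pull_request_target": re.compile(r"^\s*pull_request_target\s*:"),
    # Checking out the PR head executes the contributor's code and config.
    "checkout_pr_head": re.compile(r"github\.event\.pull_request\.head\.(sha|ref)"),
    # A secret is present in the job that handles untrusted input.
    "secrets": re.compile(r"\$\{\{\s*secrets\."),
    # Attacker-written text interpolated straight into an agent prompt.
    "untrusted_event_field": re.compile(
        r"\$\{\{\s*github\.event\.(pull_request\.(title|body)|comment\.body|issue\.(title|body))"),
}


def audit_workflow(yaml_text: str) -> dict:
    """Return per-signal line numbers and an overall risk verdict."""
    hits = {name: [] for name in SIGNALS}
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        for name, pattern in SIGNALS.items():
            if pattern.search(line):
                hits[name].append(lineno)
    risky = (bool(hits["pull_request_target"]) and bool(hits["secrets"])
             and (bool(hits["checkout_pr_head"]) or bool(hits["untrusted_event_field"])))
    return {"risky": risky, "hits": hits}


if __name__ == "__main__":
    for label, workflow in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(workflow))
```

Under the pull_request trigger a fork PR gets no repository secrets, so a steered agent has no key to leak; the cost is that the review step cannot use a secret for fork PRs, which is the trade-off the migration makes explicit. Where pull_request_target is genuinely needed (labeling, for instance), that job should neither check out the PR head nor interpolate event fields into a prompt.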

Procurement teams evaluating AI coding tools should consider adding a credential-theft resistance dimension to vendor evaluation. The question to ask: can the vendor demonstrate how its tool distinguishes a legitimate maintainer publication from an attacker using compromised credentials? If it can't, the tool has no such verification layer.

The developer tools supply chain has the same problem IAM had a decade ago: credentials prove who you claim to be, not who you are. IAM had a 10-year head start on compensating controls before nation-state groups turned credential theft into an industrial operation. The AI coding tools ecosystem is starting that clock now.
