© 2024 americanfocus.online – All Rights Reserved.
Tech and Science

Valid certificates, stolen accounts: how attackers broke npm's last trust signal

Last updated: May 23, 2026 2:20 pm

On May 19, 633 malicious npm package versions passed Sigstore provenance verification. These packages were approved because the attacker used valid signing certificates generated from a compromised maintainer account.

Sigstore functioned as intended: it confirmed the package was built in a CI environment, issued a valid certificate, and logged the details in the transparency log. What it cannot verify is whether the credential holder authorized the publication, so a publish made with stolen credentials blends in with legitimate activity.

One day prior, StepSecurity reported an attack on the Nx Console VS Code extension, a popular developer tool with over 2.2 million lifetime installs. Version 18.95.0 was released using stolen credentials on May 18 and was live for less than 40 minutes. During this time, roughly 6,000 activations occurred, mostly through auto-update, compared to only 28 official downloads. The attack extracted Claude Code configuration files, AWS keys, GitHub tokens, npm tokens, 1Password vault contents, and Kubernetes service account tokens.

The Mini Shai-Hulud campaign, linked by various researchers to a financially driven threat actor known as TeamPCP, targeted the npm registry at 01:39 UTC on May 19. Endor Labs identified the initial wave when two dormant packages, jest-canvas-mock and size-sensor, released new versions containing an obfuscated 498KB Bun script. These packages had not been updated for over three years, so a sudden update that also pulled in dependencies pinned to raw GitHub commit hashes was a potential detection signal, but only for tools that actively monitor for it.

By 02:06 UTC, the worm spread across the @antv data visualization ecosystem and numerous unscoped packages, including echarts-for-react, which has around 1.1 million weekly downloads. Socket increased the total to 639 compromised versions across 323 unique packages in this wave. Over the entire campaign, Socket tracked 1,055 malicious versions across 502 packages in npm, PyPI, and Composer.

StepSecurity verified that the payload included full Sigstore integration. The attacker didn’t just steal credentials; they were able to sign and publish downstream npm packages with valid provenance attestations.

These incidents are not isolated. Research teams from Endor Labs, Socket, StepSecurity, Adversa AI, Johns Hopkins, Microsoft MSRC, and LayerX independently demonstrated that the developer-tool verification model is flawed, and no single vendor framework audits all of the attack surfaces that failed.

Seven attack surfaces failed in the 48 hours between May 18 and May 19, including npm provenance forgery, VS Code extension credential theft, MCP server auto-execution, CI/CD agent prompt injection, agent framework code execution, IDE credential storage exposure, and shadow AI data exposure. The audit grid below outlines each.

The verification model is broken across all four major AI coding CLIs

Adversa AI unveiled TrustFall on May 7, revealing that Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI all auto-execute project-defined MCP servers once a developer accepts a folder trust prompt. All four default to “Yes” or “Trust,” allowing a single keypress to initiate an unsandboxed process with full developer privileges.

The MCP server operates with sufficient privileges to access stored secrets and source code from other projects. On CI runners utilizing Claude Code’s GitHub Action in headless mode, the trust dialog is never shown, enabling the attack to proceed without human interaction.

Researchers Aonan Guan, Zhengyu Liu, and Gavin Zhong from Johns Hopkins published “Comment and Control,” demonstrating that a malicious instruction in a GitHub pull request title could cause Claude Code Security Review to disclose its own API key as a comment. This attack also worked on Google’s Gemini CLI Action and GitHub’s Copilot Agent, with Anthropic rating the vulnerability CVSS 9.4 Critical through its HackerOne program.

Microsoft MSRC reported two critical vulnerabilities in the Semantic Kernel on May 7. One vulnerability routes attacker-controlled vector store fields into a Python eval() call, while the other exposes a host-side file download method as a callable kernel function, allowing a poisoned document in a vector store to initiate a process on the host.

LayerX security researchers independently showed that Cursor stores API keys and session tokens in unprotected storage, making them accessible to any installed browser extension without elevated permissions.

The threat actors hunting these credentials doubled their operational tempo

The Verizon 2026 Data Breach Investigations Report, released on May 19, revealed that 67% of employees access AI services from non-corporate accounts on corporate devices. Shadow AI has become the third most common non-malicious insider action in DLP datasets. Source code is the most frequently submitted data type to unauthorized AI platforms, which the npm worm campaign also targeted.

The CrowdStrike 2026 Financial Services Threat Landscape Report, released on May 14, details the adversaries actively seeking the credential types harvested in these attacks.

STARDUST CHOLLIMA increased its attacks on financial entities threefold in Q4 2025. CrowdStrike documented the group using AI-generated recruiter personas on LinkedIn and Telegram, distributing malicious coding challenges resembling technical assessments, and hosting fake video calls in synthetic environments. Their targets include GitHub PATs, npm tokens, AWS keys, and CI/CD secrets. The shadow AI exposure in grid row 7 is the entry point they exploit.

Developer Tool Stolen-Identity Audit Grid

No vendor framework currently covers all seven surfaces. This grid maps each one to the research that exposed it, what your stack cannot detect, and the audit action to take before the next vendor renewal.

Columns: Attack Surface | Disclosed By | What Verification Failed | What Your Stack Cannot See | Audit Action

1. npm provenance forgery
   Disclosed by: Endor Labs, Socket (May 19)
   What verification failed: Sigstore certificates generated from stolen OIDC tokens pass automated verification
   What your stack cannot see: EDR and SAST do not verify if the CI identity that signed a package authorized the publish
   Audit action: Require publish-time two-party approval for packages with more than 10,000 weekly downloads. Do not consider a green Sigstore badge as proof of authenticity

2. VS Code extension credential theft
   Disclosed by: StepSecurity (May 18)
   What verification failed: VS Code Marketplace accepted a malicious extension version published with a stolen contributor token
   What your stack cannot see: Extension auto-updates bypass endpoint detection. Marketplace window 12:30 to 12:48 UTC; overall exposure (including Open VSX) 12:30 to 13:09 UTC
   Audit action: Enforce minimum-age policies for extension updates. Pin critical extension versions. Audit all extensions with access to terminal or file system APIs

3. MCP server auto-execution
   Disclosed by: Adversa AI, TrustFall (May 7)
   What verification failed: All four CLI trust dialogs default to “Yes/Trust” without detailing which executables will spawn
   What your stack cannot see: EDR monitors process behavior, not what an LLM instructs an MCP server to do. WAF inspects HTTP payloads, not tool-call intent
   Audit action: Disable project-scoped MCP server auto-approval in Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI. Block .mcp.json in CI pipelines unless explicitly allowlisted

4. CI/CD agent prompt injection
   Disclosed by: Johns Hopkins, Comment and Control (April 2026)
   What verification failed: GitHub Actions workflows using pull_request_target inject secrets into runner environments that AI agents process as instructions
   What your stack cannot see: SIEM logs show an API call from a legitimate GitHub Action. The call itself is the attack. No anomalous network signature exists
   Audit action: Migrate AI code review workflows to the pull_request trigger. Audit all workflows using pull_request_target with secret access for AI agent integrations

5. Agent framework code execution
   Disclosed by: Microsoft MSRC (May 7)
   What verification failed: Semantic Kernel Python SDK routed vector store filter fields into eval(). .NET SDK exposed host file-write as a callable kernel function
   What your stack cannot see: Application firewalls inspect input payloads. They do not inspect how an orchestration framework parses those payloads internally
   Audit action: Update Semantic Kernel Python SDK to 1.39.4 and .NET SDK to 1.71.0. Audit all agent frameworks for functions tagged as model-callable that access the host file system or shell

6. IDE credential storage exposure
   Disclosed by: LayerX (April 2026)
   What verification failed: Cursor stores API keys and session tokens in unprotected storage accessible to any installed browser extension
   What your stack cannot see: DLP monitors data in transit. Cursor credentials at rest are invisible to DLP because no egress event occurs until the extension exfiltrates
   Audit action: Audit developer tools for credential storage practices. Require protected storage (OS keychain, encrypted credential stores) for all AI coding tool configurations

7. Shadow AI data exposure
   Disclosed by: Verizon 2026 DBIR (May 19)
   What verification failed: 67% of employees access AI services from non-corporate accounts on corporate devices. Source code is the leading data type submitted
   What your stack cannot see: CASB policies cover sanctioned SaaS. Non-corporate AI accounts on corporate devices operate outside CASB scope entirely
   Audit action: Deploy browser-layer AI governance that monitors non-corporate AI usage on corporate devices. Inventory AI browser extensions across the organization
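Rows 1 and 2 of the grid, together with the dormant-package signal described for jest-canvas-mock and size-sensor above, translate into a consumer-side release gate that does not stop at a valid provenance badge. The following is an added example, not code from the article, Endor Labs, Socket or npm; the package metadata, field names and thresholds are constructed for illustration.

```javascript
// Added example (not from the article, Endor Labs, Socket or npm): a release gate
// that does not adopt a new package version on a valid provenance badge alone.
// It layers the signals the article describes: a dormant package that suddenly
// publishes, dependencies pinned to raw GitHub commit hashes, a minimum-age hold,
// and two-party approval for packages above 10,000 weekly downloads.
const DAY_MS = 24 * 60 * 60 * 1000;
const POLICY = {
  dormantYears: 3,          // quiet period before a release that counts as dormant
  minAgeDays: 7,            // hold window before a new version may be installed
  twoPartyDownloads: 10000, // weekly downloads above which two approvals are required
};

// Matches "github:owner/repo#<40-hex>" and "owner/repo#<40-hex>" dependency specs.
const RAW_COMMIT_DEP = /^(?:github:)?[\w.-]+\/[\w.-]+#[0-9a-f]{40}$/i;

// pkg is constructed metadata for the example: { name, version, provenanceVerified,
// publishedAt, previousPublishedAt, weeklyDownloads, dependencies: {name: spec},
// approvals: [reviewer] }. Returns { allow, reasons } so every finding is visible.
function evaluateRelease(pkg, nowMs, policy = POLICY) {
  const reasons = [];
  const approvals = pkg.approvals || [];
  if (!pkg.provenanceVerified) reasons.push("no verified provenance attestation");
  const ageDays = (nowMs - Date.parse(pkg.publishedAt)) / DAY_MS;
  if (ageDays < policy.minAgeDays) {
    reasons.push(`version is ${ageDays.toFixed(1)} days old, below the ${policy.minAgeDays}-day hold`);
  }
  const gapYears = (Date.parse(pkg.publishedAt) - Date.parse(pkg.previousPublishedAt)) / (365 * DAY_MS);
  if (gapYears >= policy.dormantYears) {
    reasons.push(`package was dormant for ${gapYears.toFixed(1)} years before this release`);
  }
  for (const [dep, spec] of Object.entries(pkg.dependencies || {})) {
    if (RAW_COMMIT_DEP.test(spec)) reasons.push(`dependency ${dep} pinned to a raw GitHub commit (${spec})`);
  }
  if (pkg.weeklyDownloads > policy.twoPartyDownloads && approvals.length < 2) {
    reasons.push(`high-impact package needs two approvals, has ${approvals.length}`);
  }
  return { allow: reasons.length === 0, reasons };
}

// Constructed sample shaped like the article's jest-canvas-mock description:
// provenance verifies, yet the package had been quiet for years and now pulls a raw commit.
const SUSPICIOUS = {
  name: "example-dormant-pkg", version: "2.6.0", provenanceVerified: true,
  publishedAt: "2026-05-19T01:39:00Z", previousPublishedAt: "2023-01-10T00:00:00Z",
  weeklyDownloads: 250000, approvals: ["maintainer-a"],
  dependencies: { "some-helper": "github:example-org/some-helper#0123456789abcdef0123456789abcdef01234567" },
};
console.log(evaluateRelease(SUSPICIOUS, Date.parse("2026-05-19T02:00:00Z")));
```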

Security director action plan

Security directors should assess this grid against existing vendor contracts before Q2 renewals conclude, asking each vendor which of the seven surfaces its product addresses and treating non-answers as gaps.

Any credential accessible from a developer machine or CI runner that installed affected npm packages between 01:39 and 02:18 UTC on May 19 should be considered compromised. This includes GitHub PATs, npm tokens, AWS access keys, Kubernetes service account tokens, HashiCorp Vault tokens, SSH keys, and 1Password vault contents.

AI coding agent integrations running in CI/CD pipelines with pull_request_target workflows require careful examination. Each represents a prompt injection surface that interprets PR comments as agent instructions.

Procurement teams evaluating AI coding tools should consider adding a stolen-identity resistance evaluation to vendor assessments. The critical question is: can the vendor demonstrate how their tool differentiates between a legitimate maintainer publication and an attacker’s use of compromised credentials? If not, the tool does not serve as a verification layer.

The developer tool supply chain faces a challenge similar to what IAM encountered a decade ago: credentials confirm identity claims, not actual identity. IAM had a decade to implement compensating controls before nation-state groups industrialized credential theft. The AI coding tool ecosystem is now beginning that journey.
