npm supply chain: valid certificates, stolen accounts

https://images.ctfassets.net/jdtwqhzvc2n1/3fqnou87sWjHiEvKupJyGB/9de43fb83d1bb45c4f9cc6f4d9f8fb3c/hero.png?w=800&q=75

On May 19, 633 malicious npm package versions passed Sigstore provenance verification. They were cleared by the system because the attacker had generated valid signing certificates from a compromised maintainer account.

Sigstore worked exactly as designed: it verified the package was built in a CI environment, confirmed a valid certificate was issued, and recorded everything in the transparency log. What it cannot do is determine whether the person holding the credentials authorized the publish — and that gap turned the last automated trust signal in npm into camouflage.

One day earlier, StepSecurity documented an attack on the Nx Console VS Code extension, a widely used developer tool with more than 2.2 million lifetime installs. Version 18.95.0 was published using stolen credentials on May 18 and stayed live for under 40 minutes — but Nx internal telemetry showed approximately 6,000 activations during that window, most through auto-update, compared to...

Copyright of this story solely belongs to venturebeat.com. To see the full text click HERE