Npm Supply Chain: Valid Certificates, Stolen Accounts
5 Articles
npm supply chain: valid certificates, stolen accounts
On May 19, 633 malicious npm package versions passed Sigstore provenance verification. They were cleared by the system because the attacker had generated valid signing certificates from a compromised maintainer account. Sigstore worked exactly as designed: it verified the package was built in a CI environment, confirmed a valid certificate was issued, and recorded everything in the transparency log. What it cannot do is determine whether the pers…
Microsoft Tracks Mini Shai Hulud Malware Infiltrating the AntV Ecosystem
Reading Time: 3 minutes. Key Takeaways: Hackers took over a developer’s account to put bad code into common packages like @antv/g2 and echarts-for-react. The bad code runs automatically during installation, instantly stealing passwords and security keys. The malware uses stolen keys to infect software packages across the internet. If these packages were used, the software folders must be deleted and all computer passwords changed immediately. A …
Mini Shai-Hulud Compromises @antv npm Packages to Steal CI/CD Credentials
A new and sophisticated supply chain attack has been uncovered, targeting one of the most trusted corners of the open-source software world. Dubbed “Mini Shai-Hulud,” this campaign went after the @antv npm package ecosystem, a collection of widely used data visualization libraries powering dashboards and applications for developers globally. The attack was quiet, precise, and designed to cause maximum damage before anyone noticed. What made this…
Hackers Launch Automated Mini Shai Hulud Supply Chain Attack Targeting Open Source Developer Packages
Cybersecurity compliance firms StepSecurity and SafeDep discovered a coordinated open-source software supply-chain attack that hijacked developer credentials to distribute malicious code updates to downstream users. The automated campaign targeted widely used programming components across public registries, infecting over 320 distinct software packages to harvest sensitive credentials from development environments. Security investigators traced …