Threat actors earlier today published more than 600 malicious packages to the npm index as part of a new Shai-Hulud supply-chain campaign. Most of the affected packages are in the @antv ecosystem, which includes libraries for charting, graph visualization, building flowcharts, and mapping.
Commenting on this news is Dan Moore, Sr. Director, CIAM Strategy & Identity Standards at FusionAuth:
“In the OIDC/OAuth security model, tokens are short-lived by design. OIDC assumes you authenticate for a specific operation and the token expires in a timely fashion. That’s what’s supposed to happen but in practice many CI/CD pipelines and services don’t yet use these.
What is scary about this attack is that OIDC tokens were abused and used to submit artifacts to Fulcio and Reko, core components of the Sigstore project. The Sigstore project is an ecosystem for signing/verifying software and is used by projects like Kubernetes and PyPI.
This latest Shai-Hulud attack is more dangerous than the previous TanStack breach. Previously, valid provenance attestations required hijacking the legitimate CI/CD pipeline. The attacker needed the real workflow to run, which is a significant effort. Now the malware generates Sigstore attestations directly from stolen OIDC tokens, without the pipeline at all. This is an attack on the root of supply chain security. Provenance verification no longer tells you what you think it tells you.
Unfortunately, short-lived OIDC tokens don’t solve everything. The real gap here is that “this package was built by the expected pipeline” became conflated with “this package is trustworthy.” Closing that gap requires things like:
- Verifying the build configuration hasn’t changed (not just that the build ran)
- Checking commit signatures and authorship against expected maintainers
- Detecting orphan commits from deleted forks
- Pre-install script sandboxing
- Consumer-side policy that doesn’t treat supply chain frameworks like SLSA as ground truth without considering the entire picture”
This example shows you just how important “trust but verify” is. That sort of thing worked for Ronald Regan. It should work for you as well.
Related
This entry was posted on May 19, 2026 at 2:01 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
New Shai-Hulud malware wave compromises 600 npm packages
Threat actors earlier today published more than 600 malicious packages to the npm index as part of a new Shai-Hulud supply-chain campaign. Most of the affected packages are in the @antv ecosystem, which includes libraries for charting, graph visualization, building flowcharts, and mapping.
Commenting on this news is Dan Moore, Sr. Director, CIAM Strategy & Identity Standards at FusionAuth:
“In the OIDC/OAuth security model, tokens are short-lived by design. OIDC assumes you authenticate for a specific operation and the token expires in a timely fashion. That’s what’s supposed to happen but in practice many CI/CD pipelines and services don’t yet use these.
What is scary about this attack is that OIDC tokens were abused and used to submit artifacts to Fulcio and Reko, core components of the Sigstore project. The Sigstore project is an ecosystem for signing/verifying software and is used by projects like Kubernetes and PyPI.
This latest Shai-Hulud attack is more dangerous than the previous TanStack breach. Previously, valid provenance attestations required hijacking the legitimate CI/CD pipeline. The attacker needed the real workflow to run, which is a significant effort. Now the malware generates Sigstore attestations directly from stolen OIDC tokens, without the pipeline at all. This is an attack on the root of supply chain security. Provenance verification no longer tells you what you think it tells you.
Unfortunately, short-lived OIDC tokens don’t solve everything. The real gap here is that “this package was built by the expected pipeline” became conflated with “this package is trustworthy.” Closing that gap requires things like:
This example shows you just how important “trust but verify” is. That sort of thing worked for Ronald Regan. It should work for you as well.
Share this:
Like this:
Related
This entry was posted on May 19, 2026 at 2:01 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.