npm Attacks: How Hackers Bypass Package Authenticity Checks

Photo: VentureBeat
On the night of May 19, attackers published 633 malicious package versions in the npm registry, successfully passing Sigstore authenticity verification. The attack was made possible by compromising a maintainer's account, enabling the generation of valid signing certificates for the packages. While Sigstore correctly confirmed that the packages were built in a CI environment, it failed to distinguish whether the publisher was the legitimate developer or a threat actor using stolen credentials.
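The failure mode described above is that a Sigstore/provenance check answers "was this built by a CI workflow with a valid certificate?" but not "was it built by the workflow and repository this package is supposed to come from?". The following added example (not code from the original article or from any of the vendors it cites) shows the policy layer a consumer can add on top of signature verification: decode the signed in-toto statement, read the SLSA v1 provenance predicate that npm publishes, and compare the source repository, workflow path and builder against a pinned allowlist. The package name, repository URLs, digest and policy table are constructed placeholders; the attestation layout follows the SLSA v1 predicate shape npm uses, and signature verification itself is assumed to have already happened (for example via `npm audit signatures`).

```python
"""Policy check over an npm provenance attestation (SLSA v1 predicate).

Added example: a valid signature only proves *some* trusted CI built the
package. To catch a publish from a compromised account, the consumer must
also pin *which* repository and workflow is allowed to build each package.
"""
import base64
import json

# Constructed policy: the one publisher we expect for each package.
# Package name and URLs are hypothetical placeholders.
TRUSTED_PUBLISHERS = {
    "example-lib": {
        "repository": "https://github.com/example-org/example-lib",
        "workflow_path": ".github/workflows/publish.yml",
        "builder_id_prefix": "https://github.com/actions/runner/",
    }
}


def make_statement(repository: str) -> dict:
    """Build a constructed in-toto statement carrying a SLSA v1 predicate."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg:npm/example-lib@1.2.3",
                     "digest": {"sha512": "0000placeholder0000"}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
                "externalParameters": {
                    "workflow": {"ref": "refs/heads/main",
                                 "repository": repository,
                                 "path": ".github/workflows/publish.yml"},
                },
            },
            # builder id value assumed to match GitHub-hosted runners
            "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
        },
    }


# Constructed samples: the expected publisher vs. a CI build from elsewhere.
LEGIT_STATEMENT = make_statement("https://github.com/example-org/example-lib")
SUSPICIOUS_STATEMENT = make_statement("https://github.com/someone-else/example-lib")


def make_envelope(statement: dict) -> dict:
    """Wrap a statement as an (unsigned, constructed) DSSE envelope."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json",
            "payload": payload, "signatures": []}


def decode_dsse_payload(envelope: dict) -> dict:
    """Decode the base64 payload of a DSSE envelope into the statement.

    Signature verification is assumed to have been done already; this step
    only inspects *what* was signed.
    """
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def package_name_from_subject(statement: dict) -> str:
    """Return the bare package name from a purl-style subject (pkg:npm/...)."""
    name = statement["subject"][0]["name"]
    if not name.startswith("pkg:npm/"):
        raise ValueError(f"not an npm subject: {name!r}")
    name = name[len("pkg:npm/"):]
    at = name.rfind("@")            # strip @version; keep a leading @ for scopes
    return name[:at] if at > 0 else name


def check_provenance(statement: dict, policy: dict = TRUSTED_PUBLISHERS) -> list:
    """Return a list of policy findings; an empty list means the build origin
    matches the pinned publisher for this package."""
    findings = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        return ["predicateType is not SLSA provenance v1"]
    pkg = package_name_from_subject(statement)
    expected = policy.get(pkg)
    if expected is None:
        # Unpinned package: provenance alone must not be treated as trust.
        return [f"no pinned publisher for {pkg}; refusing to trust provenance alone"]
    pred = statement["predicate"]
    wf = pred["buildDefinition"]["externalParameters"]["workflow"]
    builder_id = pred["runDetails"]["builder"]["id"]
    if wf.get("repository") != expected["repository"]:
        findings.append(f"repository mismatch: {wf.get('repository')} != {expected['repository']}")
    if wf.get("path") != expected["workflow_path"]:
        findings.append(f"workflow path mismatch: {wf.get('path')}")
    if not builder_id.startswith(expected["builder_id_prefix"]):
        findings.append(f"unexpected builder: {builder_id}")
    return findings


if __name__ == "__main__":
    for label, st in (("legit", LEGIT_STATEMENT), ("suspicious", SUSPICIOUS_STATEMENT)):
        print(label, check_provenance(decode_dsse_payload(make_envelope(st))) or "OK")
```

The design point is that the allowlist lives with the consumer, not in the attestation: an attacker who can mint a valid certificate controls everything inside the envelope, so the only field that can contradict them is one the verifier brought along itself. Unpinned packages are deliberately reported rather than silently accepted.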
Simultaneously, an attack targeted the popular Nx Console extension for VS Code, installed over 2.2 million times. Within 40 minutes of the malicious version being available, it automatically updated on 6,000 users' systems. The malicious code harvested configurations from Claude Code, AWS tokens, GitHub and npm tokens, 1Password vault contents, and Kubernetes credentials. Researchers attribute the campaign to the financially motivated group TeamPCP, operating under the alias Mini Shai-Hulud.
Experts from Endor Labs, Socket, StepSecurity, and others identified seven key vulnerabilities exploited in the attacks: npm package origin spoofing, VS Code extension credential theft, automatic execution of MCP servers, injections into CI/CD agents, code execution in agent frameworks, data leaks from IDEs, and uncontrolled use of AI services by employees. AI-powered coding tools like Claude Code and GitHub Copilot pose particular risks, as they automatically execute code without additional checks.
Analysts report a surge in hacker group activity targeting developer credential theft. According to CrowdStrike's report, the STARDUST CHOLLIMA group tripled its attacks on financial organizations in late 2025, using phishing campaigns with fake technical assignments and synthetic video call environments. Primary targets include GitHub tokens, npm keys, AWS secrets, and CI/CD credentials.
To mitigate risks, experts recommend implementing two-factor authentication for publishing high-impact packages, restricting AI tool usage in corporate environments, and auditing all IDE extensions with terminal or file system access. Special attention should be given to CI/CD pipelines, where AI agents may process malicious instructions from pull request comments.