Attackers exploited a critical vulnerability in npm's security infrastructure by compromising maintainer accounts and using valid Sigstore certificates to distribute 633 malicious package versions on May 19. The packages passed Sigstore provenance verification because the system confirmed legitimate certificates and CI environment builds, but could not detect whether the account holder authorized the publication.
Sigstore, designed to verify package authenticity, functioned as intended by validating certificates and recording transactions in transparency logs. The gap between technical verification and authorization intent became the attack surface. Compromised credentials meant attackers could generate valid signatures without triggering alerts, transforming npm's last automated trust signal into cover for malicious activity.
StepSecurity identified the breach one day prior, flagging account takeover patterns. The incident reveals a fundamental flaw in npm's security model: technical verification alone cannot prevent unauthorized package publishing when credentials are stolen. The attackers exploited the AntV ecosystem, a popular visualization library, affecting downstream projects that depend on these packages.
This attack demonstrates that even cryptographic verification has limits. Sigstore cannot distinguish between legitimate and fraudulent use of valid credentials. npm's dependency on account security creates a single point of failure that no signature system can fully mitigate. The 633 compromised versions showed that scale matters less than sophistication when trust mechanisms can be abused through legitimate channels.
The ecosystem now faces a broader trust crisis. Developers relying on npm's signing badges cannot determine whether those signatures represent authentic maintainers or compromised accounts. The vulnerability suggests npm needs additional layers beyond cryptographic verification, such as stronger authentication requirements, behavioral anomaly detection, and faster incident response mechanisms.
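An added example, not from the original article and not npm or Sigstore code: a consumer-side release gate that treats verified provenance as one input and layers behavioral checks on top. The record fields, thresholds, package name and dates are constructed assumptions.

```javascript
// Added example. Record shape, thresholds and sample data are constructed
// assumptions, not an npm or Sigstore API.
const HOUR = 60 * 60 * 1000;
const BURST_WINDOW = HOUR;      // assumed: window for counting rapid publishes
const BURST_LIMIT = 3;          // assumed: max versions allowed in that window
const COOLDOWN = 72 * HOUR;     // assumed: minimum release age before install

// history: prior releases; candidate: release under review; now: epoch ms.
function assessRelease(history, candidate, now) {
  const findings = [];
  const id = (r) => `${r.repo}|${r.workflow}`;
  const t = Date.parse(candidate.publishedAt);

  // A valid signature is necessary, but the checks below do not stop there.
  if (!candidate.provenanceVerified) findings.push('provenance-invalid');

  // Build identity should match what earlier verified releases used.
  const known = new Set(history.filter((r) => r.provenanceVerified).map(id));
  if (known.size > 0 && !known.has(id(candidate))) findings.push('build-identity-drift');

  // A publisher never seen on this package warrants review.
  const publishers = new Set(history.map((r) => r.publisher));
  if (publishers.size > 0 && !publishers.has(candidate.publisher)) findings.push('new-publisher');

  // Many versions in a short window is unusual for a human release cadence.
  const nearby = history.filter((r) => Math.abs(Date.parse(r.publishedAt) - t) <= BURST_WINDOW);
  if (nearby.length + 1 > BURST_LIMIT) findings.push('publish-burst');

  // Cooldown gives detection and takedown time to act before adoption.
  if (now - t < COOLDOWN) findings.push('inside-cooldown');

  return { allow: findings.length === 0, findings };
}

// Constructed sample data for a hypothetical package.
const rel = (version, publishedAt, extra = {}) => ({
  version, publishedAt, publisher: 'alice', repo: 'github.com/example/viz',
  workflow: '.github/workflows/release.yml', provenanceVerified: true, ...extra,
});
const baseline = [rel('1.0.0', '2024-01-10T10:00:00Z'), rel('1.1.0', '2024-03-02T09:00:00Z')];
const burst = ['1.1.1', '1.1.2', '1.1.3'].map((v, i) => rel(v, `2024-06-01T02:0${i}:00Z`));

const routine = assessRelease(baseline, rel('1.2.0', '2024-05-01T12:00:00Z'), Date.parse('2024-05-10T12:00:00Z'));
const suspect = assessRelease([...baseline, ...burst], rel('1.1.4', '2024-06-01T02:15:00Z'), Date.parse('2024-06-01T03:00:00Z'));
console.log(routine, suspect);
```

The `suspect` release carries verified provenance and is still held by the burst and cooldown checks, which is the gap between valid signature and authorized publish described above.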
This incident will likely reshape how the JavaScript community approaches supply chain security. It exposes the limits of current verification methods and demands rethinking of how npm validates not just packages, but the humans controlling publish permissions.
