Shai-Hulud Is Now Generating Valid Sigstore Provenance Badges for Its Malicious npm Packages

Mini Shai-Hulud pushed ~42 malicious packages through a compromised @antv maintainer account on May 19 with valid Sigstore Fulcio certificates and Rekor entries. The green "verified" badge defenders have been trusting now sits on malicious code.


At approximately 01:56 UTC on May 19, 2026, threat actors operating Mini Shai-Hulud pushed roughly 42 malicious packages through a compromised maintainer account in the @antv ecosystem — and minted valid Sigstore provenance badges for each one by calling Fulcio and Rekor at runtime. The green 'verified' badge that defenders have been telling developers to trust now sits on malicious code. This is a structural failure of the npm supply-chain trust model.

PALO ALTO, CALIFORNIA — At approximately 01:56 UTC on May 19, 2026, threat actors operating the Mini Shai-Hulud worm began a coordinated one-hour campaign that pushed roughly 42 malicious packages through a compromised maintainer account in the @antv ecosystem — npm's widely used charting, graph visualization, and mapping library family. Researchers from Endor Labs, Akamai, Aikido, Mend, Picus Security, Wiz, and others confirmed the wave within hours. Broader reporting (BleepingComputer, Cybernews) cites cumulative counts of approximately 600+ versions when including prior-wave compromises. The novel TTP, first surfaced by Endor Labs, is the campaign's abuse of Sigstore's Fulcio (certificate authority) and Rekor (transparency log) at runtime: the worm submits valid Sigstore signing certificates and transparency-log entries for every malicious package version it propagates, meaning provenance-verification tooling on developer machines displays a green 'verified' badge even though the build chain is entirely the attacker's. The payload steals GitHub, npm, cloud, Kubernetes, HashiCorp Vault, Docker, database, and SSH credentials from developer workstations and CI/CD environments. Session P2P is used as a fallback exfiltration channel. The supply-chain security community has spent two years promoting Sigstore badges as the answer to npm trust attacks. The May 19 wave defeats that trust signal at the technical level.

Disclosure Overview
| Field | Details |
| --- | --- |
| Disclosure | Endor Labs + Akamai (primary research) — May 19, 2026; corroborated by Aikido, Mend, Picus Security, Wiz, The Hacker News, The Register, BleepingComputer, Cybernews |
| Attack Window | ~01:56–02:56 UTC, May 19, 2026 (one hour) |
| Compromised Ecosystem | @antv (charting, graph visualization, mapping libraries) via single maintainer-account compromise |
| AntV-Wave Packages | ~42 malicious versions (Endor Labs); cumulative ~600+ when including prior waves (BleepingComputer, Cybernews) |
| Novel TTP | Sigstore Fulcio + Rekor abuse — worm mints valid signing certs and transparency-log entries for every malicious version at runtime |
| Payload | Credential stealer — GitHub, npm, cloud, Kubernetes, HashiCorp Vault, Docker, database, SSH |
| Exfiltration | Session P2P (fallback) + GitHub dead-drop repositories under victim accounts |

What Happened

The Sigstore Provenance Abuse

Endor Labs' research is the canonical disclosure on the novel TTP. Sigstore is the trust-chain infrastructure the supply-chain security community has spent two years promoting as the answer to npm package-poisoning attacks: Fulcio issues short-lived signing certificates tied to a verified identity, and Rekor records every signing event in a public transparency log. The Mini Shai-Hulud worm calls both at runtime. For each malicious package version it propagates, the worm requests a Fulcio certificate, submits a Rekor entry, and ships the package with a valid provenance attestation. Provenance-verification tooling on developer machines — npm's own attestation viewer, cosign, sigstore-go — displays the green 'verified' badge. The badge is structurally valid; the build chain it attests to is entirely the attacker's.

The AntV Wave Mechanics

The compromised maintainer account in the @antv ecosystem published roughly 42 malicious package versions in a one-hour window starting at 01:56 UTC on May 19, 2026. @antv is a charting, graph visualization, flowchart, and mapping library family with significant install counts across the JavaScript ecosystem. Researchers do not yet have public confirmation of how the AntV maintainer's credentials were compromised; the worm's self-propagation primitive — steal npm tokens, enumerate the packages those tokens can publish, inject the payload, bump the version, republish under the legitimate maintainer identity — continues the pattern TeamPCP established and open-sourced earlier in the cycle. Cumulative cross-wave package counts cited by BleepingComputer (~600+ versions) and The Register (~314 packages) include prior-wave compromises and do not contradict the 42-package AntV figure.

The Payload and Exfiltration

Mend's technical analysis documents a heavily obfuscated index.js payload that steals GitHub tokens, npm tokens, cloud credentials, Kubernetes config, HashiCorp Vault secrets, Docker credentials, database credentials, and SSH keys. The primary targets are developer workstations and CI/CD runner environments. The novel exfiltration channel is Session — the privacy-focused peer-to-peer messaging protocol — used as fallback when GitHub-based exfiltration is unavailable. When GitHub tokens are present, the worm creates dead-drop repositories under the victim's account and publishes stolen data there. The combined exfiltration pattern is harder to detect than centralized C2 — Session traffic appears as ordinary P2P traffic, and GitHub dead-drops appear as ordinary developer activity.

Mini Shai-Hulud — May 19 AntV Wave Profile
| Field | Details |
| --- | --- |
| Detection | Endor Labs + Akamai — within hours; Socket and StepSecurity also flagged |
| Publication Window | 01:56–02:56 UTC, May 19, 2026 |
| Compromised Maintainer | Single account in @antv ecosystem (specific identity not yet public) |
| AntV-Wave Packages | ~42 (Endor Labs canonical figure) |
| Cumulative Versions (cross-wave) | ~600 (BleepingComputer); ~314 (The Register) — figures vary by scope |
| Sigstore Fulcio + Rekor Abuse | Worm mints valid certs and log entries for every malicious version at runtime |
| Adjacent Compromise | timeago.js (~1.5M weekly downloads) cited by Cybernews as separate adjacent campaign |

Scope and Impact

The Mini Shai-Hulud cluster has now demonstrated four distinct evolutionary stages in nine days. The original Mini Shai-Hulud TanStack wave hit TanStack, Mistral AI, UiPath, and Guardrails AI on May 11 with valid SLSA Build Level 3 provenance — the first npm worm to ship malicious packages with attested provenance. The OpenAI code-signing certificate rotation confirmed downstream impact at the AI-lab tier. The TeamPCP $25K Mistral source-code auction demonstrated the source-code-extortion monetization layer. The Mini Shai-Hulud copycat clones wave showed the source-code commoditization within seven days. The May 19 AntV wave adds the fourth — Sigstore-provenance-bypass at runtime. The cadence is accelerating, not stabilizing.

The Sigstore-bypass is the most consequential trust-model failure in the npm ecosystem to date. The OpenSSF, Linux Foundation, Google, and Chainguard have spent two years building Sigstore as the canonical answer to package-trust attacks. The May 19 wave does not break Sigstore's cryptography — Fulcio's certificates and Rekor's log entries are valid as signed. What it breaks is the interpretation of those signatures as proof of trustworthiness. Signed provenance proves where a package was built, by which workflow, and with what inputs — but it does not prove the workflow itself was uncompromised at build time. When the OIDC token used to request signing certificates is stolen from a poisoned maintainer account, every downstream signature is structurally valid and substantively malicious.
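The distinction drawn above, a valid signature versus a trustworthy signer, is what a verifier's policy layer has to encode explicitly. The JavaScript below is an added example, not code from Endor Labs, Sigstore or npm; the attestation fields are a simplified, assumed summary of what a verifier reads out of a Sigstore bundle, and the repository, issuer and workflow values are placeholders.

```javascript
// Added example (not code from Endor Labs, Sigstore or npm): an identity
// policy applied *after* cosign/sigstore-go report a valid signature and
// Rekor inclusion proof. The attestation shape is a simplified, assumed
// summary of fields a verifier can read from a Sigstore bundle.
const POLICY = {
  // Hypothetical placeholders: this package's expected source repository,
  // OIDC issuer, and release-workflow identity (the Fulcio cert SAN).
  repository: 'https://github.com/example-org/example-charts',
  issuer: 'https://token.actions.githubusercontent.com',
  identity: /^https:\/\/github\.com\/example-org\/example-charts\/\.github\/workflows\/release\.yml@refs\/heads\/main$/,
};

// Returns [] if the attestation is acceptable for pkg, else the reasons to
// reject it. A valid signature by the wrong identity is still a rejection.
function evaluateProvenancePolicy(att, pkg, policy = POLICY) {
  const reasons = [];
  if (!att.signatureValid) reasons.push('signature or Rekor inclusion proof invalid');
  const want = `${pkg.name}@${pkg.version}`;
  if (att.subject !== want) reasons.push(`subject ${att.subject} is not ${want}`);
  if (att.certIssuer !== policy.issuer) reasons.push(`unexpected OIDC issuer ${att.certIssuer}`);
  if (!policy.identity.test(att.certIdentity)) reasons.push(`signer ${att.certIdentity} is not the release workflow`);
  if (att.sourceRepository !== policy.repository) reasons.push(`provenance source ${att.sourceRepository} is not the expected repository`);
  return reasons;
}

// Constructed sample: a release signed by the project's own CI workflow.
const CI_BUILT = {
  signatureValid: true,
  subject: '@example-org/charts@1.0.0',
  certIssuer: 'https://token.actions.githubusercontent.com',
  certIdentity: 'https://github.com/example-org/example-charts/.github/workflows/release.yml@refs/heads/main',
  sourceRepository: 'https://github.com/example-org/example-charts',
};
// Constructed sample: a structurally valid badge minted at runtime from an
// email/OAuth identity. The cryptography checks out; the identity does not.
const RUNTIME_MINTED = {
  ...CI_BUILT,
  subject: '@example-org/charts@1.0.1',
  certIssuer: 'https://accounts.google.com',
  certIdentity: 'maintainer@example.com',
};

console.log(evaluateProvenancePolicy(CI_BUILT, { name: '@example-org/charts', version: '1.0.0' }));
console.log(evaluateProvenancePolicy(RUNTIME_MINTED, { name: '@example-org/charts', version: '1.0.1' }));
```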

Response and Attribution

For DevSecOps and platform-engineering teams: treat Sigstore provenance badges as advisory only, not authoritative. Block @antv ecosystem packages and timeago.js at registry proxies until your security team verifies clean versions; use lockfiles to pin to known-good versions published before 01:56 UTC May 19. Rotate every developer and CI-context credential — GitHub, npm, cloud, Kubernetes, Vault, Docker, database, SSH — if these packages appear in any lockfile across your fleet. Enable real-time package-scanning tools (Snyk, Socket, Phylum, GitGuardian, StepSecurity) on every npm install call in blocking mode. Hunt for outbound Session P2P traffic from developer workstations and CI runners; add Session protocol signatures to egress monitoring.
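The lockfile and pinning steps above, as an added example in JavaScript (not from the page or any vendor): it walks a package-lock.json, flags @antv-scope packages and timeago.js, and compares each installed version's registry publish time with the 01:56 UTC May 19 cutoff. The lockfile, registry timestamps and version numbers are constructed placeholders.

```javascript
// Added example (not the page's or any vendor's code): triage a
// package-lock.json (lockfileVersion 3: "packages" keyed by node_modules
// path) against the guidance above: watch the @antv scope and timeago.js,
// and keep only versions published before the 01:56 UTC May 19 window.
const CUTOFF = Date.parse('2026-05-19T01:56:00Z');
const WATCHED_SCOPES = ['@antv'];
const WATCHED_NAMES = ['timeago.js'];

// "node_modules/foo/node_modules/@antv/g2" -> "@antv/g2"
function packageName(lockPath) {
  const parts = lockPath.split('node_modules/');
  return parts[parts.length - 1];
}

function isWatched(name) {
  return WATCHED_NAMES.includes(name) ||
    WATCHED_SCOPES.some((scope) => name.startsWith(scope + '/'));
}

// registryTimes: name -> the registry document's "time" map
// (version -> ISO 8601 publish timestamp). One finding per watched package.
function triageLockfile(lock, registryTimes) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = packageName(path);
    if (!isWatched(name)) continue;
    const published = registryTimes[name] && registryTimes[name][entry.version];
    let verdict = 'pre-attack-version';
    if (published === undefined) verdict = 'unknown-publish-time';
    else if (Date.parse(published) >= CUTOFF) verdict = 'published-in-or-after-window';
    findings.push({ name, version: entry.version, path, verdict });
  }
  return findings;
}

// Constructed sample input; version numbers are placeholders, not indicators.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'dashboard', version: '1.0.0' },
  'node_modules/@antv/g2': { version: '9.9.9' },
  'node_modules/@antv/util': { version: '1.0.0' },
  'node_modules/timeago.js': { version: '9.9.8' },
  'node_modules/lodash': { version: '1.0.0' },
} };
const SAMPLE_TIMES = {
  '@antv/g2': { '9.9.9': '2026-05-19T02:10:00Z' },
  '@antv/util': { '1.0.0': '2026-03-02T09:00:00Z' },
};

console.table(triageLockfile(SAMPLE_LOCK, SAMPLE_TIMES));
```

Packages with an unknown publish time are reported rather than silently passed, so an offline run never downgrades a watched package to "clean" by accident.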

The npm-ecosystem stakeholder layer is where the policy intervention has to land. Push npm Inc. for mandatory hardware-key MFA for maintainers of packages with greater than 1M weekly downloads. Push for rate limiting on new package versions per account per hour. Push the OpenSSF and Linux Foundation for a Sigstore response architecture — maintainer-identity proofing at the Fulcio CA level (currently relies on email/OAuth, easily abused by a compromised account), build-environment attestation, and post-publication anomaly detection. The pattern is the same one The CyberSignal has tracked across the PCPJack tradecraft and the broader npm-maintainer-account compromise cluster: package-registry security baselines are now critical-infrastructure-adjacent, and the regulator engagement layer (CISA, ENISA, NIST) has direct levers.


The CyberSignal Analysis

Signal 01 — The Sigstore Provenance-Badge Trust Signal Has Been Defeated at the Technical Level

Two years of supply-chain security advocacy has told developers to trust the green Sigstore badge. The May 19 AntV wave makes that guidance materially wrong for high-impact packages. Defenders need to layer provenance verification with additional controls: maintainer-account identity confirmation, build-environment attestation, source-code review for high-impact dependencies, and post-publication anomaly detection. SLSA provenance is necessary but not sufficient. Update internal trust-architecture documentation to reflect the new posture; this is the most significant supply-chain trust-model change of the 2026 cycle so far.

Signal 02 — Single-Maintainer-Account Compromise Is the npm Crown-Jewel Risk

A single compromised maintainer account produced 42 malicious versions in one hour. The pattern recurs across the spring 2026 cycle — the original Mini Shai-Hulud TanStack/Mistral wave and the copycat clones wave both rode single-account compromises into ecosystem-scale impact. npm-maintainer-account security is now a Tier 1 supply-chain risk. CISOs should engage npm Inc. directly on mandatory hardware-key MFA for high-impact maintainers; if your organization sponsors packages with greater than 1M weekly downloads, push for the policy at the registry level.

Signal 03 — Session P2P Exfiltration Is the New Egress-Monitoring Hunt Category

The use of Session — the privacy-focused P2P messaging protocol — as a fallback exfiltration channel is operationally new for npm-worm tradecraft. Session traffic appears as ordinary peer-to-peer traffic; centralized C2 detection does not apply. SOC and threat-hunting teams should add Session protocol signatures to egress monitoring across developer workstations and CI/CD runners. Expect more Session-and-similar P2P exfiltration channels in npm-worm payloads through 2026.


Sources

| Type | Source |
| --- | --- |
| Primary | Endor Labs — Mini Shai-Hulud Returns (Fake Sigstore Badges in AntV) |
| Primary | Akamai — Mini Shai-Hulud Worm Returns |
| Primary | Aikido — AntV npm Supply Chain Attack |
| Reporting | The Hacker News — Malicious AntV npm Packages |
| Reporting | BleepingComputer — 600 npm Packages Compromised |
| Primary | Wiz — Shai-Hulud 2.0 |
| Related | The CyberSignal — Mini Shai-Hulud TanStack Wave |
| Related | The CyberSignal — Copycat Clones |