npm Supply Chain Attack: How Stolen Accounts and Valid Certificates Broke npm’s Final Trust Barrier
For years, JavaScript developers operated under a quiet assumption: if a package came from the official npm registry, carried a valid provenance attestation, and hadn’t triggered any audit warnings, it was probably safe. That assumption died on May 19, 2026.
On a Monday morning that will be remembered in infosec circles for years, a threat actor tracked as TeamPCP launched a devastating npm supply chain attack that compromised two long-trusted npm maintainer accounts — atool and prop — and published over 630 malicious package versions across more than 320 unique packages in under 30 minutes. The packages weren’t obscure experiments buried in the long tail of the registry. Many belonged to the @antv ecosystem, Alibaba’s widely-used data visualization libraries, with downstream impact cascading into popular packages like echarts-for-react, which clocks over a million weekly downloads.
What made this attack unprecedented wasn’t the scale, though the numbers are staggering. It wasn’t even the speed, though the entire campaign unfolded in two automated waves spanning just 27 minutes. The truly chilling part was this: every single malicious package passed npm’s most rigorous trust checks. They had valid Sigstore provenance attestations. They were signed with legitimate certificates. They were published from accounts with years of benign history. In other words, every automated signal that modern developers rely on to distinguish legitimate code from malware told a comforting lie.
The blast radius extends far beyond individual node_modules folders. Microsoft’s Security Response Center confirmed active CI/CD credential theft. Independent researchers at Phoenix Security identified over 2,500 compromised GitHub repositories. SlowMist’s threat intelligence division tracked memory-scraping behavior and self-propagation mechanisms that could keep this worm alive long after the initial takedown. If you build or deploy JavaScript applications, this npm supply chain attack concerns you directly.

Let’s peel back exactly how this npm supply chain attack happened, why every existing defense failed, and what you should be doing about it today.
How the npm Supply Chain Attack Worked: A Two-Part Bypass
This wasn’t a smash-and-grab operation. The TeamPCP campaign demonstrated a surgical understanding of npm’s trust architecture, exploiting a gap that sits uncomfortably between identity verification and authorization.
Phase 1: Account Takeover via Stolen Maintainer Credentials
The entry point was deceptively simple. The attackers compromised the npm accounts atool and prop — legitimate maintainers with established publishing histories. The atool account alone maintained 547 packages, many within the @antv namespace. Phoenix Security’s analysis suggests the compromise likely involved credential theft, possibly via reused passwords exposed in prior breaches, social engineering, or session hijacking of long-lived authentication tokens.
Here’s the crucial detail: these weren’t freshly registered accounts or obvious typosquats. They were trusted identities with years of benign commits, established GitHub profiles, and legitimate publishing patterns. To npm’s automated systems, they looked exactly like what they technically were: authorized maintainers. This stealthy first phase is what made the overall attack so difficult to detect in real time.
Phase 2: Publishing Malicious Updates with Valid Certificates
With maintainer access secured, the attackers didn’t just dump unverified code into the registry. They did something far more insidious: they published packages that carried valid SLSA Build Level 3 provenance attestations through npm’s Sigstore integration.
For context, npm introduced provenance attestations to give developers cryptographic proof that a package was built from a specific source repository in a specific CI/CD environment. When you run npm audit or inspect a package’s provenance badge, you’re essentially checking: Was this built from the claimed source code in a transparent environment?
Sigstore worked exactly as designed. It verified the packages were built in a CI environment, confirmed valid certificates were issued, and recorded everything in the transparency log. But provenance attestation answers a different question than the one developers actually need answered. It tells you how the package was built, not who authorized the build or what the build contained. As the Cloud Security Alliance's research note dryly observed, the signatures were mathematically perfect and operationally meaningless.
The result? Every automated check passed. The account was legitimate. The certificate was valid. The provenance was intact. The malware sailed through. This is the hallmark of a mature supply chain attack: leveraging the registry’s own trust mechanisms against it.

Why Existing npm Defenses Failed This Time
The JavaScript ecosystem has spent the last several years building defensive layers around npm. Two-factor authentication became mandatory for high-impact maintainers. Audit logs improved. Sigstore provenance rolled out with genuine fanfare. This npm supply chain attack didn’t break those defenses; it bypassed them by satisfying every requirement perfectly.
The Provenance Paradox
Provenance attestations are built on the assumption that compromising the build pipeline is the primary threat model. If an attacker injects malicious code into a GitHub repository and it gets built automatically, provenance will faithfully record that build. It never claimed to detect whether the code itself was malicious — but in practice, developers treat provenance as a proxy for safety.
The @antv compromise exposed this semantic gap in the harshest possible terms. The packages were built from repositories the attackers controlled (post-compromise), signed with certificates they legitimately acquired through the compromised account’s OIDC bindings, and deposited into the transparency log as perfectly ordinary events.
The Insider Threat Problem in Open-Source Registries
Open-source registries operate on a fundamental trust model that assumes maintainers are who they say they are, and that their intentions align with the community’s. This model works wonderfully until it doesn’t. The traditional security framing distinguishes between “external attackers” and “insider threats,” but in open source, a compromised maintainer account effectively converts an external attacker into an instant insider.
npm’s automated defenses are designed to detect anomalies: new accounts publishing popular package names, suspicious version bumps, typosquats imitating trusted libraries. TeamPCP didn’t trigger any of these. They used established accounts, published to packages those accounts already maintained, and versioned their releases according to established semver patterns. From npm’s perspective, this looked like an unusually productive Monday morning, not an active supply chain attack.
For additional hardening strategies that stop insider-threat scenarios in CI/CD pipelines, see our earlier analysis of the PyTorch Lightning supply chain compromise.
What Packages Were Affected and How to Check
The scope of this npm supply chain attack is genuinely staggering. Socket’s independent analysis identified 639 compromised versions across 323 unique packages, while SlowMist’s MistEye monitoring system tracked 637 malicious versions covering 317 package names published in just 22 minutes. Microsoft confirmed active exploitation targeting the @antv visualization ecosystem with cascading downstream effects.
Known Compromised Namespaces and Packages
The primary impact concentrated in:
- @antv/* — Alibaba's AntV data visualization libraries, including @antv/g2, @antv/g6, and related packages
- @lint-md/* — Markdown linting utilities
- @openclaw-cn/* and @starmind/* — Additional namespaces associated with the prop account
- Standalone libraries — Various JavaScript utilities maintained by the atool account
Auditing Your Dependencies
If you manage a JavaScript or Node.js project, you should audit your dependency tree immediately. Here’s how:
Check your lockfile for known malicious version ranges:
```bash
# Search for @antv packages installed after May 18, 2026
```
Inspect installed package contents for obvious indicators:
```bash
# Search for recently modified files in node_modules
```
Use automated scanning tools:
- npm audit — Catches known vulnerabilities, though it won't catch novel supply-chain malware immediately
- Socket.dev — Offers deeper behavioral analysis of package changes
- Snyk — Monitor for license and security issues across your dependency tree
- Phoenix Security / Endor Labs — Enterprise-grade supply-chain monitoring with IoC feeds
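The three audit steps above can be folded into one lockfile pass. The Node script below is an added example, not code from the original post or from npm: it walks a `package-lock.json` (lockfileVersion 2 or 3), flags every package under the namespaces named in this post, matches versions against a block list, and surfaces two weaker signals (a missing integrity hash, a declared install script). The lockfile fragment, the `KNOWN_BAD` block list and its version numbers are constructed placeholders, not real indicators; in a real run you would `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and load the block list from your vendor's IoC feed.

```javascript
// Added example (not from the original post or from npm): audit a package-lock.json
// (lockfileVersion 2 or 3) for packages in the namespaces the advisory names, for
// versions on a block list, and for two weaker signals (missing integrity hash,
// declared install script). The lockfile and block list below are constructed.

// Scopes called out in the post; every package under these scopes is flagged for review.
const WATCHED_SCOPES = ["@antv", "@lint-md", "@openclaw-cn", "@starmind"];

// Constructed block list: package name -> set of known-bad versions. In practice this
// comes from your vendor's IoC feed; the versions here are placeholders, not real IoCs.
const KNOWN_BAD = new Map([
  ["@antv/g2", new Set(["5.99.0"])],
  ["echarts-for-react", new Set(["3.99.1"])],
]);

// "node_modules/foo/node_modules/@antv/g6" -> "@antv/g6"; "" (the root project) -> null.
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

function scopeOf(name) {
  return name.startsWith("@") ? name.split("/")[0] : null;
}

// Walks every installed package and returns findings; block-listed versions sort first.
function auditLockfile(lock, scopes = WATCHED_SCOPES, knownBad = KNOWN_BAD) {
  if (!lock.packages) {
    throw new Error("expected lockfileVersion 2 or 3 (a 'packages' map); regenerate with npm >= 7");
  }
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    const name = packageNameFromPath(lockPath);
    if (name === null) continue;
    const reasons = [];
    if (knownBad.get(name)?.has(entry.version)) reasons.push("version on block list");
    if (scopes.includes(scopeOf(name))) reasons.push("watched namespace");
    if (!entry.integrity) reasons.push("no integrity hash recorded");
    if (entry.hasInstallScript) reasons.push("declares an install script");
    if (reasons.length) findings.push({ name, version: entry.version, path: lockPath, reasons });
  }
  const isBlocked = (f) => Number(f.reasons[0] === "version on block list");
  findings.sort((a, b) => isBlocked(b) - isBlocked(a));
  return findings;
}

// Constructed lockfile fragment in the shape npm >= 7 writes (resolved URLs omitted).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@antv/g2": "^5.0.0", "echarts-for-react": "^3.0.0", lodash: "^4.17.21" } },
    "node_modules/@antv/g2": { version: "5.99.0", integrity: "sha512-PLACEHOLDER", hasInstallScript: true },
    "node_modules/echarts-for-react": { version: "3.0.2", integrity: "sha512-PLACEHOLDER" },
    "node_modules/echarts-for-react/node_modules/@antv/g6": { version: "5.0.0", integrity: "sha512-PLACEHOLDER" },
    "node_modules/lodash": { version: "4.17.21", integrity: "sha512-PLACEHOLDER" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version} (${f.path}): ${f.reasons.join("; ")}`);
}
```

The lockfile records versions and integrity hashes but not publish dates, so the "installed after May 18" check needs the registry: `npm view <package> time --json` returns the publish timestamp of every version, which you can compare against the cutoff for each flagged package. Nested installs matter too, which is why the script resolves the package name from the last `node_modules/` segment rather than only looking at top-level entries.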
If you discover any packages from the affected namespaces installed in your environment, treat the surrounding infrastructure as potentially compromised. Microsoft’s analysis confirmed memory scraping and CI/CD credential exfiltration, meaning a poisoned dependency might have harvested your cloud provider tokens, GitHub PATs, or database credentials.

npm’s Official Response and What Changed
The response to this npm supply chain attack unfolded rapidly across multiple organizations, reflecting its severity and cross-organizational impact. For a look at how similar memory-scraping malware operates in other ecosystems, see our analysis of the BitLocker backdoor exploit.
Registry-Level Countermeasures
GitHub (which operates npm) moved quickly to revoke the compromised accounts’ publishing access and pull the identified malicious versions from the registry. However, npm’s distributed nature means that removed versions remain accessible through mirrors, local caches, and private registries that had already synced the packages. The registry also initiated certificate review and OIDC binding audits for high-volume maintainer accounts associated with the affected namespaces.
Microsoft’s Security Response Center published a detailed analysis on May 20, confirming the CI/CD credential theft vector and identifying the self-propagation mechanisms that allowed the worm to maintain persistence. The Cloud Security Alliance followed with research notes documenting how SLSA Build Level 3 provenance was subverted, a particularly uncomfortable revelation for an industry that had begun treating provenance as a gold standard.
Disclosure Timeline
- May 19, 2026, ~02:00 UTC — Initial wave of malicious packages published by the atool account
- May 19, 2026, ~02:27 UTC — Second wave completes; 318 packages poisoned
- May 19, 2026, Morning UTC — Independent security researchers (Socket, SlowMist) detect anomalous publishing patterns
- May 20, 2026 — Microsoft Security blog publishes detailed threat intelligence
- May 20–21, 2026 — npm/GitHub confirms account revocation and ongoing investigation
Notably, the entire disclosure-to-patch window for the initial wave was measured in hours, not days — an improvement over previous supply-chain incidents. But the speed of the attack (27 minutes from first to last publish) means that even a rapid response couldn’t prevent millions of downloads during the exposure window.
Actionable Defense: What Developers Should Do Today
This npm supply chain attack doesn’t have a single-point solution. Defending against privileged-account compromise with valid certificates requires layered, cultural, and technical changes.
Pin Dependencies and Verify Checksums
Stop accepting floating versions in production. A package.json full of ^ and ~ ranges is an open invitation to automatically install whatever the registry serves next.
```json
{
```
Use npm ci instead of npm install in CI/CD pipelines to enforce lockfile integrity. Verify lockfile checksums (npm audit signatures) when available.
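Pinning by hand across a large manifest is error-prone, so here is an added example (not from the original post or from npm) that does it mechanically: it rewrites every floating range in `package.json` to the exact version already resolved in `package-lock.json`, reports what changed, and lists dependencies it could not resolve instead of guessing. The manifest and lockfile fragments are constructed; the `github:PLACEHOLDER-org/...` spec is there only to show that non-registry specs are left alone.

```javascript
// Added example (not from the original post or from npm): replace floating semver
// ranges in package.json with the exact version already resolved in package-lock.json,
// so the manifest and the lockfile say the same thing. Inputs are constructed.

// Exact version: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Anything that is not a bare exact version is floating (^, ~, *, x-ranges, >=, ||, ...).
// Non-registry specs (git, github:, file:, workspace:, npm: aliases) are left alone.
function isFloating(spec) {
  if (/^(?:git\+|git:|https?:|github:|file:|link:|workspace:|npm:)/.test(spec)) return false;
  return !EXACT_VERSION.test(spec.trim());
}

// Version of the top-level install of `name`, or null if the lockfile has no entry for it.
function resolvedVersion(lock, name) {
  const entry = lock.packages?.[`node_modules/${name}`];
  return entry?.version ?? null;
}

// Returns a new manifest plus what changed; dependencies with no lockfile entry are
// reported as unresolved rather than guessed.
function pinDependencies(manifest, lock, fields = ["dependencies", "devDependencies", "optionalDependencies"]) {
  const pkg = JSON.parse(JSON.stringify(manifest)); // work on a copy, never mutate the input
  const changes = [];
  const unresolved = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      if (!isFloating(spec)) continue;
      const version = resolvedVersion(lock, name);
      if (version === null) { unresolved.push(name); continue; }
      pkg[field][name] = version;
      changes.push({ field, name, from: spec, to: version });
    }
  }
  return { pkg, changes, unresolved };
}

// Constructed inputs: one exact pin, two floating ranges, one unresolved range, one git spec.
const SAMPLE_MANIFEST = {
  name: "demo-app",
  dependencies: {
    "@antv/g2": "^5.0.0",
    lodash: "4.17.21",
    "left-pad": "~1.3.0",
    "my-fork": "github:PLACEHOLDER-org/my-fork#v1",
  },
  devDependencies: { typescript: "*" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@antv/g2": { version: "5.2.3" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/typescript": { version: "5.4.5", dev: true },
  },
};

const result = pinDependencies(SAMPLE_MANIFEST, SAMPLE_LOCK);
for (const c of result.changes) console.log(`${c.field}.${c.name}: ${c.from} -> ${c.to}`);
if (result.unresolved.length) console.log("not in lockfile (run npm install first):", result.unresolved.join(", "));
```

Write `result.pkg` back with `JSON.stringify(pkg, null, 2)` and commit both files together; `npm ci` refuses to run when the manifest and lockfile disagree, so the pipeline will catch any drift. To keep new additions exact from then on, `npm config set save-exact true` makes `npm install <pkg>` record a bare version instead of a caret range.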
Adopt Automated Dependency Scanning in CI/CD
Provenance checking alone is insufficient. Integrate behavioral analysis tools into your pipeline:
```yaml
# Example GitHub Actions step
```
Require human review for any dependency update that:
- Modifies more than 10 files in node_modules
- Adds network-request capabilities to previously offline packages
- Introduces binary/native dependencies where none existed before
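Those three triggers can be checked automatically before a human ever sees the diff. The script below is an added example, not code from the original post or from any of the scanners it names: given the old and new version of a package as `{ relativePath: fileContents }` objects (the shape you would get after unpacking the two tarballs), it reports file churn above the threshold, newly added network capability, newly added native or binary artifacts, and, as one extra signal beyond the list above, a lifecycle script (`preinstall`/`install`/`postinstall`/`prepare`) that was not there before. The `demo-lib` package and both of its versions are constructed; the pattern lists are assumptions and deliberately coarse, since a triage gate should err toward asking for review.

```javascript
// Added example (not from the original post): triage a package update against the
// review triggers above (file churn, new network capability, new native/binary
// dependency) plus one more signal, a newly added install-time lifecycle script.
// Both versions are { relativePath: fileContents } objects; "demo-lib" is constructed.

const CODE_FILE = /\.(?:[cm]?js|ts)$/;
// Coarse, assumed patterns: loading a Node networking module or using a browser/fetch API.
const NETWORK_PATTERNS = [
  /\brequire\(\s*["'](?:node:)?(?:http|https|net|dgram|tls|dns)["']\s*\)/,
  /\bfrom\s+["'](?:node:)?(?:http|https|net|dgram|tls|dns)["']/,
  /\bfetch\s*\(/,
  /\bXMLHttpRequest\b/,
  /\bnew\s+WebSocket\s*\(/,
];
const NATIVE_PATTERNS = [/\.node$/i, /(?:^|\/)binding\.gyp$/, /\.(?:wasm|so|dll|dylib)$/i];
const LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall", "prepare"];

function usesNetwork(files) {
  return Object.entries(files).some(
    ([path, text]) => CODE_FILE.test(path) && NETWORK_PATTERNS.some((re) => re.test(text))
  );
}

function hasNative(files) {
  return Object.keys(files).some((path) => NATIVE_PATTERNS.some((re) => re.test(path)));
}

// Lifecycle scripts declared in the package's own package.json (npm runs these on install).
function installScripts(files) {
  let manifest;
  try { manifest = JSON.parse(files["package.json"] ?? "{}"); } catch (e) { return []; }
  return LIFECYCLE_SCRIPTS.filter((s) => typeof manifest.scripts?.[s] === "string");
}

function reviewTriggers(oldFiles, newFiles, fileChangeThreshold = 10) {
  const allPaths = new Set([...Object.keys(oldFiles), ...Object.keys(newFiles)]);
  const changedFiles = [...allPaths].filter((p) => oldFiles[p] !== newFiles[p]).sort();
  const triggers = [];
  if (changedFiles.length > fileChangeThreshold) {
    triggers.push(`${changedFiles.length} files changed (threshold ${fileChangeThreshold})`);
  }
  if (!usesNetwork(oldFiles) && usesNetwork(newFiles)) triggers.push("network capability added");
  if (!hasNative(oldFiles) && hasNative(newFiles)) triggers.push("native/binary dependency added");
  const before = installScripts(oldFiles);
  const added = installScripts(newFiles).filter((s) => !before.includes(s));
  if (added.length) triggers.push(`lifecycle script added: ${added.join(", ")}`);
  return { changedFiles, triggers, needsHumanReview: triggers.length > 0 };
}

// Constructed: demo-lib 1.2.0 is a pure function; 1.2.1 grows a postinstall hook, a file
// that loads the https module, and eleven new chunks.
const OLD_VERSION = {
  "package.json": JSON.stringify({ name: "demo-lib", version: "1.2.0", main: "index.js" }),
  "index.js": "module.exports = (a, b) => a + b;\n",
  "README.md": "# demo-lib\n",
};
const NEW_VERSION = {
  ...OLD_VERSION,
  "package.json": JSON.stringify({ name: "demo-lib", version: "1.2.1", main: "index.js", scripts: { postinstall: "node setup.js" } }),
  "setup.js": "const https = require('https'); // placeholder: the import alone is the signal\n",
};
for (let i = 0; i < 11; i++) NEW_VERSION[`lib/chunk-${i}.js`] = `module.exports = ${i};\n`;

const verdict = reviewTriggers(OLD_VERSION, NEW_VERSION);
console.log(verdict.needsHumanReview ? "HOLD for human review:" : "no review triggers");
for (const t of verdict.triggers) console.log("  -", t);
```

The gate is intentionally one-directional: it only fires when a capability appears that the previous version lacked, so a package that has always made network requests does not generate noise on every release, while a formerly offline utility that suddenly needs `https` or a postinstall hook does.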
Lock Down Publishing Infrastructure
If you maintain npm packages:
- Enable 2FA on both npm and GitHub (this is now mandatory for many but worth verifying)
- Use npm’s OIDC trusted publishing instead of long-lived tokens where possible
- Review your GitHub Actions workflows for pull_request_target misconfigurations (a related vector used in the May 11 TanStack compromise)
- Set up branch protection requiring code review for any release-triggering changes
Monitor Maintainer Behavior
Organizations consuming open-source should track behavioral signals:
- Sudden large changes from historically quiet maintainers
- New publish keys or OIDC bindings on established packages
- Version bumps that skip changelog entries or lack tagged releases
Tools like OpenSSF Scorecard can help automate this monitoring, though they won’t catch everything.
Consider Registry Proxies with Caching Policies
For large organizations, a private registry proxy with immutable caching policies provides a critical buffer. If you cache every dependency at install time and require explicit review to update cached versions, you eliminate the window where a compromised upstream package can reach your build farm instantly.
For related reading on how AI coding assistants can themselves become supply-chain vectors, see our coverage of the TrapDoor attack on npm packages.
Conclusion: Rebuilding Trust in the Open-Source Supply Chain
The Mini Shai-Hulud campaign, as researchers have dubbed it, marks an inflection point in how we think about software supply-chain security. For years, the community chased better signatures, stronger provenance, and more rigorous CI/CD isolation. Those investments were worthwhile, but this attack proves they are insufficient against the threat model of a compromised insider with legitimate credentials.
The broader lesson is uncomfortable: implicit trust in registries is no longer viable. We treated provenance attestations, valid certificates, and established maintainer accounts as proxies for safety, and all three failed simultaneously under conditions that weren’t even particularly exotic.
Rebuilding trust will require changes at every level. Registry operators need registry-level anomaly detection that flags behavioral shifts rather than just signature mismatches. Package maintainers need mandatory code-review for publishes, even from repository owners. And developers need to internalize a mindset where npm install is treated as executing arbitrary code from the internet — because, as May 19 demonstrated, that’s exactly what it is.
Final Hardening Checklist
- [ ] Audit your lockfile for @antv, @lint-md, @openclaw-cn, and @starmind packages
- [ ] Pin exact dependency versions in production package.json files
- [ ] Replace npm install with npm ci in all CI/CD pipelines
- [ ] Enable 2FA on npm, GitHub, and any related publishing accounts
- [ ] Review GitHub Actions workflows for pull_request_target and cache-poisoning risks
- [ ] Integrate behavioral dependency scanning (Socket, Snyk, or equivalent)
- [ ] Consider a private registry proxy with explicit version-approval workflows
- [ ] Rotate any CI/CD or cloud credentials that may have been exposed since mid-May 2026
The next major supply chain attack is already being planned somewhere. The question is whether we’ll have rebuilt our defenses in time to stop it.
References and further reading
- npm official documentation — npm audit
- Socket.dev
- Snyk
- Phoenix Security
- Endor Labs
- npm — OIDC trusted publishing
- Sigstore
- OpenSSF Scorecard
- GitHub
- Microsoft Security Response Center
- Cloud Security Alliance
Explore the broader series on securing open-source dependencies and registry trust in our coverage of the vibe coding security crisis.