Top 5 · 2026-05-13 · source-backed
The Largest npm Worm of 2026 Carries Valid Supply Chain Attestations. That's the Real Problem.
Story
The supply chain verification system you trust just got bypassed by a worm that carries valid provenance attestations.
On May 11, an attacker group called TeamPCP launched Mini Shai-Hulud, compromising 172 npm and PyPI packages across 403 malicious versions totaling 518 million cumulative downloads. TanStack was among the victims. The 2.3MB obfuscated payload harvested AWS, GCP, Kubernetes, and GitHub credentials from every developer who installed the compromised versions.
The attack chained three GitHub Actions vulnerabilities that, individually, seem manageable. Together, they're devastating. First, pull_request_target misconfiguration let attacker code execute in the context of the target repo. Second, cross-fork cache poisoning let malicious payloads persist in the GitHub Actions cache across the fork-to-base boundary. Third, OIDC token extraction from runner memory gave the attacker credentials needed to publish packages with valid SLSA Build Level 3 attestations.
That last part is what should keep you up at night. SLSA Build Level 3 is supposed to be the gold standard for supply chain integrity. It means the package was built by an authorized CI system with auditable provenance. These compromised packages passed that check because the attacker was running inside the legitimate CI system. The attestations weren't forged. They were genuinely produced by compromised infrastructure.
OpenAI disclosed that two employee devices lacked updated configurations to prevent malware download from the affected packages. They're revoking signing certificates by June 12, after which older macOS OpenAI apps will be blocked.
We solved this problem in package management years ago with lockfiles, signatures, and scanning. But the worm just proved that provenance attestations can be weaponized if the build system itself is the attack vector. npm's OIDC trusted-publisher has no per-publish review gate. Any workflow code path can mint tokens.
Three immediate actions: pin all GitHub Action refs to full commit SHAs (not tags), never run pull_request_target workflows that check out PR code, and treat the GitHub Actions cache as untrusted input. If your CI/CD uses any of the three patterns the worm exploited, you're vulnerable right now.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / Earlier coverage
CISA Confirms: Your AI Security Scanner Got Backdoored. Federal Deadline Is April 8.
Both cover AWS, GCP, GitHub Action, GitHub Actions; overlapping topics (action, attack, attacker, chain, code); earlier AWS coverage from 2026-03-28.
The Security Scanner Was the Attack Vector. 10,000 CI/CD Workflows Compromised.
Both cover AWS, GCP, GitHub, GitHub Action; overlapping topics (action, attack, attacker, chain); earlier AWS coverage from 2026-03-27.
North Korea Backdoored Axios. 100 Million Weekly Downloads, 3 Hours of Exposure, and a RAT on Every Platform.
Both cover GitHub, GitHub Actions, OIDC, PyPI; overlapping topics (action, attack, chain, supply); earlier GitHub coverage from 2026-04-02.
Shared entities / Shared topic / What happened next / Tension
Self-replicating "Miasma" malware hit 70+ Microsoft open-source repos, stealing credentials the instant a repo opens in an AI tool.
Both cover GitHub, Hulud, Mini Shai, TeamPCP; overlapping topics (attack, attacker, code); picks up the GitHub thread on 2026-06-09.
Shared entities / Shared topic / Earlier coverage
LiteLLM Got Backdoored. The Attack Vector? Their Own Security Scanner.
Both cover AWS, GCP, Kubernetes, PyPI; overlapping topics (action, attack); earlier AWS coverage from 2026-03-24.
Shared entities / Shared topic / What happened next
Claude Code 2.1.187 ships sandbox credential blocking, the day after WIF.
Both cover GCP, GitHub Actions, Kubernetes, OIDC; overlapping topics (action, attack, code); picks up the GCP thread on 2026-06-24.
Shared entities / Shared topic / Earlier coverage
TeamPCP Goes Multi-Ecosystem: CanisterWorm Hits npm, LAPSUS$ Collaboration Surfaces, and a Bug in the Attacker's Own Code Was the Only Thing That Caught It
Both cover GitHub Actions, PyPI, TeamPCP; overlapping topics (action, attack, attacker, code, compromised); earlier GitHub Actions coverage from 2026-03-25.
Mercor Confirms 4TB Breach via LiteLLM Supply Chain Attack. If You Use LiteLLM, Check Your Versions Now.
Both cover GitHub Actions, PyPI; overlapping topics (action, attack, attacker, chain, check); earlier GitHub Actions coverage from 2026-04-01.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — May 13, 2026
- AI generated
- no
- Story unit
- 2026-05-13-the-largest-npm-worm-of-2026-carries-valid-supply-chain-attestations-that-s-the-real-problem
- Labels
- source-backed, canonical briefing excerpt