Matthew Aberham

The Developer Toolchain Is Now the Primary Attack Surface

SecuritySupply ChainDeveloper Tools

Rust-covered chain and padlock

May 24, 2026 | Sources: OX Security, StepSecurity, Hudson Rock analysis, npm v11.10.0 release notes

Security disclosure: Four coordinated supply chain attacks exploiting IDE extensions, CI caches, and agent plugin trust relationships within a two-week window.

Between May 11 and May 24, four distinct attack campaigns hit the developer tooling layer simultaneously: IDE extensions, CI caches, agent plugins, and the trust relationships between them.

Shai-Hulud (May 12-19) propagated across 170+ npm packages with 518M cumulative downloads, exploiting GitHub Actions OIDC (OpenID Connect) tokens extracted from runner process memory to mint publish tokens. It installed persistence hooks in Claude Code and VS Code configurations. CVE-2026-45321, CVSS (Common Vulnerability Scoring System) 9.6. The Nx Console breach (May 20) compromised a VS Code extension for monorepo tooling, leading to exfiltration of 3,800 GitHub internal repositories. GitHub was breached through its own extension marketplace. Megalodon (May 22) poisoned 5,561 repositories via throwaway accounts with forged CI bot identities, harvesting AWS/GCP/Azure credentials, SSH keys, and .env files from malicious GitHub Actions workflows. Hudson Rock, a cybercrime intelligence firm, found that 33% of affected usernames matched machines with prior infostealer infections. Grafana (May 20) discovered it had missed one workflow token during its Shai-Hulud remediation; attackers used it to download private source code and business information.

The Attack Chain

npm audit, lockfiles, Snyk scans, SLSA attestations: a decade of investment in securing package registries. Those defenses still matter, but the attack surface moved underneath them. An infostealer compromises a developer machine, yielding GitHub credentials. Those credentials create malicious workflows. The workflows harvest CI/CD secrets and OIDC tokens. The tokens mint publish credentials. More packages get poisoned. The malware installs persistence in coding agents and IDE extensions, which survive package removal entirely.

Each link in that chain targets a trust relationship between developer tools. A third of Megalodon's victims already had infostealer infections on their machines, meaning the same machines were hit twice through different vectors. The Nx Console breach demonstrated that marketplace extensions are a viable lateral movement path into internal repositories. Grafana rotated every token during remediation except one; attackers used that single surviving credential to download private source code.

npm responded on May 23 by requiring "Proof of Presence" two-factor authentication on all package publishes. Previously, a long-lived token was sufficient; no human confirmation was required. Every automated CI/CD publish pipeline that uses npm tokens now needs to be rearchitected. That is the correct response, and it will be painful.

Why This Matters for Developers

These four campaigns exploit the same structural weakness: developer tooling components trust each other implicitly, and compromising any one grants lateral movement to the rest.

Audit your IDE extensions. The Nx Console breach demonstrated that marketplace extensions are a viable entry point for exfiltrating internal repositories. Review installed extensions against actual need; remove anything you are not actively using.

Check for agent persistence hooks. Shai-Hulud plants SessionStart hooks in .claude/settings.json and modifies VS Code settings. These survive npm audit, git clean, and dependency removal. Inspect those files manually.

Treat CI/CD token rotation as incomplete until verified. Enumerate every token your workflows use, including the ones generated by OIDC exchanges during builds, and confirm each one is invalidated.

Prepare for npm's Proof of Presence requirement. If your team publishes packages from CI/CD, your publish pipeline is about to break. Audit which packages you publish, how they authenticate, and what the new flow will require.

Assume infostealer-to-supply-chain is a standard attack path now. If a developer machine is compromised by an infostealer, treat every credential on that machine as a potential entry point into your CI/CD infrastructure and downstream packages.

The next question is whether GitHub's extension marketplace and Actions ecosystem get the same treatment npm just applied. If Proof of Presence becomes the norm across registries and marketplaces, every team's automated publishing infrastructure needs to be redesigned around human-in-the-loop approval for irreversible operations.

Read More

Your Security Scanner Got Hacked: The TeamPCP Supply Chain Attack

A single threat actor compromised Trivy, Checkmarx, and LiteLLM in one week. Two of the three targets were security scanners. Here's what happened and what to do about it.

SecurityDeveloper Tools

AI-Generated Code Pins Vulnerable Dependencies 55% of the Time

LLMs default to library versions that appeared most in training data. Those versions carry known CVEs up to 55.7% of the time, and the bias is structural.

SecurityAI

The Shai-Hulud Worm Is Now Open Source, and npm's Security Model Has No Good Answer

A supply chain worm hit 172 packages with 518M downloads, then its creators open-sourced the code. The npm trust model is structurally unprepared.

SecuritySupply Chain