In 2026, the trust mechanisms we built to protect the software supply chain — SLSA provenance, code signing, CI/CD — became the attack vectors. At Tech86, we watched this inversion unfold in real time: every new security pattern the industry adopted was absorbed as attack surface. The result was a chain of compromises that within weeks hit OpenAI, Mistral AI, Grafana Labs, Microsoft, and GitHub itself.
The year provenance fooled everyone
On May 11, 2026, Mini Shai-Hulud published 84 malicious versions across 42 @tanstack/* packages in 6 minutes. All with valid digital signatures. All with SLSA Build Level 3 provenance. CVE-2026-45321 received CVSS 9.6 — and the most alarming part is that the trust infrastructure worked exactly as designed.
The attacker chained three known vulnerabilities: a pull_request_target that executed external fork code with access to the base repository's CI, cross-boundary cache poisoning that contaminated the pnpm store under the exact key the release workflow would use, and OIDC token extraction from runner memory via /proc/PID/mem dump. The official publish step never ran — the malicious publication had already happened using the legitimate token.
Sigstore, Fulcio CA, and Rekor log confirmed everything. The SLSA attestation correctly records that the package was published by release.yml@refs/heads/main in TanStack/router. What it does not encode is which workflow step ran npm publish. Provenance is not security. It is provenance. The package came from where it claims, but what was inside was malware.
The chain nobody saw forming
TanStack was not an isolated incident. It was ground zero. Within hours, the worm self-propagated to 170+ packages across 19 namespaces including Mistral AI SDK, UiPath, OpenSearch, and Guardrails AI. Using credentials stolen from an Nx Console maintainer, TeamPCP published version 18.95.0 of the Nx Console extension on the VS Code Marketplace. Exposure window: 18 minutes. Official downloads: 28.
One of the devs with auto-update enabled worked at GitHub. Using the stolen tokens, the attacker enumerated and cloned 3,800 internal repositories. Proprietary code. Deploy scripts. Infrastructure configs. Internal API schemas. GitHub confirmed: "The attacker's current claims of ~3,800 repositories are directionally consistent with our investigation." The data was listed on the Breached forum for 50K, then 95K with a supposed Lapsus$ partnership.
The same chain took down Grafana. They rotated tokens en masse but missed one. Their CISO confirmed: "A missed token led to the attackers gaining access to our GitHub repositories." Private codebase stolen. Ransom demanded. Grafana refused, citing FBI. Microsoft was hit the same day — durabletask, an official SDK with 417K monthly downloads. Nine days, five top-tier companies, one chain.
When the tools that read code become the attack
The attack surface shifted fundamentally. It is no longer just the code. It is the tools that read the code. The 2026 malware writes persistence in two places: .claude/settings.json via Claude Code's SessionStart hook, and .vscode/tasks.json via the folderOpen directive. Every time a developer opens the repository, the malware executes. No prompt. No approval.
Commits are authored as [email protected] with the message "chore: update dependencies" — indistinguishable from normal AI activity. Uninstalling the module does not remove the malware. It persists in IDE and AI agent configurations. Anyone who clones the repository inherits the infection. In the Nx Console case, the attacker installed gh-token-monitor via systemd/launchctl that monitors the token every 60 seconds. If it detects revocation, it triggers recursive file deletion. Remediation order matters: remove persistence BEFORE revoking tokens. Reversing the order is catastrophic.
The worm self-propagates across ecosystems. NPM token with publish permission? The malware enumerates the victim's packages, injects the payload, republishes with an incremented version. PyPI credentials in the environment? It jumps to Python. This is the first documented worm that crosses from NPM to PyPI. On CI runners, it reads /proc/
The attack that never touches source code
On May 22, Laravel Lang — a localization package with 7,800 stars — had all 502 of its tags rewritten to point to commits in attacker-controlled forks. ~700 poisoned versions. The code executed on every PHP request without anyone noticing. Root cause: a PAT from an organization member, likely from the GitHub leak — the same incident that exposed 3,800 internal repos via Nx Console.
The technique is elegant and hard to detect. The attacker never modified the official source code. No commits to the legitimate repository. They exploited a GitHub feature: tags can point to commits in forks, and Packagist resolves these tags as legitimate releases. composer install downloaded code from the fork. It looked legitimate. It was not.
The payload uses Composer's autoload.files — every file in this list runs on every PHP request. Commands, workers, queues, cron — everything executes helpers.php. The C2 domain is constructed at runtime via array_map('chr', [...]) to evade static scanners. The stealer has ~5,900 lines of PHP, 15 modules, and is cross-platform. It steals cloud keys via metadata 169.254.169.254, Kubernetes kubeconfig, Vault tokens, SSH keys, .env files, docker-compose.yml, secrets.yaml, browser data, password managers, crypto wallets. On Windows, DebugChromium.exe steals App-Bound Encryption keys from Chrome/Brave/Edge. Everything encrypted with AES-256 and exfiltrated. Self-deletes afterward.
Pipelines: the new scale target
On May 18, Megalodon compromised 5,561 GitHub repositories with 5,718 malicious commits in 6 hours. No application code was modified. The target was exclusively the CI/CD layer — the workflows that run inside each repo.
Compromised credentials — 33% of usernames found in infostealer logs — to push direct commits via PAT. Forged identities: build-bot, ci-bot, auto-ci with emails like [email protected]. Commit message: "ci: add build optimization step". Content: YAML in .github/workflows/. No PR. Direct push to master.
Two variants. SysDiag: mass execution with trigger on push + pull_request_target, which runs with base repo secrets even when the PR comes from an external fork. Optimize-Build: dormant backdoor that replaces workflows with versions containing workflow_dispatch, activatable via GitHub API. Zero failing builds. Zero suspicious logs. Both request id-token: write — the permission that lets you request OIDC tokens to impersonate identities in AWS, GCP, and Azure without persistent credentials.
The Tiledesk case illustrates the problem: the maintainer published versions 2.18.6–2.18.12 on npm without knowing the repo was compromised. The backdoor was in the CI/CD layer — invisible to code review and scanners that only analyze source code. The attacker never touched the npm account. They compromised the repository. The maintainer published from the poisoned source.
What changes from here
At Tech86, the lesson we take from 2026 is clear: traditional perimeter defense does not reach the supply chain. WAF blocks malicious traffic at the edge, but it does not intercept an npm install that executes code with CI permissions. That is why we combine Perimeter WAF Shielding with pipeline integrity monitoring — because today's attack enters through the pipeline, not through the front door.
SLSA provenance needs to evolve to encode which step executed which action, not just which workflow. CI/CD caches need mandatory segregation between PR jobs and release jobs. OIDC and id-token permissions need explicit restriction per job and per environment. And the industry needs to accept that provenance and security are different problems. As long as we treat origin attestation as a security guarantee, attackers will keep using our own trust infrastructure against us.