Attackers exploit npm trust signals, steal credentials
VentureBeat
Malicious npm packages bypassed security checks by using stolen developer credentials, compromising a critical trust signal. Attackers generated valid signing certificates from compromised accounts, allowing malicious code to pass verification. This vulnerability was exploited in attacks targeting widely used developer tools, leading to the theft of sensitive information like AWS keys, GitHub tokens, and 1Password vault contents. Researchers identified seven critical attack surfaces in developer tools that are currently not comprehensively audited by any single vendor, highlighting a significant gap in the security of the AI coding tool ecosystem.
Tags
security
ai
supply chain
Original Source
VentureBeat — venturebeat.com