Valid certificates, stolen accounts: how attackers broke npm's last trust signal
Source: Venturebeat
Published:
On May 19, 633 malicious npm package versions passed Sigstore provenance verification. They were cleared by the system because the attacker had generated valid signing certificates from a compromised maintainer account.

Sigstore worked exactly as designed: it verified the package was buil
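The point above, that a cryptographically valid attestation says nothing about whether the signer should have been publishing at all, is why a verifier needs a policy layer on top of the signature check. The block below is an added example, not code from the article, npm or Sigstore: it takes an already signature-verified, SLSA v1-style provenance predicate (a constructed sample; the repository, workflow path and builder id are hypothetical) and checks its identity fields against a pinned expectation. Such a policy only narrows what a valid signature is allowed to claim; it does not by itself detect a legitimate workflow driven by a compromised account.

```python
from dataclasses import dataclass

# Constructed SLSA v1-style provenance predicate, assumed already signature-verified.
# Repository, ref, workflow path and builder id are hypothetical sample values.
SAMPLE_PROVENANCE = {
    "buildDefinition": {
        "externalParameters": {
            "workflow": {
                "repository": "https://github.com/example-org/example-pkg",
                "ref": "refs/tags/v1.4.2",
                "path": ".github/workflows/publish.yml",
            }
        }
    },
    "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
}


@dataclass(frozen=True)
class Expectation:
    """What a valid attestation for this package is allowed to say about itself."""
    repository: str
    workflow_path: str
    builder_id: str
    ref_prefix: str = "refs/tags/"   # releases must be built from a tag, not a branch


def check_provenance_policy(predicate: dict, expected: Expectation) -> list[str]:
    """Return policy violations for a signature-valid predicate; empty list means accept."""
    wf = predicate.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    problems = []
    if wf.get("repository") != expected.repository:
        problems.append(f"unexpected source repository: {wf.get('repository')!r}")
    if wf.get("path") != expected.workflow_path:
        problems.append(f"unexpected workflow file: {wf.get('path')!r}")
    if builder != expected.builder_id:
        problems.append(f"unexpected builder: {builder!r}")
    if not str(wf.get("ref", "")).startswith(expected.ref_prefix):
        problems.append(f"build did not run from a release tag: {wf.get('ref')!r}")
    return problems


EXPECTED = Expectation(
    repository="https://github.com/example-org/example-pkg",
    workflow_path=".github/workflows/publish.yml",
    builder_id="https://github.com/actions/runner/github-hosted",
)

if __name__ == "__main__":
    print(check_provenance_policy(SAMPLE_PROVENANCE, EXPECTED))  # [] -> accepted
```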