Valid certificates, stolen accounts: how attackers broke npm’s last trust signal
via endorlabs.com
Short excerpt below. Read at the original source.
On May 19, 633 malicious npm package versions passed Sigstore provenance verification. They were cleared by the system because the attacker had generated valid signing certificates from a compromised maintainer account. Sigstore worked exactly as designed: it verified the package was built in a CI environment, confirmed a valid certificate was issued, and recorded everything […]