July 15, 2026
A Worm Just Forged a Valid Security Attestation.
On June 4, 2026, the UK National Cyber Security Centre published guidance instructing organizations to stop automatically adopting new…

By ActiveState
6 min read
A Worm Just Forged a Valid Security Attestation. Here's What That Means for Your Compliance Program.
On June 4, 2026, the UK National Cyber Security Centre published guidance instructing organizations to stop automatically adopting new dependency versions and to review every update before it enters production. The advice landed weeks after attackers demonstrated exactly why it matters: a worm known as Mini Shai-Hulud hijacked a legitimate continuous integration and continuous delivery pipeline and published malicious code carrying a fully valid SLSA Build Level 3 provenance attestation. The badge your security team was told means "trust this" was sitting on the malicious package. For security leaders who built a governance model around scanning and provenance checks, that is not a footnote. It is the argument.
TL;DR / Key Takeaways
- The UK National Cyber Security Centre's June 4, 2026 guidance tells organizations to review dependency updates manually rather than auto-adopting new versions, following a wave of open source software supply chain attacks.
- The Mini Shai-Hulud campaign, active since late April 2026, produced a malicious npm package with a fully valid SLSA Build Level 3 attestation by hijacking a legitimate build pipeline rather than forging the certificate itself.
- Malicious open source package detections rose 73% year over year in 2025.
- The EU Cyber Resilience Act adds a regulatory clock: 24-hour reporting of actively exploited vulnerabilities starts September 11, 2026, and full provenance and SBOM obligations become mandatory December 11, 2027.
- A passed attestation check tells you a pipeline was not tampered with after the fact. It does not tell you the pipeline was not compromised while it ran. Governance has to move to the point of ingestion, not the point of verification.
What the NCSC Actually Told You to Do
The National Cyber Security Centre's guidance is specific, and it is not a suggestion to buy a new scanner. It asks organizations to review how open source dependencies are introduced and updated, to avoid automatically adopting new dependency versions without review, and to find a working balance between deploying patches quickly and updating dependencies slowly enough to catch a compromise before it spreads. It also calls for deployments to run through controlled CI/CD pipelines rather than developer devices, and for credentials used by developer tooling to be stored securely and rotated immediately if exposure is suspected. The guidance builds on the NCSC's Software Security Code of Practice, which asks vendors to treat every third party open source dependency with the same scrutiny as code they write themselves.
That is a meaningful shift in emphasis. Scanning tells you what is already in your environment. This guidance is about what gets into your environment in the first place, and it is arriving at the same moment attackers proved why the distinction matters.
The Attack That Made the Guidance Necessary
Mini Shai-Hulud is not a single incident. It is a campaign, and the way it built over 8 weeks is the reason to trace it rather than compress it into a single bullet point. The threat group known as TeamPCP launched the first wave on April 22, 2026, in a campaign carrying the internal label Shai-Hulud: The Third Coming, a direct successor to the original Shai-Hulud worm that hit the npm registry in September 2025. A second wave began April 29 under the Mini Shai-Hulud name.
The campaign's defining moment came on May 11, when attackers compromised 84 package artifacts across 42 packages in the widely used TanStack namespace. They hijacked a GitHub Actions runner mid-workflow using stolen OIDC tokens and published through TanStack's own legitimate release pipeline, using its trusted identity. The result was the first documented case of a malicious npm package carrying a fully valid SLSA Build Level 3 provenance attestation, the same standard much of the industry, including ActiveState, points to as evidence a component can be trusted.
The campaign did not stop there. On May 19, a compromised maintainer account was used to publish 637 malicious versions across 317 packages in the AntV data visualization ecosystem, affecting components with a combined 16 million weekly downloads. TeamPCP then open sourced the worm's code on May 12, and copycat campaigns using the released toolkit followed within weeks.
Why a Valid Attestation Didn't Mean What You Thought
This is the part worth sitting with. SLSA provenance is designed to answer one question: was this artifact produced by the build process it claims to have come from. It is a real and useful control. It is also, by design, a statement about the pipeline, not about the intent of whoever had access to that pipeline at the time.
When an attacker steals the credentials that let a legitimate pipeline publish, the pipeline still runs as itself and still signs with the same identity. It still produces an attestation that says, accurately, this came from the pipeline you trust. What the attestation cannot say is whether the pipeline was operating under the control of the maintainer or under the control of someone who had stolen their tokens 20 minutes earlier. That is not a flaw in SLSA. It is a limit on what any point-in-time verification can tell you about a process it does not control.
This is the assumption the Mini Shai-Hulud campaign broke: that a passed check is the same thing as governance. It is not. A check confirms an artifact matches a process. Governance decides which processes, which sources, and which components are trusted to enter your environment before that check ever runs.
Two Regulatory Pressures Pointing at the Same Fix
The NCSC's guidance is voluntary. The EU Cyber Resilience Act is not. Companies selling products with digital elements into the EU market must report actively exploited vulnerabilities to ENISA within 24 hours starting September 11, 2026, and by December 11, 2027, must meet the full set of obligations, including security by design, continuous vulnerability management, software bill of materials generation, and conformity assessment. Non-compliance carries fines up to €15 million or 2.5% of a company's total worldwide annual turnover, whichever is higher.
Neither requirement asks you to scan harder. Both ask you to know, with documentation, what is in your environment and where it came from, before an incident forces the question.
Manual Review Doesn't Scale at Machine Speed
The NCSC's advice to review new dependency versions manually is sound. It is also difficult to execute at the volume most organizations are now operating at. AI coding assistants have removed the pause that used to happen naturally, when a developer searched for a package, checked its last commit, and quietly filtered out anything that looked abandoned or off. A suggestion from an AI tool now appears inline and gets accepted in a single keystroke, with no equivalent moment of evaluation. The volume of open source dependencies entering a codebase is growing faster than any team reviewing each one by hand can keep pace with, and that gap only widens as agentic development scales.
Manual review is the right instinct applied at the wrong layer. It needs to happen before ingestion, at scale, continuously, which is a governance function rather than a task a security team can absorb one pull request at a time.
What Governance at the Point of Ingestion Actually Looks Like
ActiveState builds every component in its library of 79 million open source components across 12 language ecosystems directly from source, inside its own SLSA Level 3 build infrastructure. That is a different claim than checking someone else's attestation. ActiveState controls the build. A component only enters the ActiveState Curated Catalog after it clears that process, and when a community-approved fix becomes available, ActiveState rebuilds and redelivers it under contractual remediation SLAs of 5 business days for critical CVEs, 10 for high, and 30 for all others, against an industry average that lags upwards of 50+ days. Developers and AI coding assistants keep pulling packages the way they always have. What changes is where those packages come from before they ever reach a build.
FAQs
What did the UK NCSC actually recommend about open source dependencies?
The NCSC's June 4, 2026 guidance recommends reviewing how dependencies are introduced and updated, avoiding automatic adoption of new dependency versions without review, deploying through controlled CI/CD pipelines rather than developer devices, and securing credentials used by developer tooling. It builds on the voluntary Software Security Code of Practice published by the NCSC and the Department for Science, Innovation and Technology.
How did Mini Shai-Hulud produce a valid SLSA attestation?
Attackers stole OIDC tokens and hijacked a GitHub Actions runner mid-workflow, then published malicious package versions through the legitimate TanStack release pipeline using its own trusted identity. Because the pipeline itself produced the attestation, the certificate was technically accurate even though the packages it certified were malicious.
Does the EU Cyber Resilience Act apply to companies outside the EU?
Yes, if the product with digital elements is placed on the EU market. Manufacturers, importers, and distributors selling into the EU are subject to the CRA's obligations regardless of where the company is headquartered.
If scanning and attestation checks are not enough, what is?
Governance at the point of ingestion: building components from source inside controlled infrastructure before they reach a developer or an AI coding assistant, rather than verifying an artifact after someone else has already built it.
What is the difference between a scanner and a curated catalog?
A scanner finds what is already in your environment and generates a finding. A curated catalog controls what is allowed to enter your environment in the first place, so fewer findings get generated to begin with.