NPM supply-chain attack: 633 malicious packages with valid signatures
May 23, 2026
A supply-chain attack dubbed Mini Shai-Hulud pushed 633 malicious npm packages signed with valid Sigstore credentials from a compromised maintainer account, hitting roughly 6,000 machines via the Nx Console auto-update path and exfiltrating Claude Code configs and AWS keys. Because the signatures were genuinely valid, standard integrity checks passed the packages; in practice this undermines Sigstore's trust model, since a signature attests to the signing identity, not to that identity still being in the right hands. AI developers using Nx toolchains should audit credentials immediately.
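The defender's takeaway from the paragraph above is that "signature valid" is a necessary but not a sufficient check: the verifier must also pin which identity, OIDC issuer and source repository are allowed to publish a given package. The script below is an added illustration, not code from the newsletter, from Sigstore or from npm; it models that policy step over constructed attestation records whose field names (signer_identity, oidc_issuer, source_repo) are assumptions shaped loosely after the identity fields of a provenance statement, and the package and organisation names are placeholders.

```python
"""Policy check over npm package provenance identities (added example).

A package can carry a cryptographically valid Sigstore signature and still be
malicious when the signing identity itself is compromised. A signature proves
*who* signed; the defender's check must also pin *which* identity may publish.
All records below are CONSTRUCTED sample data; field names are assumptions,
not the real Sigstore bundle schema.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Attestation:
    package: str
    version: str
    signature_valid: bool   # outcome of the cryptographic verification step
    signer_identity: str    # identity bound in the signing certificate
    oidc_issuer: str        # identity provider that vouched for the signer
    source_repo: str        # repository named in the build provenance


@dataclass(frozen=True)
class PublishPolicy:
    """What a trusted release of one package must look like."""
    expected_identity: str
    expected_issuer: str
    expected_repo: str


def evaluate(att: Attestation, policy: PublishPolicy) -> list[str]:
    """Return findings for one attestation; an empty list means acceptable."""
    findings: list[str] = []
    if not att.signature_valid:
        # Identity fields are meaningless if the signature does not verify.
        return ["signature invalid"]
    if att.oidc_issuer != policy.expected_issuer:
        findings.append(f"unexpected OIDC issuer: {att.oidc_issuer}")
    if att.signer_identity != policy.expected_identity:
        findings.append(f"unexpected signer identity: {att.signer_identity}")
    if att.source_repo != policy.expected_repo:
        findings.append(f"provenance names a foreign repo: {att.source_repo}")
    return findings


def audit(atts: list[Attestation], policies: dict[str, PublishPolicy]) -> dict[str, list[str]]:
    """Evaluate every attestation; packages without a policy are flagged too."""
    report: dict[str, list[str]] = {}
    for att in atts:
        key = f"{att.package}@{att.version}"
        policy = policies.get(att.package)
        if policy is None:
            report[key] = ["no publish policy defined for this package"]
        else:
            report[key] = evaluate(att, policy)
    return report


# Constructed policy: releases of example-cli must come from its CI workflow.
POLICY = PublishPolicy(
    expected_identity="https://github.com/example-org/example-cli/.github/workflows/release.yml@refs/heads/main",
    expected_issuer="https://token.actions.githubusercontent.com",
    expected_repo="github.com/example-org/example-cli",
)

# Constructed: a normal CI-built release.
GOOD_RELEASE = Attestation(
    package="example-cli", version="4.2.0", signature_valid=True,
    signer_identity=POLICY.expected_identity,
    oidc_issuer=POLICY.expected_issuer,
    source_repo=POLICY.expected_repo,
)

# Constructed: validly signed, but by a maintainer's personal identity from a
# different issuer and a repo the policy never approved. Signature check alone
# would accept this; the policy check does not.
COMPROMISED_RELEASE = Attestation(
    package="example-cli", version="4.2.1", signature_valid=True,
    signer_identity="maintainer@example.com",
    oidc_issuer="https://accounts.example.com",
    source_repo="github.com/attacker-fork/example-cli",
)


if __name__ == "__main__":
    for pkg, findings in audit([GOOD_RELEASE, COMPROMISED_RELEASE], {"example-cli": POLICY}).items():
        print(pkg, "OK" if not findings else findings)
```

The design point is the ordering: the cryptographic check gates the identity checks, and only a release that passes both is accepted. Bolting this policy layer onto whatever signature verifier is already in use (for npm, the provenance data in the registry's attestation bundle) turns "signed" into "signed by the identity we expect, from the repository we expect", which is the property the incident above shows is missing when a maintainer account is compromised.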