The timeline
On May 11, 2026, a malicious version of a routine JavaScript package shipped to npm. The build pipeline that produced it had been compromised, not the maintainer. The package carried a valid attestation. Established scanners returned green. Within hours it had self-propagated to 170+ downstream packages, exfiltrating AWS credentials, GitHub tokens, and npm publish keys from affected machines before the established defenses caught up.
[draft - full content pending - this section will walk hour-by-hour through the propagation, the IOCs that landed in scanner feeds, and the specific patterns that distinguished the malicious version from legitimate prior releases by the same maintainer.]
What an install-time gate would have done
Divergence scoring is the part of Supply Chain Guard's architecture designed for exactly this class. Rather than asking "is this package known-bad" (the scanner question), it asks "does this version diverge from prior versions by the same maintainer in patterns that match attack signatures?" New egress endpoints, new post-install hooks, new credential reads - those are the signals available at install time.
[draft - full content pending - this section will reconstruct the divergence vector for the actual worm version, show the score against the configured threshold, and walk through what the receipt body would have looked like.]
What a verified-publisher gate would have done
The other half of the SCG architecture is publisher-side: wrap npm publishso every release requires out-of-band approval. A stolen token alone is not enough. The diff hits the maintainer's phone or Slack, with the divergence score and the publish target. Approve, deny, or let it time out.
[draft - full content pending - this section will detail the HITL prompt payload, the timeout semantics, and the receipt schema for an approved publish vs a denied or expired one.]
Cross-references: Supply Chain Guard · vs Socket / Snyk / Aikido · founder's essay (Mini Shai-Hulud context)