a11oy · A Signature Is Not Proof of Safety

SZL Holdings thought leadership · What the May 2026 “Mini Shai-Hulud” npm worm taught us — and why a11oy is built for a world where the cryptography is genuine but the code is not. Every maturity claim labelled LIVE / ROADMAP; live claims wired to real a11oy endpoints (honest NO-LIVE-DATA fallback).
SZL Holdings · Thought Leadership · June 2026
A signature is not proof of safety.
The cryptography was genuine. The package was malicious anyway.

On May 11, 2026, a piece of malware did something the software industry had quietly assumed was impossible: it shipped with a valid, cryptographically signed SLSA Build Level 3 provenance attestation. The signature checked out. The provenance was genuine. The package was malicious anyway.

Stephen P. Lutar Jr., Founder & CEO, SZL Holdings · a-11-oy.com

1 · What happened

Mini Shai-Hulud — a signed supply-chain worm

Between May 10 and 12, 2026 — with the main publishing burst compressed into roughly five hours on May 11 — the threat group TeamPCP compromised more than 170 packages across the npm and PyPI ecosystems, publishing over 400 malicious versions spanning 19 namespaces. Affected projects had accumulated more than half a billion cumulative downloads. It is the first documented npm worm to propagate while carrying legitimately attested malicious packages.

The entry point was an orphaned CI/CD trust configuration in TanStack’s GitHub Actions workflows — a pull_request_target workflow that retained OIDC federation despite no longer being actively maintained. The attacker read short-lived OIDC tokens directly out of the GitHub Actions runner’s process memory (/proc/<pid>/mem), then exchanged those tokens with the Sigstore Fulcio certificate authority to mint legitimate signing certificates. From there: stolen OIDC token → short-lived npm publish token → malicious versions released under the real maintainer identity, with valid provenance describing the exact GitHub Actions job that produced them.

Nothing in the cryptographic chain failed. Sigstore did exactly what it is designed to do: it verified the identity of the token presenter. What it cannot do — what no signature can do — is verify that the build environment had not been compromised, or that the code executing inside that legitimate, identity-verified job was safe.

The provenance was accurate. It correctly described a build that produced malware. Phase 2 of the campaign reportedly reached infrastructure at OpenAI, Grafana, and GitHub itself.

The attack did not break the signature. It exploited the gap between identity verification and behavioural integrity. The signature told you who built it. It told you nothing about what it does.
2 · Why it matters

The signature-trust fallacy

A cryptographic signature answers two questions with mathematical confidence: who signed this, and what exact bytes were signed. It answers a third question — is the signed thing safe? — not at all. The industry has spent a decade conflating the first two with the third.

What a signature provesWhat it does NOT proveMini Shai-Hulud reality
Identity of the signer (the OIDC subject) That the signer’s environment was uncompromised OIDC tokens stolen from runner memory; identity genuine
The exact bytes that were signed That those bytes are safe to execute Provenance accurately described a malicious build
That a recognized pipeline produced the artifact That the pipeline behaved as intended Legitimate GitHub Actions job produced malware

SLSA and Sigstore are good. They are necessary but not sufficient. When a control becomes a checkbox — “signed: yes” — it stops being a security boundary and becomes a false sense of one.

3 · The lesson

Doctrine v11 — Signature ≠ Safety

“A signature is not proof of safety.” Trust the behaviour you can observe and the receipts you can replay — not the attestation you were handed.

The corollary is a posture we call behaviour-over-attestation. An attestation is a claim made at build time about the past. Behaviour is evidence gathered at runtime about the present. When the two disagree, behaviour wins. The rest of our doctrine follows from this: prove-or-downgrade (claim only what has a checkable artifact), label every value MEASURED MODELED SAMPLE, and never present an attestation as a guarantee. We do not claim a11oy is unbreakable. We claim it stops trusting the signature alone.

4 · How a11oy is architected for exactly this

Five mechanisms — each labelled LIVE-today vs ROADMAP

Below are the five mechanisms that make a11oy a structural answer to a Mini Shai-Hulud-class attack. We are explicit throughout about what is live today versus what is roadmap. The credibility comes from the honesty. Where a mechanism can be proven right now, the card binds to a real a11oy production endpoint below.

4.1LIVE — GAP1

Artifact-behaviour monitor

Observe what an artifact actually does at runtime and compare it against an expected behavioural envelope. A signature would have passed Mini Shai-Hulud straight through; a behaviour monitor asks the question the signature cannot — does this thing act the way a safe version of it should? Deny-by-default applied to behaviour, not identity.
Today: live as the GAP1 capability, backed by a certified live PINN (physics-informed) certificate from production APIs. Roadmap: broader behavioural-envelope catalogue per artifact class / ecosystem (npm, PyPI, container, model).
checking…PINN certificate
4.2LIVE

3-axis attestation

Single-axis attestation is the exact weakness Mini Shai-Hulud exploited: a valid build attestation, and nothing binding it to runtime behaviour. a11oy’s assurance mesh binds three axes — build provenance · model lineage · runtime behaviour — so compromise of any one axis does not silently pass the others. A genuine build signature riding on a malicious runtime fails the cross-axis check.
Today: 3-axis model + DSSE-signed verdicts/receipts in the live mesh. Roadmap: deeper third-party STIX/TAXII threat-intel correlation into the model + runtime axes.
checking…Compliance crosswalk
4.3LIVE

Hash-chained Forge ledger + kill switch

Every verdict is written to a hash-chained, offline-verifiable governance ledger (the Forge ledger), so any action is replayable after the fact and any decision is revocable through the kill switch. In a Mini Shai-Hulud scenario this is the difference between “we think we contained it” and “we can prove, line by line, what was admitted, when, and on what evidence — and revoke it now.”
Today: hash-chained ledger + kill switch live, with signed receipts (including MEASURED energy receipts via a real NVML exporter, kept distinct from any modeled figure). Roadmap: publishing ledger inclusion proofs to an external transparency service (§5).
4.4LIVE

Hybrid Ed25519 + ML-DSA & C2PA

We do not deprecate signing — we harden it and stop over-trusting it. a11oy signs with a hybrid Ed25519 + ML-DSA scheme so verdicts remain verifiable in a post-quantum world, and attaches C2PA content credentials so the provenance of generated content is transparent. This anticipates EU AI Act Article 50 transparency obligations.
Today: hybrid signing + C2PA implemented, alongside a NIST AI RMF / ISO 42001 / EU AI Act compliance crosswalk. Roadmap: third-party attestation of the crosswalk mapping ahead of enforcement.
4.5ROADMAP

SCITT-style independent transparency

The deepest lesson of Mini Shai-Hulud is that self-attestation is not enough: the build attested honestly to its own malicious output. Independent, append-only transparency ledgers — as standardized by IETF SCITT — let third parties verify receipts without trusting the producer.
Today: internal hash-chained ledger (4.3) is live and offline-verifiable. Roadmap: external SCITT-style transparency service with third-party inclusion proofs — we label this honestly as not-yet-live.
5 · The broader shift

From self-attestation to independent, behavioural assurance

EU AI Act · Article 50

Transparency obligations for AI-generated content take effect August 2, 2026. a11oy’s C2PA content credentials and hybrid signing (4.4) are built toward exactly this — provenance of generated content, transparent and verifiable.

IETF SCITT

Supply Chain Integrity, Transparency and Trust — independent, append-only ledgers that let third parties verify receipts without trusting the producer. The direct standards answer to the self-attestation gap (4.5, roadmap).

OMB · risk-based shift

The 2026 OMB action rescinding the prior secure-software-development self-attestation mandate in favor of a risk-based approach reflects the same realization: an attestation checkbox is not a risk control. Behaviour and replayable evidence are.

Tabletop it against a live instance

We are happy to walk through a Mini Shai-Hulud tabletop against a live a11oy instance — what the artifact-behaviour monitor would have flagged, what the 3-axis check would have rejected, and what the governance ledger would let you prove and revoke after the fact. Live signed APIs and the GAP1 behavioural monitor are available now at a-11-oy.com.

References
  1. Cloud Security Alliance, “Mini Shai-Hulud: When Signed Provenance Certified a Supply Chain Worm,” May 15, 2026. labs.cloudsecurityalliance.org
  2. Open Source For U, “Hackers Abuse GitHub Actions and SLSA Signing to Spread Malware Across Open Source Ecosystems,” May 14, 2026. opensourceforu.com
  3. EU AI Act Service Desk FAQ. ai-act-service-desk.ec.europa.eu; Latham & Watkins, “AI Act Update,” May 13, 2026. lw.com
  4. IETF SCITT Working Group, Datatracker (draft-ietf-scitt-architecture; draft-dawkins-scitt-ai-article50-00, filed May 25, 2026). datatracker.ietf.org/wg/scitt
  5. Wiley Law, “OMB Rescinds Secure Software Development Mandate in Favor of a Risk-Based Approach,” Jan 29, 2026. wiley.law
🌐Spaces