Provenance adoption — last 30 days
Trust-signal drift feed
Package directory
| Prov | Package | Latest | Weekly | Builder | Source |
|---|---|---|---|---|---|
Manifest scan
Paste a package.json to get a per-dependency provenance breakdown (DB-only, no live fetch).
How to read a provenance signal
npm SLSA provenance proves that a published version was built by a specific CI workflow from a specific source commit. It is a real, useful signal. It is also not proof of safety.
On May 11, 2026, the Mini Shai-Hulud worm published 84 malicious versions across 42 @tanstack/* packages — and at least some of those versions carried valid SLSA provenance. The attacker compromised a maintainer's CI credentials, so the attestation was technically truthful: "this package was built by tannerlinsley's GitHub Actions workflow." It just happened that the workflow had been hijacked. Provenance binds an artifact to a builder; it does not vouch for the builder.
provenance-watch surfaces both sides: which packages have provenance, and where that signal has been bypassed in the wild. Use it as one of several signals — alongside download history, maintainer activity, and dist-tag stability.
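The manifest scan and the "binds an artifact to a builder" point above can be made concrete with a small offline script. This is an added example, not provenance-watch's own code: the provenance database is a constructed stand-in (the `builder` and `source` fields are assumed names for what a SLSA statement binds), the range resolver only handles `^`, `~` and exact versions, and "drift" is taken to mean that the resolved version's builder or source differs from the previous attested version. A package whose provenance is present but whose builder moved gets flagged for review rather than treated as safe, which is the distinction the section makes.

```javascript
// Per-dependency provenance breakdown over a package.json, run against a local
// (constructed) provenance database with no registry calls. Added example; not
// provenance-watch's implementation.

// Constructed sample DB: one record per published version. builder = workflow
// identity the attestation names; source = repository the build was invoked on.
const PROVENANCE_DB = [
  { name: "acme-utils", version: "1.0.0",
    builder: "https://github.com/acme/acme-utils/.github/workflows/release.yml@refs/heads/main",
    source: "https://github.com/acme/acme-utils" },
  { name: "acme-utils", version: "1.1.0",
    builder: "https://github.com/acme/acme-utils/.github/workflows/release.yml@refs/heads/main",
    source: "https://github.com/acme/acme-utils" },
  // Provenance present and internally valid, but the builder changed. That is the
  // "hijacked workflow" shape: the attestation is truthful, the builder is not trusted.
  { name: "acme-utils", version: "1.2.0",
    builder: "https://github.com/acme/acme-utils/.github/workflows/publish.yml@refs/heads/main",
    source: "https://github.com/acme/acme-utils" },
  // Published without any provenance statement.
  { name: "acme-core", version: "2.3.1", builder: null, source: null },
];

function parseVersion(v) {
  return v.split(".").map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Minimal resolver for the common package.json forms "^x.y.z", "~x.y.z", "x.y.z".
// Full semver (||, >=, prerelease tags) is deliberately out of scope.
function satisfies(version, range) {
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const baseStr = op ? range.slice(1) : range;
  const base = parseVersion(baseStr);
  const v = parseVersion(version);
  if (compareVersions(version, baseStr) < 0) return false;
  if (op === "^") return v[0] === base[0];
  if (op === "~") return v[0] === base[0] && v[1] === base[1];
  return compareVersions(version, baseStr) === 0;
}

// Highest DB version of `name` that satisfies `range`, or null if none is known.
function resolve(name, range, db) {
  const candidates = db
    .filter(r => r.name === name && satisfies(r.version, range))
    .sort((a, b) => compareVersions(b.version, a.version));
  return candidates[0] || null;
}

// One row per dependency: provenance yes/no/unknown, plus a drift flag when the
// builder or source binding differs from the previous attested version.
function scanManifest(pkgJson, db = PROVENANCE_DB) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  return Object.entries(deps).map(([name, range]) => {
    const rec = resolve(name, range, db);
    if (!rec) return { name, range, resolved: null, provenance: "unknown", drift: false };
    if (!rec.builder) return { name, range, resolved: rec.version, provenance: "no", drift: false };
    const prev = db
      .filter(r => r.name === name && r.builder && compareVersions(r.version, rec.version) < 0)
      .sort((a, b) => compareVersions(b.version, a.version))[0];
    const drift = !!prev && (prev.builder !== rec.builder || prev.source !== rec.source);
    return { name, range, resolved: rec.version, provenance: "yes", drift,
             builder: rec.builder, previousBuilder: prev ? prev.builder : null };
  });
}

// Constructed manifest standing in for a pasted package.json.
const SAMPLE_MANIFEST = {
  dependencies: { "acme-utils": "^1.0.0", "acme-core": "~2.3.0" },
  devDependencies: { "not-in-db": "3.0.0" },
};

if (typeof require !== "undefined" && require.main === module) {
  console.table(scanManifest(SAMPLE_MANIFEST));
}
```

Run with `node scan.js` to print the table. In the sample, `acme-utils` resolves to 1.2.0 with provenance present but `drift: true`, `acme-core` resolves with `provenance: "no"`, and the unknown package is reported as `unknown` rather than silently skipped; the drift rows are the ones worth cross-checking against download history, maintainer activity and dist-tag stability, as the section suggests.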