Executive Summary
Supply chain attacks in 2026 do not look like growth. The Phoenix Security Malware Package Intelligence (MPI) corpus covers 59 supply chain attack campaigns from June 2024 through June 2026 and indexes 657 individual malicious package-versions as concrete, scanner-ready IOCs. When you plot that corpus month by month, the curve does not look like growth. It looks like ignition.

The full year 2025 produced 14 campaigns and 111 indexed packages. The first half of 2026 alone produced 37 campaigns and 497 indexed packages — 2.6 times the campaign count and 4.5 times the package volume of the entire preceding year. May 2026 was the single busiest month on record: 14 campaigns and 346 indexed packages in 31 days, more than the four months before it combined. That spike has a specific cause. One self-propagating worm event in May generated 226 of those 346 indexed packages, and the worm is still the defining technical innovation of this period: a mechanism that converts a single compromised maintainer token into hundreds of poisoned packages without human input between hops.

Figure: Phoenix Research – Campaign analysis
The external ecosystem data tells the same story from a wider angle. Sonatype tracked a 188 percent year-over-year jump in malicious open source packages in Q2 2025, followed by a 140 percent quarter-over-quarter increase in Q3 2025, with 454,600 new malicious packages across the year and a cumulative total that crossed 1.23 million. ReversingLabs found that npm malware more than doubled in 2025 and now represents nearly 90 percent of all open source malware the firm detects. Meanwhile, PyPI and NuGet malware declined 43 and 60 percent, respectively, after those registries shipped mandatory 2FA and trusted publishing — confirming that attackers do not grind through friction, they route around it.
Two new attack surfaces entered active production during this period. The VS Code Marketplace went from near-zero malicious activity to 7 documented campaigns in 18 months, with ReversingLabs recording detections that nearly quadrupled from 27 in 2024 to 105 in the first 10 months of 2025. AI agent tooling — MCP server injection, .cursorrules poisoning, CLAUDE.md hidden instructions, AI coding assistant SessionStart hooks — moved from theoretical concern to confirmed delivery mechanism across at least 14 of 59 tracked campaigns (some of that jump may reflect limited visibility before 2025, but the acceleration is clear).
Across all 59 campaigns, the CVE count during active exploitation was zero. Every single one.

TL;DR for Engineering Teams
| Label | Content |
|---|---|
| What it is | An industrialised, accelerating wave of supply chain attacks across npm, PyPI, VS Code, and AI agent tooling. Phoenix MPI tracks 59 campaigns / 657 malicious package IOCs, Jun 2024–Jun 2026. External data: 188% YoY jump (Sonatype Q2 2025), 140% QoQ rise in Q3. npm carries ~90% of all detected open source malware. |
| Where it bites | Developer workstations and CI/CD runners. Detonation at npm install, workspace open, CI run, or AI agent session start. May 2026 alone: 14 campaigns, 346 indexed packages. |
| Why it matters | Self-propagating worms convert one stolen token into hundreds of poisoned packages. AI agent config files are now persistence mechanisms. The VS Code surface went from 0 to 7 campaigns in 18 months. 0 CVEs assigned across the entire 59-campaign corpus. |
| Patch status | Not applicable — no CVEs means no patch path. The attack surface is a trust assumption, not a code defect. |
| Immediate action | Audit lockfiles against current IOC sets. Rotate all credentials from any affected install. Check .vscode/tasks.json, ~/.claude/settings.json, .cursorrules, CLAUDE.md, and .github/workflows/ for injected entries. Pin GitHub Actions to commit SHAs. Run grep -rn "binding.gyp" and grep -rn "Miasma: The Spreading Blight" across your repositories. |
Threat Overview
| Field | Value |
|---|---|
| Threat class | Software supply chain compromise |
| Phoenix MPI corpus | 59 campaigns, 657 indexed malicious package IOCs, Jun 2024–Jun 2026 |
| Primary ecosystems | npm (79.3% of IOCs), PyPI (9.0%), VS Code/OpenVSX (6.2%), Golang, RubyGems, Cargo, NuGet, Packagist |
| Lead threat actors | TeamPCP (UNC6780) — 19 campaigns; Shai-Hulud lineage — 14 campaigns; DPRK clusters (Lazarus, Contagious Interview, Sapphire Sleet) — 9 campaigns; IronWorm — 1 (Jun 2026) |
| CVEs assigned | Zero, across all 59 campaigns during active exploitation |
| Active exploitation | Confirmed, ongoing |
| Detection gap | CVE-feed scanners blind to 100% of documented campaigns |
The Acceleration Curve

Year over year
| Year | Campaigns | Indexed malicious packages |
|---|---|---|
| 2024 | 6 | 30 |
| 2025 | 14 | 111 |
| 2026 H1 (Jan–Jun) | 37 | 497 |

2026 is barely half over and has already produced more than 2.6 times the campaign volume and 4.5 times the package volume of the entire preceding year. Projected linearly, 2026 is on track for approximately 74 campaigns and around 1,000 indexed packages — a roughly 5-fold year-on-year step after 2025 had already nearly doubled 2024.
Inside 2026 — the curve steepens month over month
| Month (2026) | New campaigns | New packages | Cumulative packages |
|---|---|---|---|
| Jan | 2 | 4 | 4 |
| Feb | 3 | 26 | 30 |
| Mar | 6 | 21 | 51 |
| Apr | 8 | 26 | 77 |
| May | 14 | 346 | 423 |
| Jun (to 7th) | 4 | 74 | 497 |
May 2026 is the single busiest month on record across the entire two-year corpus: fourteen distinct campaigns and 346 indexed packages, more than the prior four months of 2026 combined. The May spike is the signature of automation. Mini Shai-Hulud Wave 2 alone contributed 226 of those 346 indexed packages, against a reported real-world total of 170+ distinct packages. A single worm event now outproduces a full quarter of manual campaigns in volume.
Ecosystem Breakdown

Where the malicious packages live
| Ecosystem | Indexed packages | Campaigns | Share of IOCs |
|---|---|---|---|
| npm | 521 | 37 | 79.3% |
| PyPI | 59 | 19 | 9.0% |
| VS Code / OpenVSX (vsx) | 41 | 7 | 6.2% |
| Golang | 9 | 1 | 1.4% |
| RubyGems | 7 | 1 | 1.1% |
| Cargo | 6 | 1 | 0.9% |
| NuGet | 5 | 1 | 0.8% |
| Packagist | 4 | 1 | 0.6% |
| Docker | 3 | 1 | 0.5% |
npm is the dominant target by a wide margin: nearly 4 in 5 indexed malicious packages, present in 63 percent of all campaigns. PyPI is the steady second front, appearing in 19 campaigns with lower individual IOC volume because Python attacks tend toward lower-volume, higher-precision payloads: RATs, banking trojans, crypto-stealers rather than mass typosquat sprays.
The PyPI and NuGet malware declines in external vendor data (down 43% and 60% per ReversingLabs) are the most important nuance in the entire dataset. They confirm that registry-level security controls work, and that attackers respond to friction by relocating rather than persisting. npm’s slower adoption of equivalent controls explains why it now absorbs the majority of displaced volume.
VS Code extensions: zero to seven campaigns in 18 months
The VS Code Marketplace barely registered as an attack surface before late 2024. It now spans seven distinct campaigns:
| Campaign | Period | Notable detail |
|---|---|---|
| VSCode Crypto/Zoom Impersonation Extensions | Oct–Dec 2024 | First significant impersonation wave |
| GlassWorm Wave 1 — Invisible Unicode | Oct 2025 | First self-propagating extension worm; invisible-Unicode payloads; Solana blockchain C2 |
| MaliciousCorgi — AI ChatGPT Spyware | Jan 2026 | 1.5M-install spyware; full file contents exfiltrated to aihao123[.]cn |
| OX Security VSCode Extension CVEs | Feb 2026 | 128M combined install exposure across four extensions |
| GlassWorm Wave 3 — 73 OpenVSX Clones + Zig Dropper | Apr 2026 | 73 cloned extensions; compiled Zig dropper; cross-IDE infection |
| TeamPCP CI/CD Siege | Mar 2026 | Extension inside CI/CD attack chain; OpenVSX + npm + GitHub Actions simultaneous |
| TeamPCP Wave 4 — GitHub Internal Breach | May 2026 | GitHub confirmed ~3,800 internal repositories exfiltrated via poisoned VS Code extension on employee endpoint |
The developer editor has become an attack surface carrying full developer privileges, persistent across projects, and extending into every AI coding tool fork. ReversingLabs confirmed the detection rate nearly quadrupled: 27 malicious extensions detected in 2024, rising to 105 in the first 10 months of 2025. The GitHub breach via a poisoned extension is the operational proof point that this surface now reaches the highest-value targets in the software supply chain.
AI agent tooling and MCP: the newest frontier
The leading edge of the corpus targets the tooling that sits around the developer rather than a traditional package registry:
| Campaign | Period | Vector |
|---|---|---|
| SANDWORM_MODE | Feb 2026 | MCP (Model Context Protocol) server injection |
| TrapDoor | May 2026 | Zero-width Unicode poisoning of .cursorrules and CLAUDE.md |
| Miasma Wave 2 | Jun 2026 | AI IDE backdoor injection into Claude Code, Cursor AI, Google Gemini configs |
| GlassWorm (invisible Unicode) | Oct 2025– | OpenVSX extension → AI-agent context; technique that jumped from VSX to the skills vector |
| Mini Shai-Hulud (SAP CAP wave) | Apr 2026 | Claude Code SessionStart hook + VS Code tasks.json folderOpen persistence |

TrapDoor introduced the most novel technique in the full corpus: injecting hidden instructions into AI coding assistant configuration files using zero-width Unicode characters, so the developer’s own assistant becomes the exfiltration mechanism — running what appears to be a “security scan” that actually harvests secrets. The campaign opened pull requests to browser-use/browser-use, langchain-ai/langchain, and langflow-ai/langflow to distribute the poisoned configs. Miasma Wave 2 extended the technique, dropping backdoor configs into project directories for Claude Code, Cursor AI, and Google Gemini simultaneously. The Mini Shai-Hulud SAP CAP persistence mechanism is the clearest example of what makes this surface distinct from a package install: the hooks survive package uninstall entirely, re-running credential harvest on every subsequent session.
Quantified scan data: AI-agent skills carry a markedly higher risk rate than IDE extensions. A focused deep-scan run on 2026-05-24 across 3,267 skills produced findings that are the clearest internal signal of the AI-shift thesis:
| Surface | Indexed | Scanned | Flagged unhealthy/risky | Risk rate |
|---|---|---|---|---|
| VS Code / OpenVSX extensions | ~34,300 | 11,909 | 820 | 6.9% |
| AI-agent skills | ~43,900 | 42,480 | 6,606 | 15.6% |
AI-agent skills carry a risk rate 2.3 times higher than IDE extensions. The deep-scan risk breakdown for the 3,267-skill focused run:
| Risk level | Skills | Share |
|---|---|---|
| Critical | 854 | 26.1% |
| High | 74 | 2.3% |
| Medium | 74 | 2.3% |
| Low | 46 | 1.4% |
| Safe | 2,219 | 67.9% |
More than 1 in 4 deep-scanned skills triggered a critical-risk finding. The most-triggered detection rules reveal a consistent pattern — shell command execution combined with network egress:
| Detection rule | Hits | What it catches |
|---|---|---|
| CS-009 | 3,603 | Command/shell execution — skill invokes OS shell, subprocess, or eval |
| NS-002 | 2,075 | Network egress — outbound connections to unconfigured external endpoints |
| RD-003 | 1,302 | Remote data read — fetches remote instructions or payloads at runtime |
| NS-008 | 1,089 | Suspicious network pattern — C2-consistent beacon or exfiltration pattern |
High-star, widely-trusted skills appear in the critical set — a setup-deploy skill in a 97,000-star repository triggered critical findings. Popularity provides no safety signal.
The attack model across all five campaigns in this cluster: the AI coding assistant loads a project-level skill or MCP server containing hidden instructions. The assistant executes those instructions as part of normal operation, exfiltrating secrets without the developer ever running a suspicious binary. The AI is not compromised — it is used as designed, against the developer. External validation confirms this is a recognised attack class: Snyk’s ToxicSkills research documents malicious AI-agent skills, and Datadog’s open dataset now formally tracks “AI Skills” and “IDE extensions” as first-class malware ecosystems alongside npm and PyPI.

Threat Actor Breakdown
| Actor / cluster | Campaigns in corpus | Model | Signature |
|---|---|---|---|
| TeamPCP (UNC6780) | 19 | Automated, self-propagating | CI/CD sieges; AI-tooling targeting; Checkmarx/Trivy/LiteLLM/Bitwarden cascade |
| Shai-Hulud lineage (incl. Mini variants) | 14 | Self-replicating worms | Credential harvesting; OIDC token theft; GitHub dead-drop repos; Bun runtime evasion |
| DPRK (Lazarus, Contagious Interview, Sapphire Sleet, Tenacious Pungsan) | 9 | Social-engineering led | Fake recruiting lures; OtterCookie / BeaverTail / HexEval RATs; expanding ecosystem reach |
| IronWorm | 1 (Jun 2026) | Compiled-binary worm | Rust ELF binary; eBPF rootkit; Tor C2; OIDC self-propagation |

Two distinct adversary archetypes define the period:
DPRK: human-in-the-loop, espionage and financial. The Contagious Interview playbook lures developers through fake job offers, then delivers OtterCookie and BeaverTail RATs through npm and PyPI packages. Lower package volume, higher targeting precision. Campaign 69 confirmed a first: DPRK supply chain activity expanding to Packagist/PHP, following the Laravel-Lang attack pattern. Credit to OpenSourceMalware for the first signal.
TeamPCP plus Shai-Hulud lineage: machine-speed, self-propagating. These are worms. They steal a maintainer’s npm or GitHub token, republish trojanized versions, and use the stolen credentials to infect the next namespace automatically. This is what produces the May 2026 volume spike. The worm has been operational across at least six named waves, each introducing new delivery or evasion capability within 72 hours of the prior wave being detected and documented.
IronWorm (June 2026) is the engineering ceiling for this period. A move away from interpreted JavaScript postinstall scripts toward a compiled 976 KB Rust binary with a kernel-level eBPF rootkit, per-call-site string encryption, Tor C2, and OIDC-based self-propagation through 37 npm packages across 9 organizations. It signals that supply chain malware is professionalizing toward the capability level of nation-state implants. Credit to JFrog for the first signal.
Campaign Timeline: May–June 2026 (The Densest Six Weeks on Record)
| Date | Campaign | Ecosystem | Scale |
|---|---|---|---|
| May 17, 2026 | actions-cool GitHub Action imposter commit | GitHub Actions | All version tags; AntV cascade trigger |
| May 18, 2026 | Megalodon mass GitHub Actions backdoor | GitHub | 5,561 repos; 5,718 commits; 6 hours |
| May 18–19, 2026 | AntV / Mini Shai-Hulud Wave | npm | ~16M weekly downloads |
| May 19–22, 2026 | atool maintainer takeover (323 packages) | npm | 2,500+ attacker repos; 16M+ weekly DLs |
| May 20, 2026 | art-template → Coruna iOS Safari exploit | npm → iOS Safari | 5M+ weekly downloads; watering-hole |
| May 22, 2026 | Laravel-Lang Composer tag-redirect | Packagist | 233 versions; 700+ downstream repos; 15 min |
| May 22–26, 2026 | TrapDoor cross-ecosystem | npm + PyPI + Crates.io | 34 packages; 384+ versions |
| May 29, 2026 | Miasma Wave 1 (Red Hat @redhat-cloud-services) | npm | 32+ packages; GCP/Azure identity enumeration |
| Jun 2–3, 2026 | Miasma Wave 2 Phantom Gyp | npm | 57 packages; 286 malicious versions; under 2 hours |
| Jun 2026 | IronWorm (JFrog) | npm | 37 packages; 9 organizations; eBPF rootkit |
Key Campaigns in Technical Detail
Shai-Hulud lineage: three waves, one propagation engine
The Shai-Hulud worm established the template for self-propagating npm supply chain compromise and every subsequent wave inherits from it.
Wave 1 (September 2025): Started with @ctrl/tinycolor at over 2 million weekly downloads. ReversingLabs identified ngx-bootstrap@18.1.4 (approximately 300,000 weekly downloads) as the probable patient zero for the broader first wave, which compromised over 500 npm packages. The worm harvested npm tokens, GitHub tokens, and cookies, then automatically republished poisoned versions of every package a compromised maintainer could reach, capped at 100 packages per victim. The payload was a monolithic Node.js bundle.js delivered via a postinstall lifecycle hook. The Qix compromise — which hit chalk@5.6.1 and debug@4.4.2 (combined approximately 2.6 billion weekly downloads) and the ansi cluster (ansi-styles, ansi-regex, strip-ansi, supports-color, wrap-ansi, color, color-convert, color-name) — occurred in this wave, representing the highest-reach single compromise event in the dataset.
Wave 2 (November 2025): Branded “Sha1-Hulud: The Second Coming.” Datadog tracked 1,092 unique backdoored package versions across at least 796 packages with a combined 130 million monthly downloads. Patient zero: @asyncapi/specs at 1.4 million weekly downloads, cascading through corporate namespaces including Zapier, Postman, PostHog, ENS Domains, Browserbase, and the AsyncAPI organization itself (36 distinct packages trojanized). The 2.0 wave switched from postinstall to preinstall and adopted the Bun runtime as a Node.js detection bypass. Wiz tracked over 25,000 attacker-created exfiltration repositories across roughly 350 GitHub users at a peak rate of 1,000 new repositories every 30 minutes.
Mini Shai-Hulud (April–May 2026): Three distinct named sub-waves, all inheriting the worm branding and expanding the technical surface:
- SAP CAP wave (April 29): OIDC trusted-publishing entry point on a misconfigured release workflow. First confirmed introduction of Claude Code SessionStart hooks and VS Code tasks.json folderOpen triggers as persistence mechanisms. ~1,800 attacker-controlled credential-dump repositories created. C2: zero.masscan[.]cloud:443/v1/telemetry.
- atool/AntV wave (May 19): 323 packages across 27 minutes via two compromised npm accounts. Payload reads GitHub Actions Runner.Worker process memory to extract CI/CD secrets in plaintext, bypassing log masking. 2,500+ attacker repositories created.
- PyTorch Lightning PyPI bridge (April 30): First confirmed cross-ecosystem Shai-Hulud expansion into PyPI. lightning@2.6.2 and 2.6.3 (8.3M monthly downloads) compromised with a Python-to-JavaScript execution bridge — downloads Bun, executes router_runtime.js. Novel because it bypasses PyPI signature verification, which covers only Python code.
The worm’s design principle across all waves: each compromised maintainer’s token publishes poisoned versions of every other package that maintainer owns, creating a cascade from a single stolen credential.
TeamPCP (UNC6780): 19 campaigns, multi-ecosystem coordination
TeamPCP is the most active single actor in the corpus and the clearest example of supply chain compromise operating as a coordinated production pipeline across ecosystems simultaneously.
The five-day CI/CD siege in March 2026 (TEAMPCP_TRIVY_KICS_WAVE1) started from a single incompletely-rotated GitHub PAT from a prior breach and force-pushed 110+ version tags across Aqua Security’s trivy-action (75 of 76 version tags poisoned), setup-trivy, Checkmarx’s kics-github-action (35 tags), and ast-github-action — simultaneously poisoning two OpenVSX extensions, multiple container registries, and 66+ npm packages. The payload swept 50+ credential paths and exfiltrated via vendor-specific typosquat domains. CanisterWorm used an Internet Computer Protocol (ICP) blockchain canister as a C2 dead-drop — the first npm malware to do so — making conventional domain takedown impossible.
The Bitwarden CLI compromise (April 22, 2026) demonstrated the same pattern applied to a password manager: @bitwarden/cli@2026.4.0 poisoned for a 93-minute window via an injected GitHub Actions step in Bitwarden’s own CI pipeline. The payload (bw1.js) shares core infrastructure with the mcpAddon.js from the KICS wave. TeamPCP publicly claimed responsibility.
The MEGALODON_CI campaign on May 18 deployed 5,718 malicious GitHub Actions workflow commits across 5,561 repositories in six hours, using throwaway CI-bot accounts with forged identities and a September 2001 backdated timestamp. A dormant workflow_dispatch backdoor activates on any future pipeline run triggered via the GitHub API — creating a persistent sleeper army. CISA issued an advisory naming Megalodon alongside the Nx Console VS Code extension and Trivy.
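The two workflow-level signals raised in this section, mutable action version tags (the force-pushed Trivy and KICS tags) and injected workflow steps (the Megalodon commits), can both be checked with a line-based audit of workflow YAML. The script below is an added example for readers of this report, not Phoenix Security's or GitHub's tooling; it deliberately avoids a YAML library so it runs anywhere, and the sample workflow, including its 40-hex commit SHA, is a constructed placeholder.

```python
"""Audit GitHub Actions workflow text for mutable action refs and injected decode steps.

Added example, not Phoenix Security's or GitHub's tooling. It reads the YAML
line by line with regular expressions so it runs without PyYAML; the sample
workflow and its 40-hex commit SHA are constructed placeholders.
"""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
# Shell and scripting idioms that turn an opaque blob into code at run time.
DECODE_RE = re.compile(r"base64\s+(-d\b|-D\b|--decode)|base64\.b64decode|FromBase64String")


def unpinned_uses(workflow_text):
    """Action references that are not pinned to a full 40-hex commit SHA.

    Local actions (./path) are skipped; a ref with no '@' is reported too, since
    it floats with the action's default branch.
    """
    flagged = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("./"):
            continue
        ref = m.group(1)
        _, _, version = ref.partition("@")
        if not SHA40_RE.match(version):
            flagged.append(ref)
    return flagged


def decode_steps(workflow_text):
    """(line number, stripped line) for every line that decodes base64 at run time."""
    return [(n, line.strip()) for n, line in enumerate(workflow_text.splitlines(), 1)
            if DECODE_RE.search(line)]


def audit_workflow(workflow_text):
    """Combine both checks into one report dict."""
    return {"unpinned": unpinned_uses(workflow_text),
            "base64_decode": decode_steps(workflow_text)}


# Constructed workflow: one tag-pinned action, one SHA-pinned action (placeholder SHA),
# one local action, a benign build step, and an injected step that decodes a blob into sh.
SAMPLE_WORKFLOW = """\
name: ci
on:
  push:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-lint
      - name: Build
        run: npm ci --ignore-scripts
      - name: Telemetry
        run: |
          echo "PAYLOAD_B64_PLACEHOLDER" | base64 -d | sh
"""

if __name__ == "__main__":
    report = audit_workflow(SAMPLE_WORKFLOW)
    print("unpinned:", report["unpinned"])
    for lineno, text in report["base64_decode"]:
        print(f"base64 decode at line {lineno}: {text}")
```

Run it over every file under .github/workflows/ in a repository, and diff the `base64_decode` output against the previous committed revision: a decode step that was not there before is the indicator, a long-standing one is a candidate for review rather than an alert on its own.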
The GitHub internal breach (May 20, 2026) is the campaign with the highest-value confirmed impact in the corpus: roughly 3,800 GitHub-internal repositories exfiltrated after a poisoned VS Code extension reached an employee endpoint, with StepSecurity confirming Sigstore attestation forgery used to make the extension appear legitimately signed. Persistence via .vscode/tasks.json folderOpen tasks and ~/.claude/settings.json SessionStart hooks — both survive extension removal.
TeamPCP’s defining operational characteristic is the TTP pivot speed. The group adopted the VS Code folderOpen auto-run primitive from Lazarus Group’s Contagious Interview campaign and integrated it into crimeware within approximately eight weeks of public documentation. The Miasma Wave 2 delivery pivot — from postinstall to binding.gyp shell expansion — occurred within 72 hours of the prior detection being publicized.
IronWorm: the capability ceiling
IronWorm, caught by JFrog Security Research, represents a generational step in supply chain malware engineering. Distributed through 37 packages republished under the compromised asteroiddao npm account across 9 organizations, each package carries a 976 KB Rust ELF binary fired from a preinstall hook.
The binary uses a custom-modified UPX stub to defeat signature-based unpackers and encrypts every internal string with a unique per-call-site key. An embedded eBPF kernel-level rootkit hides the worm’s own processes, sockets, and anti-debugging tripwires. The implant sweeps 86 environment variables and over 20 credential file paths covering AWS, GCP, Azure, Vault, Kubernetes, npm, Docker, GitHub, and the full current generation of AI provider keys (Anthropic, OpenAI, Gemini, Cohere, Mistral, Groq, Perplexity, xAI). A dedicated Exodus desktop wallet hook weakens Electron sandboxing to capture the seed mnemonic at unlock. C2 runs over Tor. Propagation uses npm Trusted Publishing OIDC token exchange: on any CI runner with active federation, the worm exchanges the runner’s identity token for a short-lived, scoped publish token and republishes itself under every namespace the runner can reach — no stored npm token required.
The operator hardcoded their own BIP-39 recovery phrase in the wallet-stealer skip list, an operational security failure that reads as a rehearsal artifact rather than a finished operation.
TrapDoor: the AI-tool attack surface
TrapDoor is the first confirmed supply chain campaign to simultaneously weaponize npm, PyPI, and Crates.io with execution paths tailored to each runtime: postinstall hooks (npm), import-time remote JS fetch (PyPI), malicious build.rs scripts (Rust/Crates.io). 34 packages, 384+ versions, detected by Socket in under six minutes.
The novel component is the AI coding assistant poisoning. Packages inject .cursorrules and CLAUDE.md files containing zero-width Unicode hidden instructions. When a developer opens the project in Cursor or Claude Code, the assistant reads these configuration files and, following what appear to be legitimate project-level instructions, runs a “security scan” that exfiltrates local secrets. TrapDoor opened pull requests to browser-use/browser-use, langchain-ai/langchain, and langflow-ai/langflow to distribute the poisoned configs upstream. Miasma Wave 2 extended this pattern in June 2026, dropping backdoor configs for Claude Code, Cursor AI, and Google Gemini into project directories alongside the binding.gyp payload.
Miasma Wave 2: Phantom Gyp bypasses every postinstall mitigation
Miasma Wave 2 (June 2–3, 2026) introduced “Phantom Gyp” — a 157-byte binding.gyp file that triggers code execution via node-gyp rebuild shell command expansion. The significance: binding.gyp processing is not a lifecycle script. It bypasses --ignore-scripts, bypasses npm ci --ignore-scripts, and bypasses every conventional lifecycle-script monitor. The payload then downloads the Bun runtime rather than Node.js, bypassing endpoint tools that monitor Node.js process creation specifically.
The campaign deployed 57 packages and 286 malicious versions in under two hours. The binding.gyp file is 157 bytes and identical across all compromised versions (SHA-256: ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90), giving defenders a stable hash-based detection signal even though there is no CVE. The --ignore-scripts mitigation, which became the primary recommended response to Shai-Hulud 1.0 in September 2025, was structurally rendered incomplete by June 2026.

What Attackers Impersonate: Typosquat Target Frequency
Frequency of brand or library tokens appearing in malicious package names across the 59-campaign corpus:
| Target brand | Occurrences in malicious names |
|---|---|
| TanStack | 108 |
| UiPath | 67 |
| SolidJS | 26 |
| React | 25 |
| Mistral AI | 19 |
| ESLint | 17 |
| Vue | 14 |
| Tailwind | 12 |
| durabletask | 7 |
| Next.js | 6 |
| CrowdStrike / Prettier / LiteLLM / ethers / web3 / Telnyx | 6 each |
TanStack (108 occurrences) and UiPath (67) dominate, displacing the generic utility typosquatting that characterized earlier years. AI-adjacent tooling — Mistral AI, LiteLLM, durabletask — clusters in the top tier. This tells you what developers are reaching for in 2026: modern front-end framework namespaces and the AI/automation tooling around them. The attackers follow the install volume.

New Techniques Introduced in 2025–2026
| Technique | Campaign | What it bypasses |
|---|---|---|
| Python-to-JavaScript execution bridge | Mini Shai-Hulud / PyTorch Lightning | PyPI signature verification (Python-only scope) |
| Phantom Gyp (binding.gyp shell substitution) | Miasma Wave 2 | All --ignore-scripts + all lifecycle-script monitors |
| AI tool config poisoning (.cursorrules / CLAUDE.md) | TrapDoor, Miasma Wave 2 | Developer review; AI assistant becomes the attacker |
| Bun runtime download | Mini Shai-Hulud, Miasma | Node.js process monitoring (EDR monitors node, not bun) |
| ICP canister C2 | CanisterWorm, Namastex CanisterWorm | Conventional domain takedown |
| GitHub fork tag-redirect | actions-cool, Laravel-Lang | Official repo appears clean in any code view |
| DNS TXT record C2 | Go shopspring/decimal typosquat | Domain-takedown-resistant command delivery |
| Registry-as-exfiltration-channel | GemStuffer (RubyGems) | Registry-level data loss prevention (novel threat model) |
| Unique per-infection encrypted payload | Miasma Wave 1 | Version-hash-based fingerprinting |
| EDR enumeration before execution | Miasma Wave 1 | Checks CrowdStrike, SentinelOne, Carbon Black, StepSecurity Harden-Runner |
| SLSA Level 3 / Sigstore provenance forgery | TeamPCP Wave 3, Miasma Waves | Sigstore-based artifact verification |
| Constructor-time NuGet execution | Sicoob.Sdk | Pre-safety-check execution in .NET SDK pattern |
| Install / postinstall lifecycle hooks (install-time execution) | Shai-Hulud v1, SAP CAP, multiple | Dependency scanning — hook fires before any build or scan step |
Two additional corpus characteristics worth stating plainly: 73 percent of indexed packages carry a pinned malicious version — exact package name plus exact version string — making them blockable as precise IOCs without behavioral detection. 9 of 59 campaigns are cross-ecosystem: TrapDoor hit npm, PyPI, and Crates.io simultaneously; the Shai-Hulud lineage extended into PyPI; Contagious Interview now has confirmed Packagist activity. Attackers no longer specialise in one registry.
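Because most indexed IOCs are exact name@version pairs, a lockfile audit reduces to a set intersection. The script below is an added example, not Phoenix Security's scanner: it reads the npm lockfile v1, v2 and v3 layouts (the nested `dependencies` tree and the flat `packages` map) and reports every pinned entry that matches an IOC set. The IOC entries are package-versions named in this report; the lockfile content is constructed for the demo.

```python
"""Match an npm package-lock.json against a pinned name@version IOC set.

Added example, not Phoenix Security's tooling. The IOC entries are package-versions
named in this report; the lockfile content is constructed for the demo.
"""
import json

# Exact package name + exact version string, as named in this report.
# A real run would load the current published IOC feed instead.
IOC_PACKAGE_VERSIONS = {
    ("chalk", "5.6.1"),
    ("debug", "4.4.2"),
    ("ngx-bootstrap", "18.1.4"),
    ("@bitwarden/cli", "2026.4.0"),
}


def _name_from_lock_path(path):
    """Lockfile v2/v3 'packages' keys are install paths: keep the part after the last node_modules/."""
    return path.rsplit("node_modules/", 1)[-1]


def iter_lock_entries(lock):
    """Yield (name, version) pairs from lockfileVersion 1, 2 or 3 documents.

    v2/v3 carry a flat 'packages' map; v1 (and v2, for compatibility) carry a nested
    'dependencies' tree. Both are read, so hoisted and nested copies are all covered.
    """
    for path, meta in lock.get("packages", {}).items():
        if path and "version" in meta:      # "" is the root project entry
            yield _name_from_lock_path(path), meta["version"]

    def walk(deps):
        for name, meta in deps.items():
            if "version" in meta:
                yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def audit_lockfile(lock_text, iocs=IOC_PACKAGE_VERSIONS):
    """Sorted, de-duplicated 'name@version' strings in the lockfile that hit the IOC set."""
    lock = json.loads(lock_text)
    return sorted({f"{name}@{ver}" for name, ver in iter_lock_entries(lock)
                   if (name, ver) in iocs})


# Constructed lockfile: one hoisted hit, one nested hit (a second copy of debug
# under express), and two clean entries.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/chalk": {"version": "5.6.1"},
        "node_modules/debug": {"version": "4.3.7"},
        "node_modules/express/node_modules/debug": {"version": "4.4.2"},
        "node_modules/@ctrl/tinycolor": {"version": "4.1.0"},
    },
})

if __name__ == "__main__":
    hits = audit_lockfile(SAMPLE_LOCK)
    print("IOC matches:", hits or "none")
```

The nested-copy case matters: a clean hoisted `debug` does not mean the tree is clean, because a dependency can pin its own poisoned copy several levels down, and only the lockfile records that.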
The AI Acceleration Layer
The package volume curve and the attacker capability curve are connected. Anthropic’s analysis of 832 accounts banned for violating cyber-related usage policy between March 2025 and March 2026 quantifies the AI contribution. Those accounts used AI models across all 14 MITRE ATT&CK tactics and 482 unique sub-techniques. The share of actors scoring medium risk or higher on the ARiES (AI Risk Enablement Score) framework rose from 33 percent to 56 percent in under a year — a 1.7-fold increase — with growth concentrated in the operational, hands-on-keyboard stages rather than the commodity toolbuilding that dominates the overall count.
Malware development (T1587.001) was used by 560 of 832 accounts — 67.3 percent. That is the commodity layer feeding the registry volume numbers. But the more consequential shift is post-compromise: account discovery (T1087) rose 8.9 percent and automated exfiltration (T1020) rose 6.2 percent across the study year, while phishing fell 8.6 percent and capability development fell 12 percent. Lateral movement was the single strongest predictor of a high-risk actor — the 54 accounts using it averaged a risk score of 56.4 against a population mean of 46.8.
The traditional signals for assessing threat actor risk have stopped working. Technique breadth correlates with risk only weakly (r = 0.27). Interface choice — chat, API, or agentic coding tool — has no bearing on risk, with 80 percent of banned actors using Claude Code, making agentic tooling the statistical default rather than a distinguishing factor. What distinguishes the dangerous actors is scaffolding: the surrounding code and architecture that chains techniques into a continuous, autonomous operation.
The GTG-1002 espionage campaign disrupted in November 2025 scored the maximum 100 on the ARiES framework while using 30 techniques across 13 tactics — a profile comparable to dozens of medium-risk actors in the dataset. The difference was autonomous execution: Claude Code running on a Kali machine with MCP tool integrations scanned internet-facing services, discovered internal portals, exploited an SSRF vulnerability, harvested SSH keys from cloud metadata services, and moved laterally through the victim’s cloud environment, with human input only at the final data extraction step. None of that operational behavior maps to existing ATT&CK IDs. The framework does not yet have a taxonomy for autonomous killchain orchestration, real-time pivot decisions, or AI-directed execution.
That MITRE gap matters for defenders of the supply chain specifically. A self-propagating worm that exchanges OIDC tokens, sweeps 130 credential paths, forges backdated commits, drops AI agent configuration hooks, and republishes itself across namespaces is exactly the class of autonomous multi-step operation that has no ID in the framework your threat intelligence team relies on.
Exposure Analysis
| Environment | Risk Level | Reason |
|---|---|---|
| CI/CD pipelines | Critical | OIDC federation enables tokenless self-propagation; Runner.Worker memory holds plaintext secrets that bypass log masking; 5,561 repos already backdoored by Megalodon |
| Developer workstations | Critical | Install-time, folderOpen, and AI agent SessionStart execution; persistence survives extension and package uninstall |
| npm publishing accounts | High | Single compromised maintainer token cascades to up to 100 downstream packages per worm cycle; 25 packages appear in multiple campaigns |
| Cloud workloads | High | AWS/GCP/Azure/Kubernetes credentials harvested across 86+ env vars; GCP/Azure identity enumeration (not just static secret extraction) confirmed in Miasma Wave 1 |
| Packagist / Composer environments | High | GitHub fork tag-redirect leaves official repo appearing clean; 233 versions across 4 packages compromised in 15 minutes (Laravel-Lang) |
| IDE / AI agent surface | High | .cursorrules, CLAUDE.md, VS Code tasks.json, Claude Code settings.json are now confirmed persistence and execution mechanisms |
Detection Guidance
Log and host indicators
- Outbound connections to known C2: 216.126.225.129:8443 (MEGALODON_CI), t.m-kosche[.]com (atool/AntV, actions-cool; disguised OTel collector), zero.masscan[.]cloud:443/v1/telemetry (Mini Shai-Hulud waves), aihao123[.]cn (MaliciousCorgi), flipboxstudio[.]info (Laravel-Lang), ddjidd564.github[.]io (TrapDoor PyPI payload).
- Tor process creation from a CI runner or developer workstation — high confidence IOC for IronWorm.
- Unexpected bun binary in /tmp/bun, ~/bun, or any non-standard path — present in Mini Shai-Hulud, PyTorch Lightning, Miasma Wave 2.
- binding.gyp file in any npm package that does not legitimately use native addons. SHA-256: ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90 (Miasma Wave 2; 157 bytes; identical across all 286 malicious versions).
- New .vscode/tasks.json entries with runOn: "folderOpen" combined with reveal: "never" and echo: false.
- ~/.claude/settings.json SessionStart hooks, CLAUDE.md entries, or .cursorrules files containing zero-width Unicode characters (U+200B, U+200C, U+200D, U+FEFF).
- GitHub repositories newly created under your organization’s developer accounts containing Dune-universe names, the string “Shai-Hulud,” “Miasma: The Spreading Blight,” or reversed-string descriptions.
- Backdated commits authored by claude@users.noreply.github.com, dependabot[bot], renovate[bot], github-actions[bot], ci-bot@automated.dev, or build-system@noreply.dev with timestamps copied from prior legitimate commits.
- GitHub Actions workflow files with base64 decode steps that were not present in the prior committed version.
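The file-based indicators above (hidden folderOpen tasks, zero-width characters in agent config files, the binding.gyp stub, and base64 decode steps in workflow files) can be checked with a short scanner. The script below is an added example, not Phoenix Security tooling and not code from the report; the directory layout and sample files it builds are constructed for the demo, and only the binding.gyp SHA-256 comes from the indicator list above. It reports a binding.gyp as "present" when the hash does not match, because whether a package legitimately needs native addons is a review decision, not something the hash can settle.

```python
"""Host/IDE indicator scanner for the persistence mechanisms listed above.

Added example (not Phoenix tooling). Sample files are constructed; the
binding.gyp hash is the one quoted in the indicator list.
"""
import hashlib
import json
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Zero-width code points used to hide instructions in agent config files.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\ufeff"}
# SHA-256 quoted above for the Miasma Wave 2 binding.gyp stub.
MIASMA_BINDING_GYP_SHA256 = "ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90"
AGENT_CONFIGS = ("CLAUDE.md", ".cursorrules", "settings.json")
# Inline decode idioms across sh, Python and PowerShell steps.
BASE64_DECODE = re.compile(r"base64\s+(-d|--decode)|b64decode|FromBase64String", re.I)


def check_tasks_json(path: Path) -> list[str]:
    """Flag tasks that auto-run on folder open while hiding their terminal."""
    findings: list[str] = []
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (ValueError, OSError):
        return findings
    for task in data.get("tasks", []):
        run_on = task.get("runOptions", {}).get("runOn")
        pres = task.get("presentation", {})
        if run_on == "folderOpen" and pres.get("reveal") == "never" and pres.get("echo") is False:
            findings.append(f"{path}: hidden folderOpen task {task.get('label')!r}")
    return findings


def check_zero_width(path: Path) -> list[str]:
    """Flag agent config files containing zero-width characters."""
    try:
        text = path.read_text(encoding="utf-8")
    except (UnicodeDecodeError, OSError):
        return []
    hits = sorted({f"U+{ord(c):04X}" for c in text if c in ZERO_WIDTH})
    return [f"{path}: zero-width characters {', '.join(hits)}"] if hits else []


def check_binding_gyp(path: Path) -> list[str]:
    """Flag binding.gyp: hash match is high confidence, presence needs review."""
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    if digest == MIASMA_BINDING_GYP_SHA256:
        return [f"{path}: binding.gyp matches Miasma Wave 2 hash"]
    return [f"{path}: binding.gyp present (verify the package needs native addons)"]


def check_workflow(path: Path) -> list[str]:
    """Flag workflow files with inline base64 decode steps; diff against git history."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return [f"{path}: base64 decode step"] if BASE64_DECODE.search(text) else []


def scan(root: Path) -> list[str]:
    """Walk a checkout or home directory and apply each check by filename."""
    findings: list[str] = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name == "tasks.json" and p.parent.name == ".vscode":
            findings += check_tasks_json(p)
        elif p.name in AGENT_CONFIGS:
            findings += check_zero_width(p)
        elif p.name == "binding.gyp":
            findings += check_binding_gyp(p)
        elif p.suffix in (".yml", ".yaml") and ".github/workflows" in p.as_posix():
            findings += check_workflow(p)
    return findings


def demo() -> list[str]:
    """Build a constructed repo layout with one of each indicator and scan it."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".vscode").mkdir()
        (root / ".vscode" / "tasks.json").write_text(json.dumps({
            "version": "2.0.0",
            "tasks": [{"label": "sync", "type": "shell", "command": "node sync.js",
                       "runOptions": {"runOn": "folderOpen"},
                       "presentation": {"reveal": "never", "echo": False}}]}))
        (root / "CLAUDE.md").write_text("# Project notes\u200b\u200c hidden\n", encoding="utf-8")
        (root / "node_modules" / "pkg").mkdir(parents=True)
        (root / "node_modules" / "pkg" / "binding.gyp").write_text("{ 'targets': [] }\n")
        (root / ".github" / "workflows").mkdir(parents=True)
        (root / ".github" / "workflows" / "ci.yml").write_text(
            "steps:\n  - run: echo $PAYLOAD | base64 -d | sh\n")
        return scan(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Point `scan()` at a developer home directory or a CI checkout; findings are strings so they can be shipped to whatever ticketing or SIEM path the team already uses.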
Scanner references
- Phoenix Security PHX-Neural behavioral engine (77-signal, 94.2% MITRE ATT&CK v16 coverage) scored nicegui@3.12.0 (174,659 weekly downloads) at 100/100 with zero CVEs assigned.
- GitHub code search for MEGALODON_CI injection: query string Q0I9Imh0dHA6Ly8yMTYu.
- Grep for Miasma repository staging: grep -rn "Miasma: The Spreading Blight" across your GitHub organization.
- Grep for Phantom Gyp: grep -rn "binding.gyp" across all npm packages in your lockfile.
- StepSecurity Harden-Runner for CI runner egress detonation evidence.
- SCA and SBOM tooling for lockfile-to-IOC cross-referencing against the Phoenix MPI IOC set.
Verification steps for teams
- Search every lockfile (package-lock.json, yarn.lock, pnpm-lock.yaml, poetry.lock, composer.lock) against the current Phoenix MPI IOC set — 657 indexed package-versions with exact version pinning in 73 percent of cases.
- Run behavioral dependency scanning, not CVE-only scanning, across all repositories. CVE scanners had zero detection surface for all 59 documented campaigns.
- Audit .github/workflows/ across the entire organization for injected base64 decode steps and any workflow_dispatch backdoor triggers added in May 2026.
- Check all installed VS Code and OpenVSX extensions, including their bundled node_modules dependencies, for tampered packages — the 19-extension Rust trojan wave hid its payload inside path-is-absolute in the extension bundle.
- Inspect AI agent config files (CLAUDE.md, .cursorrules, settings.json) for zero-width Unicode characters and entries you did not author.
- Pin all GitHub Actions to full commit SHAs rather than version tags. Both the actions-cool and Megalodon campaigns exploited tag-based reference.
- Review SBOMs for transitive dependency exposure — worm payloads frequently land through declared transitive dependencies, not the direct package the developer chose.
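The lockfile cross-reference in the first step and the commit-SHA pinning check in the sixth can both be scripted. The example below is added here and is not Phoenix tooling or code from the report; the IOC set it carries is a constructed stand-in for the Phoenix MPI feed (the package names and versions in it are invented), and the lockfile and workflow contents in `demo()` are constructed. It handles the package-lock.json v2/v3 "packages" map, including nested node_modules entries, uses a minimal poetry.lock reader so it runs on Python versions without tomllib, and treats an IOC entry with no version set as "every version is bad" (the case of a fully attacker-controlled name).

```python
"""Lockfile-to-IOC cross-reference and GitHub Actions pin audit.

Added example (not Phoenix tooling). IOC_SET is a constructed stand-in for
the Phoenix MPI feed; every package name and version in it is invented.
"""
import json
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# (ecosystem, name) -> set of malicious versions, or None when every version is malicious.
IOC_SET = {
    ("npm", "example-ioc-pkg"): {"1.4.2", "1.4.3"},
    ("npm", "@acme-placeholder/left-pads"): None,
    ("pypi", "example-trojan-lib"): {"0.9.1"},
}
SHA_REF = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)


def npm_lock_packages(path: Path):
    """Yield (name, version) from a lockfileVersion 2/3 package-lock.json."""
    data = json.loads(path.read_text(encoding="utf-8"))
    for key, meta in data.get("packages", {}).items():
        if not key or "version" not in meta:
            continue  # the root project entry has key ""
        # "node_modules/a/node_modules/@s/b" -> "@s/b"
        yield key.split("node_modules/")[-1], meta["version"]


def poetry_lock_packages(path: Path):
    """Yield (name, version) from poetry.lock with a minimal [[package]] reader."""
    name = version = None
    for line in path.read_text(encoding="utf-8").splitlines():
        if line.strip() == "[[package]]":
            if name and version:
                yield name, version
            name = version = None
        elif line.startswith("name = "):
            name = line.split("=", 1)[1].strip().strip('"')
        elif line.startswith("version = "):
            version = line.split("=", 1)[1].strip().strip('"')
    if name and version:
        yield name, version


def match_iocs(ecosystem: str, packages) -> list[str]:
    """Return 'eco:name@version' for every resolved package in the IOC set."""
    hits: list[str] = []
    for name, version in packages:
        key = (ecosystem, name)
        if key not in IOC_SET:
            continue
        bad = IOC_SET[key]
        if bad is None or version in bad:
            hits.append(f"{ecosystem}:{name}@{version}")
    return hits


def unpinned_actions(workflow_text: str) -> list[str]:
    """Return `uses:` references not pinned to a full 40-hex commit SHA."""
    out: list[str] = []
    for ref in USES_LINE.findall(workflow_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite actions and images are out of scope here
        _, _, rev = ref.partition("@")
        if not SHA_REF.match(rev):
            out.append(ref)
    return out


def demo():
    """Audit constructed lockfiles and a constructed workflow against IOC_SET."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "package-lock.json").write_text(json.dumps({
            "lockfileVersion": 3,
            "packages": {
                "": {"name": "app", "version": "1.0.0"},
                "node_modules/example-ioc-pkg": {"version": "1.4.2"},
                "node_modules/safe-pkg": {"version": "2.0.0"},
                "node_modules/safe-pkg/node_modules/example-ioc-pkg": {"version": "1.3.0"},
                "node_modules/@acme-placeholder/left-pads": {"version": "0.0.7"},
            }}))
        (root / "poetry.lock").write_text(
            '[[package]]\nname = "example-trojan-lib"\nversion = "0.9.1"\n\n'
            '[[package]]\nname = "requests"\nversion = "2.32.3"\n')
        placeholder_sha = "a" * 40  # stands in for a real commit SHA
        workflow = ("jobs:\n  build:\n    steps:\n"
                    "      - uses: actions/checkout@v4\n"
                    f"      - uses: actions/setup-node@{placeholder_sha}\n"
                    "      - uses: ./.github/actions/local\n")
        hits = match_iocs("npm", npm_lock_packages(root / "package-lock.json"))
        hits += match_iocs("pypi", poetry_lock_packages(root / "poetry.lock"))
        return hits, unpinned_actions(workflow)


if __name__ == "__main__":
    ioc_hits, unpinned = demo()
    print("IOC hits:", ioc_hits)
    print("unpinned actions:", unpinned)
```

Replace `IOC_SET` with a loader for the live feed and run the two matchers over every lockfile in the organization; the nested `safe-pkg/node_modules/example-ioc-pkg@1.3.0` entry in the demo is deliberately a non-matching version to show that exact-version pinning, not name matching alone, is what the cross-reference relies on.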
Enriched Malware Families and the Compromised/Malicious Split
Within the human-enriched layer of the corpus — records carrying Phoenix campaign research attribution — the top malware family by record count is “Multi-stage AI toolchain poisoning.” That is the clearest internal signal of the AI-shift thesis across the entire dataset.
| Malware family | Enriched records |
|---|---|
| Multi-stage AI toolchain poisoning | 9 |
| Browser-executed credential theft | 7 |
| Crypto-wallet hijackers (browser-side + native) | 6 |
| Scavenger (node-gyp.dll) | 5 |
| Cross-platform RAT | 4 |
| DanaBot variant / JarkaStealer (Java) | 4 |
| Linux backdoor (activates on install) | 3 |
| TruffleHog secret scanner + credential harvesting | 2 |
Across the full 465,312-record corpus the offender split is near-even: approximately 238,543 records (51%) are compromised legitimate packages where a maintainer account or pipeline was taken over, versus 226,701 records (49%) of attacker-authored packages published directly. The practical implication for defenders: scanning only for new or unknown packages is not sufficient. More than half the threat surface consists of legitimate, established packages that are now under different control. Exact-version lockfile auditing against known IOCs is the minimum; behavioral detection is required to catch takeovers before they appear in advisory feeds.
Remediation Guidance
Immediate actions
- Rotate every credential reachable from any host that ran an affected install or CI job: npm tokens, GitHub PATs, cloud provider keys, Kubernetes configs, SSH keys, and AI provider API keys. IronWorm specifically targets Anthropic, OpenAI, Gemini, Cohere, Mistral, Groq, Perplexity, and xAI credentials.
- For Miasma Wave 1: remove the gh-token-monitor daemon before revoking GitHub tokens — the malware detects token revocation and can trigger destructive behavior in response.
- Revoke or re-scope npm OIDC trust federation on any affected namespace. OIDC federation requires no stored token and is the propagation mechanism for Mini Shai-Hulud, IronWorm, and the Bitwarden CLI compromise.
- Remove all injected lifecycle hooks: .vscode/tasks.json auto-run entries, ~/.claude/settings.json SessionStart hooks, injected .github/workflows/ files. Uninstalling a malicious extension or package does not remove these.
- Pin dependencies to known-good exact versions and re-resolve lockfiles from a clean state.
Temporary mitigations
- npm ci --ignore-scripts blocks the postinstall and preinstall delivery mechanism for most of the corpus. State the caveat plainly: Phantom Gyp (binding.gyp) bypasses this flag entirely, and PackageGate (CVE-2025-69263) demonstrated that a malicious .npmrc in a git dependency can override the git binary for full RCE even with the flag set. Behavioral detection is the structural answer; the flag is a partial control.
- Enforce 2FA and trusted publishing across all npm publishing accounts. The PyPI and NuGet malware decline data shows these controls reduce ecosystem volume by 40–60 percent.
- Apply CI runner egress filtering to block unexpected outbound connections. Tor, Solana RPC endpoints, ICP canister endpoints, and unconventional ports are the primary C2 channels in this corpus.
- Adopt pnpm 11+, which enforces a one-day minimum release age before installation — blocking same-day worm propagation.
- Screen IDE extensions before installation. Low download count, recent publication, no reviews, and no clear organizational publisher are the consistent signals across every malicious extension campaign.
Phoenix Security Recommendations
The throughline across all 59 documented campaigns is unchanged: zero CVEs during active exploitation, meaning CVE-based detection had no surface to work with across the entire dataset. Phoenix Security addresses the structural gap.
Behavioral scanning through PHX-Neural evaluates packages on install-time and runtime behavior rather than CVE presence, catching malicious packages before they appear in any advisory feed — as demonstrated by the nicegui detection at 100/100 with zero CVEs.
Contextual deduplication correlates findings across SCA, SBOM, and behavioral scanners into a single prioritized backlog. When a worm cascades through 300 namespaces, that does not produce 300 disconnected tickets.
Reachability analysis identifies which compromised components are actually loaded and executed in runtime environments, separating a package in a lockfile from one running on a credential-bearing CI runner. That distinction is operationally significant: a package in a transitive dependency graph that never executes on a production runner has a different remediation priority than one that fires on every CI build.
Remediation campaigns assign owners by affected service, track fixes, and verify runtime closure — turning an active worm into a bounded, auditable response rather than an unstructured incident. Attack surface management identifies internet-exposed services running affected components so the externally reachable instances get triaged first.
Phoenix correlates compromised packages with the runtime workloads executing them, assigns remediation ownership automatically, and verifies that the exposure has closed — shrinking a 59-campaign, multi-ecosystem threat into an owned remediation backlog.
External References
- Phoenix Security Malware Package Intelligence corpus — phxintel.security/package.html (live IOC feed; 657 indexed malicious packages across 59 campaigns)
- Sonatype, 2026 State of the Software Supply Chain: Open Source Malware — sonatype.com/state-of-the-software-supply-chain/2026/open-source-malware
- Sonatype, Open Source Malware Index Q3 2025 (34,319 packages; 140% QoQ) — sonatype.com/press-releases/open-source-malware-index-q3-2025
- Sonatype, Q2 2025 Open Source Malware Index (188% YoY) — sonatype.com/press-releases/q2-2025-open-source-malware-index
- ReversingLabs, 2026 Software Supply Chain Security Report — reversinglabs.com/press-releases/reversinglabs-2026-software-supply-chain-security-report
- ReversingLabs, VS Code malicious extension detections 27→105 — reversinglabs.com/blog/malicious-vs-code-fake-image (Dec 2025)
- Anthropic, Mapping AI-enabled cyber threats: Insights from the LLM ATT&CK Navigator — anthropic.com/news/AI-enabled-cyber-threats-mitre-attack (Jun 2026)
- Anthropic Frontier Red Team, LLM ATT&CK Navigator (interactive) — red.anthropic.com/2026/attack-navigator/
- StepSecurity, Megalodon: Mass GitHub Actions Secret Exfiltration Across 5,500+ Repositories — stepsecurity.io/blog/megalodon-mass-github-actions-secret-exfiltration
- Socket Security, Laravel-Lang Supply Chain Attack — socket.dev (May 22, 2026)
- Socket Security, TrapDoor Supply Chain Attack (npm/PyPI/Crates.io) — socket.dev (May 2026)
- JFrog Security Research, IronWorm npm worm analysis — JFrog blog (Jun 2026)
- Wiz Research, TeamPCP Wave 4: @antv npm compromise and VS Code breach — Wiz blog (May 2026)
- StepSecurity, Bitwarden CLI Checkmarx supply chain compromise — stepsecurity.io (Apr 2026)
- Aikido Security, PyTorch Lightning PyPI Mini Shai-Hulud compromise — aikido.dev/blog (Apr 2026)
Verify flags: figures for download counts, attacker-created repository totals, and third-party detection tallies were captured during active campaigns and may have been revised by vendor reports published after this article’s date. The nrwl.angular-console@18.95.0 extension has not been formally named by GitHub as the specific extension on the compromised employee endpoint. Phantom Gyp bypass behavior against --ignore-scripts should be re-confirmed against the latest npm CLI version before citing in remediation guidance.
© 2026 Phoenix Security. All rights reserved. Reproduction or distribution of this report, in whole or in part, without prior written permission from Phoenix Security is prohibited.