The supply chain is under sustained attack. Phoenix Security launches Blue Shield to close the door

Blue Shield supply chain firewall: a luminous blue shield intercepts a compromised npm dependency node in a package graph, blocking the install path before malicious code reaches the agent, workstation, or CI/CD pipeline.

Malware now moves faster than advisories, targets the AI agents writing your code, and arrives with no CVE attached. Blue Shield blocks malicious packages and skills at the agent, the workstation, and CI/CD — one verdict, one intelligence backbone. Free core tier open today.

Media contact: Phil Moroni, Head of Sales & Press Distribution, Phoenix Security  ·  press@phoenix.security

Free core tier and intelligence portal: phxintel.security

Phoenix Security launches Blue Shield, a supply chain firewall that blocks malicious packages and AI agent skills at the point of install — with a free core tier

LONDON — June 14, 2026 — Phoenix Security today launched Blue Shield, a supply chain firewall built for a threat that has outrun the defenses most teams still rely on. Over the past year, software supply chain attacks have shifted from isolated incidents to sustained, self-propagating campaigns that arrive without a CVE, move faster than any advisory, and increasingly target the AI coding agents now writing a large share of production code. Blue Shield stops malicious packages and agent skills before they run, across the agent session, the developer workstation, and CI/CD. A free core tier is open to everyone today.

The problem: the supply chain is under sustained, accelerating attack

The flood is real, and it is self-propagating

September 2025 was the inflection point. The Shai-Hulud worm became the first self-replicating npm malware, and Palo Alto’s Unit 42 has since tracked a steady acceleration in both the frequency and technical depth of supply chain compromises, describing the registry as a force multiplier for malware distribution. What was once a nuisance is now a high-consequence threat landscape.

The pace since has been relentless, and each wave is documented by multiple independent vendors:

  • On May 19, 2026, a Mini Shai-Hulud wave attributed to the group TeamPCP published more than 300 malicious versions across 323 packages in a roughly 22-minute automated burst, hitting Alibaba’s AntV ecosystem and packages representing around 16 million weekly downloads (Snyk, StepSecurity).
  • By early June, a descendant named Miasma had infected at least 57 npm packages and over 300 malicious versions, scanning each victim for cloud credentials and using them to spread further.
  • On June 1, the same family backdoored at least 32 packages in Red Hat’s @redhat-cloud-services npm namespace, bypassing code review entirely (Unit 42).
  • In mid-May, after the Trivy scanner incident, TeamPCP open-sourced the worm — and copycats appeared within days, making attribution harder and the volume worse.

GitHub’s own ecosystem data tells the same story from another angle: npm malware advisories rose 69% year over year in 2025, the highest volume since malware tracking began (reported via Resilient Cyber). Phoenix Security’s own intelligence corpus tracks 59 campaigns and 657 indexed malicious package versions from June 2024 through June 2026, with the first half of 2026 alone carrying roughly 4.5 times the malicious package volume of all of 2025.

Blue Shield supply chain firewall architecture showing three protected layers — AI Agent, Developer Workstation, and CI/CD Pipeline — blocking a compromised npm dependency node before it reaches production code. Phoenix Intelligence feed visible on the right panel.

The attack surface moved to the AI agent

This is the part most tools cannot see. Attackers no longer limit themselves to packages. They target the developer’s IDE extensions and the skills and configuration files that AI coding agents load and execute on their own. A poisoned VS Code extension, a malicious CLAUDE.md entry, a rogue MCP tool — each turns the developer’s own assistant into the thing exfiltrating secrets, without a single suspicious binary ever running.

Phoenix’s scanning bears this out: agent skills carry a markedly higher risk rate than IDE extensions, and more than one in four deep-scanned skills triggered a critical-risk finding. With AI now writing an estimated 30% to 41% of code at the largest engineering organisations, the agent is both the fastest-growing producer of code and the fastest-growing attack surface.

The system built to warn you has structurally fallen behind

Even when a flaw does merit a CVE, the advisory pipeline can no longer keep pace. In April 2026, NIST formally narrowed how it enriches the National Vulnerability Database, moving everything published before March 1, 2026 into a lowest-priority category it may never fully process. It cited a 263% rise in CVE submissions between 2020 and 2025 and enriched nearly 42,000 CVEs in 2025 — 45% more than any prior year — while still falling behind (NIST). A May 2026 federal audit put the unprocessed backlog above 27,000 vulnerabilities, and FIRST has forecast that 2026 will be the first year to cross 50,000 published CVEs (reported via NowSecure and Infosecurity Magazine).

The structural truth

Across all 59 campaigns in Phoenix’s corpus, zero CVEs were assigned during active exploitation. These attacks are not code defects — they are abuses of trust: a maintained package, a trusted publisher, a legitimate CI identity. There is no flawed code path to assign a CVE to, and no advisory to wait for. A defence that begins with “wait for the advisory” has already lost.

And now the attacker has reasoning

The mythos-level shift is that frontier models compress the discovery-to-exploit cycle toward zero. Generation has become cheaper than interpretation: AI can find and weaponise a flaw in hours, while defensive review still assumes a human committing once a day. A handful of organisations have privileged access to the most capable frontier systems; everyone else defends on a limited budget against commodity models that are catching up fast. When attackers have reasoning, defenders need it too — but pointed at curated context, not the whole internet, or the economics never work.

The solution: Blue Shield

Blue Shield is the answer to a threat that does not announce itself. It does not wait for a CVE. It decides what a package or skill actually does — behaviourally — and blocks it at the moment of install, everywhere an install can happen.

Behavioural, not a blocklist

A blocklist only knows what is already known to be bad. Blue Shield reads behaviour: does this package reach for credentials, call out to infrastructure tied to a known campaign, drop an install hook, or carry a payload that fires on startup? Findings map to MITRE ATT&CK, and the verdict is explainable rather than a single opaque score. This is what lets it catch a fresh package from a campaign it has seen before, the day it is published, with no advisory in existence.

One verdict, every layer a package or skill enters

There is no single chokepoint that works. An install inside an agent skips your CI. A manual install on a laptop skips the agent. A poisoned skill never touches a package file. Blue Shield places a check at each layer and feeds them all from one intelligence backbone, Phoenix Blue, so a verdict made in one place holds in the others.

| Layer | What Blue Shield does there |
| --- | --- |
| AI agent | Checks every install the agent proposes before it runs. Tells the agent which version is safe and which is not, or blocks it — and routes genuine cases to a human. Critical when agents run autonomously or in a crowd. |
| Developer workstation | Protects against malicious packages and compromised skills installed locally, including installs that never involve an agent. |
| CI/CD pipeline | Blocks malicious packages as they move through the build, or decorates the pull request to flag which package should and should not be used. |

Blue Shield monitors across the package managers and systems attackers actually use — npm, PyPI, Maven, plus GitHub and Jenkins — and refreshes its intelligence continuously, so each verdict reflects where a package and its risk stand right now.

Supply chain attack kill chain diagram — five stages from publisher compromise to lateral spread. Blue Shield's behavioural verdict intercepts at the point of install, before credential theft or lateral movement occurs. MITRE ATT&CK technique mapping shown below the timeline.

Endpoint monitoring and heartbeat

Blocking is half the job; you also need to know what you are running and whether your protection is alive. Blue Shield keeps a live inventory of every endpoint under its watch and a heartbeat from each collector, so the platform is the source of truth for what is installed and what is protected.

  • See every endpoint — workstations, CI runners, and agent sessions in one view, with which are active and which have gone quiet.
  • Know what’s on them — the packages, agent skills, and IDE or VS Code extensions per endpoint, with the risky ones flagged.
  • Heartbeat and health — each collector reports in, so you can tell whether an endpoint is protected or has drifted. Each endpoint resolves to one stable identity, so the workstation and agent collectors on the same machine show as one endpoint, not two.

Blue Shield endpoint monitoring dashboard showing workstations, CI runners, and an AI agent session under active protection. One agent session shows a critical-risk skill flagged for human review, with MITRE ATT&CK technique mapping and a route-to-human action control.

The human stays in control

When an agent works on its own, someone still needs to be able to step in. Blue Shield gives the agent a clear signal and routes real decisions to a person to approve, with the package’s behaviour and campaign context attached. The AI assists the decision. It never replaces the engineer, and every block is reviewable.

Free for the core tier, today

Phoenix has opened the core of Blue Shield, and the intelligence behind it, to everyone — because this is hitting teams who are doing everything right.

  • Free core tier: protect your workstation, your pipeline, and your agents, starting today.
  • Free intelligence: check any package and read the malware intelligence behind every verdict at phxintel.security — no account required.
  • Paid tiers: Professional and Enterprise add higher limits and advanced controls for teams that need them.

From Phoenix Security

“The attacks now move faster than the advisories meant to warn you, and they have moved onto the agents writing our code. We have watched the best-run organisations get hit through a package they trusted. So we built Blue Shield to decide what something does before it runs, and we opened the core tier and the intelligence to everyone — free — because cost should not be the reason a team goes unprotected. Don’t be afraid of this new wave. Go and protect your endpoints today.” — Francesco Cipollone, CEO and Co-Founder, Phoenix Security

About Phoenix Security

Phoenix Security is an Actionable ASPM platform. It connects vulnerabilities from code to cloud, points each one at the team that owns the fix, and turns scattered findings into a single prioritized backlog. Blue Shield extends that to the supply chain, blocking malicious packages and skills at the agent, the workstation, and CI/CD, with endpoint monitoring across all three. The AI works alongside engineers, never in place of them — every block and every fix is something a person can review and approve.

Learn more at phoenix.security and phxintel.security. This is Blue Shield. Stay safe.

Selected sources

NIST NVD operations update (Apr 2026); Unit 42 npm threat landscape (Jun 2026); Snyk and StepSecurity Mini Shai-Hulud / AntV analyses (May 2026); SecurityWeek Miasma coverage (Jun 2026); Sonatype 2026 State of the Software Supply Chain; NowSecure and Infosecurity Magazine on the NVD backlog; Phoenix Security Malware Package Intelligence corpus.

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (e.g. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.
