Opening a repo in Claude Code can execute a backdoor. No npm install. No click. No warning. The supply chain learned to rewrite your AI agent''s instructions — and two worms in June 2026 changed the attack surface forever. We analyzed Miasma and IronWorm in technical detail, and the picture is clear: the AI agent instruction layer is the new attack surface.
Miasma: the worm that infects the agent, not just the code
Miasma operated in three coordinated waves in June 2026, each more sophisticated than the last.
Wave 1 — June 1: 32 packages via preinstall hook
According to Wiz Research and Microsoft Defender, 32 packages under the @redhat-cloud-services scope were compromised via a Red Hat employee''s GitHub account. The attacker pushed orphan commits (no parents, only workflow + dropper) and deleted the branch. Provenance points to refs/heads/oidc-2530ec68 — a branch that now returns 404. The commit survives only because Git retains unreferenced objects.
Wave 2 — June 3-4: 57 packages, 286+ versions, Phantom Gyp
According to StepSecurity and Snyk (classification: critical), 57 npm packages were compromised across 286+ malicious versions in under 2 hours. The novel technique: Phantom Gyp. Instead of preinstall/postinstall in package.json — where every security tool looks — the malware places a 157-byte binding.gyp at the package root. When npm sees binding.gyp without a pre-compiled binary, it automatically runs node-gyp rebuild. The mechanism: <!(node index.js > /dev/null 2>&1 && echo stub.c) — gyp command substitution runs the payload silently. Scanners that only read package.json see nothing. Legitimate code in dist/ remains intact.
The first victim: @vapi-ai/server-sdk (official Vapi.ai SDK, 408K+ monthly downloads), at 23:30 UTC. Then ai-sdk-ollama (120K+). Then 25 autotel-* packages (the worm republished everything a compromised account could reach).
The payload has 4 stages: binding.gyp triggers node-gyp rebuild, bootstrap loader executes, 668 KB obfuscated blob (obfuscator.io, table of 2,306 encrypted strings), decoded strings reveal credential theft (npm, GitHub, AWS, GCP, Azure, Vault, K8s, CircleCI), AI paths, anti-EDR logic, and worm propagation.
Wave 3 — June 5: 73 Microsoft repositories compromised
According to GitHub, 73 Microsoft repositories were compromised — including Azure, Azure-Samples, MicrosoftDocs, and azure-search-openai-demo. GitHub disabled all of them in 105 seconds. The propagation speed via npm OIDC makes manual response impossible.
The exploit: configs that hijack the agent
Miasma drops malicious configurations into four AI agent files:
- .claude/settings.json: SessionStart hook — executes automatically when opening Claude Code
- .cursor/rules/setup.mdc: alwaysApply: true — the AI follows injected instructions without questioning
- .gemini/settings.json: executes automatically in Gemini CLI
- .vscode/tasks.json: folderOpen — depends on VS Code workspace trust
According to Ossprey, 13 tools were affected: Claude Code, Codex, Gemini CLI, Copilot, Kiro, OpenCode, Cline, Aider, Tabby, Amazon Q, Cody, Bolt, and Continue.
Propagation and destructive tripwire
Miasma''s auto-propagation engine: validates stolen npm token via /-/whoami, enumerates ALL maintainer packages via /-/v1/search?text=maintainer:{username}, swaps OIDC token, downloads the package and injects binding.gyp + obfuscated index.js, requests certificate from Fulcio, creates Rekor entry, generates SLSA v1 attestation, publishes signed tarball as a new version. Also propagates via RubyGems and GitHub.
The fatal blow: npm audit signatures PASSES the malware. Every malicious package carries valid, signed SLSA provenance. The certificate is accurate. The package was genuinely built by that pipeline — except it had malware injected. According to Leitwacht: "Provenance proves where a build came from; it says nothing about what the build does."
C2 via GitHub itself. Destructive tripwire: honeytoken that triggers rm -rf if revoked.
IronWorm: eBPF rootkit that makes processes invisible
According to JFrog Security Research, IronWorm was discovered on June 3. It is a 976KB ELF binary compiled in Rust with an embedded eBPF rootkit. With 32,177 combined monthly downloads.
Real-time invisibility
IronWorm rewrites /proc entries in real time. Hidden processes become invisible to ps, top, and ls. Each execve is checked against a watchlist and auto-added to the hidden set. ptrace receives SIGKILL — strace kills your shell. Network hiding via /proc/net/tcp rewrite.
The limitation: on systems with kernel lockdown, the BPF helper fails and hidden processes reappear. This means kernel lockdown protection is partially effective, but does not replace active monitoring.
Mass credential harvesting
IronWorm harvests 86 environment variables including 14 AI API keys: Anthropic, OpenAI, Gemini, Cohere, Mistral, Groq, Perplexity, and xAI. It also targets:
- ~/.claude/.credentials.json, ~/.codex/auth.json, ~/Cursor/auth.json
- ~/.aws/credentials, ~/.kube/config, ~/.npmrc
- ~/.ssh/, browser keystores
- Exodus wallet — weakens Electron sandboxing to capture mnemonic seed
Propagation via forged identities
Propagation via npm Trusted Publishing OIDC, commits with bot identities (dependabot, renovate), forged author as [email protected]. The Shai-Hulud line of supply chain worms: Sep/2025 (1.0), Nov/2025 (2.0), Apr/2026 (Mini: SAP, PyTorch Lightning, Intercom), May/2026 (Wave 4: TanStack 42 packages, Mistral AI, UiPath, OpenSearch, 170+ packages across npm and PyPI), May 12 (TeamPCP open-sourced the worm), May 19 (atool: 639 versions across 323 packages in ONE HOUR), Jun 1 (Miasma/Red Hat), Jun 3 (Phantom Gyp).
The new attack surface: your instruction files are trust boundaries
The attack surface has changed. Your .claude/settings.json is a trust boundary. Your .cursor/rules is a trust boundary. If you build with AI agents, your package.json is no longer the only config that can compromise you.
Miasma proved that SLSA provenance protects nothing — every malicious package carried valid provenance. IronWorm proved that eBPF rootkits can make processes invisible in production. Together, they show that the AI supply chain has two attack layers: the code the agent executes and the instructions the agent follows.
Immediate remediation: pin known versions. Run npm install --ignore-scripts. Rotate credentials. Do not trust a clean latest tag — malicious versions remain in the registry. Cooldown for newly published packages. And above all: treat AI agent configuration files with the same rigor as SSH keys and AWS credentials.
Conclusion
Who protects the instructions your AI follows? That is the question Miasma and IronWorm leave in the air. The supply chain evolved from attacking dependencies to attacking the AI agent instruction layer — and most security tools still only look at package.json. At Tech86, we help companies map this new attack surface, implement eBPF monitoring, and establish trust boundaries for agent instruction files. If you build with AI, you need to protect not just the code — but the instructions your agent follows.