
Miasma Worm: When Trust Infrastructure Becomes the Attack Itself

Gabriel Ferraresi · CEO | Tech86 · June 12, 2026 · 4 min
Tags: supply chain, security, miasma worm, npm, pypi, ai

The Miasma Worm needs no CVE. It exploits no vulnerability in code. It abuses the trust infrastructure we built to protect ourselves — and it works exactly as designed. At Tech86, we watched in real time as seven days of coordinated attacks turned SLSA, Sigstore, and legitimate credentials into vectors for mass compromise. The result: over 400 artifacts tracked across npm and PyPI by security researchers, and zero CVEs assigned as of this writing.

7 days, 4 simultaneous delivery surfaces

The Miasma Worm operated across four parallel fronts between June 1 and June 7, 2026, per security researchers who tracked the incident. Each front exploited a different trust vector — and each one passed the verifications designed to catch it.

On June 1, dozens of @redhat-cloud-services packages on npm were published with malicious preinstall hooks. Per npm data, tens of thousands of weekly downloads were affected. The stolen OIDC tokens from GitHub Actions passed SLSA provenance verification via Sigstore, Fulcio, and Rekor. The packages pass npm audit signatures — because the signatures are genuine.

On June 4, 57 npm packages used binding.gyp, native compilation that bypasses script monitoring tools. They included @vapi-ai/server-sdk, which has hundreds of thousands of monthly downloads per npm statistics. In total, hundreds of thousands of monthly downloads were affected, per security researchers who tracked the incident.
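The two npm surfaces above (explicit install hooks and native builds) can be inventoried in an installed tree. The following is an added example, not code from Tech86 or from the researchers cited; the function names and the sample packages are constructed for illustration. It relies on npm's documented default of running `node-gyp rebuild` when a package ships binding.gyp and defines no install or preinstall script.

```python
import json
import os
import tempfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def package_dirs(node_modules):
    """Yield package roots, including scoped (@scope/name) and nested installs."""
    for dirpath, _dirs, _files in os.walk(node_modules):
        parent_dir = os.path.dirname(dirpath)
        name, parent = os.path.basename(dirpath), os.path.basename(parent_dir)
        grand = os.path.basename(os.path.dirname(parent_dir))
        if (parent == "node_modules" and not name.startswith(("@", "."))) or (
                parent.startswith("@") and grand == "node_modules"):
            yield dirpath

def install_time_execution(node_modules):
    """Map package path -> reasons it runs code during `npm install`."""
    report = {}
    for pkg in package_dirs(node_modules):
        try:
            with open(os.path.join(pkg, "package.json"), encoding="utf-8") as fh:
                scripts = json.load(fh).get("scripts") or {}
        except (OSError, ValueError, AttributeError):
            continue
        reasons = [f"{hook}: {scripts[hook]}" for hook in INSTALL_HOOKS if hook in scripts]
        # npm falls back to `node-gyp rebuild` when binding.gyp exists and the
        # package defines no install or preinstall script of its own.
        has_gyp = os.path.isfile(os.path.join(pkg, "binding.gyp"))
        if has_gyp and "install" not in scripts and "preinstall" not in scripts:
            reasons.append("implicit install: node-gyp rebuild (binding.gyp)")
        if reasons:
            report[os.path.relpath(pkg, node_modules).replace(os.sep, "/")] = reasons
    return report

def build_constructed_tree():
    """Constructed sample node_modules; the package names are made up."""
    root = os.path.join(tempfile.mkdtemp(prefix="npm-audit-"), "node_modules")
    samples = {
        "plain-lib": ({"scripts": {"test": "node test.js"}}, False),
        "@constructed-scope/hooked": ({"scripts": {"preinstall": "node setup.js"}}, False),
        "native-addon": ({"name": "native-addon"}, True),
    }
    for rel, (manifest, gyp) in samples.items():
        os.makedirs(os.path.join(root, rel))
        with open(os.path.join(root, rel, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
        if gyp:
            open(os.path.join(root, rel, "binding.gyp"), "w").close()
    return root
```

Calling `install_time_execution("node_modules")` in a project lists every dependency that runs code at install time, including packages with no scripts entry at all that still compile through binding.gyp.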

On June 5, a malicious commit in the Azure/durabletask repository on GitHub triggered when developers opened the repository in AI agents like Claude Code, Gemini CLI, Cursor, or VS Code. No npm install. No build. Opened, executed. Per security reports, GitHub reportedly disabled dozens of Microsoft repositories within minutes. Azure/functions-action went offline, and every CI/CD pipeline referencing Azure/functions-action@v1 broke globally.

On June 7, dozens of PyPI wheels across 19 packages used .pth startup hooks — a variant dubbed Hades. The code executes on every Python interpreter startup, regardless of which package was imported.
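The startup behavior described above comes from Python's `site` module, which executes any `.pth` line beginning with `import` followed by a space or tab. The following is an added example, not code from Tech86 or from the Hades samples; the function names, the hash allowlist, and the sample files are constructed for illustration. It lists the executable lines so they can be reviewed, since legitimate packages also use this mechanism.

```python
import hashlib
import os
import site
import tempfile

def executable_pth_lines(site_dir, allowed_sha256=frozenset()):
    """List (file, line_no, text) for .pth lines the site module would exec().

    site.py executes any .pth line that starts with "import" plus a space or
    tab; every other non-comment line is only appended to sys.path.
    """
    findings = []
    for name in sorted(os.listdir(site_dir)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(site_dir, name)
        # utf-8-sig: a leading BOM must not hide an "import" on line 1
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            for line_no, line in enumerate(fh, 1):
                if not line.startswith(("import ", "import\t")):
                    continue
                text = line.rstrip("\r\n")
                digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
                if digest not in allowed_sha256:  # already-reviewed lines are skipped
                    findings.append((name, line_no, text))
    return findings

# Constructed, harmless sample line; the temp dir below is never a real site dir
CONSTRUCTED_HOOK = "import os; os.environ.setdefault('CONSTRUCTED_PTH_DEMO', '1')"

def build_constructed_site_dir():
    root = tempfile.mkdtemp(prefix="pth-audit-")
    with open(os.path.join(root, "paths_only.pth"), "w", encoding="utf-8") as fh:
        # "importlib_extras" starts with "import" but is a path entry, not code
        fh.write("# path entries are not executed\n../shared-libs\nimportlib_extras\n")
    with open(os.path.join(root, "startup_hook.pth"), "w", encoding="utf-8") as fh:
        fh.write("\n" + CONSTRUCTED_HOOK + "\n")
    return root

if __name__ == "__main__":
    for directory in site.getsitepackages() + [site.getusersitepackages()]:
        if os.path.isdir(directory):
            for name, line_no, text in executable_pth_lines(directory):
                print(f"{directory}/{name}:{line_no}: {text[:100]}")
```

Run as a script, it prints every executable `.pth` line in the current interpreter's site directories; hashes of lines that have been reviewed can be passed as `allowed_sha256` so that only new hooks surface.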

What Miasma steals — and why this does not end

Miasma's exfiltration scope is comprehensive: AWS, Azure, GCP, Kubernetes, HashiCorp Vault, GitHub, and npm credentials, SSH keys, and browser data. Per security researchers who tracked the incident, the toolkit source code was published as open source on June 9 — meaning derivative campaigns are virtually guaranteed.

One detail illustrates the severity: the same contributor account compromised in May on PyPI (during the durabletask incident) was reused in June, per security reports. Credentials were never fully rotated. The attacker reused access that should have been revoked.

Trust infrastructure worked — and that is the problem

The most disturbing aspect of the Miasma Worm is that provenance infrastructure worked exactly as designed. The problem is that the attacker used legitimate credentials to attest malicious code as trusted. Signature verification does not detect this because the signatures are genuine. SLSA confirms the package came from where it claims — but does not encode what was inside.

At Tech86, this is the central lesson we draw: provenance is not security. It is provenance. As long as the industry treats origin attestation as a security guarantee, attackers will keep using our own trust infrastructure against us. The Miasma Worm is the operational proof.

The convergence nobody expected

The Miasma Worm is not an isolated attack. It is the operational convergence of three patterns the security community had been observing separately: worm-type self-replication, agent autonomy, and supply chain compromise. Until now, each pattern had been documented independently — an experimental worm, an autonomous agent, isolated vulnerabilities in supply chains. Miasma is all of these operating together, in a single production attack, across four simultaneous delivery surfaces.

This convergence changes the threat model. Protecting the supply chain alone is not enough. Monitoring AI agents alone is not enough. Auditing packages alone is not enough. You must protect all three vectors simultaneously, because the next Miasma will operate the same way — and likely across more surfaces.

What changes from here

At Tech86, our conclusion is direct: traditional perimeter defense does not reach attacks that abuse trust infrastructure. WAF blocks malicious traffic at the edge, but it does not intercept an npm install whose package has a valid signature and verified SLSA provenance. Miasma enters with legitimate credentials and genuine signatures — not through the front door. That is why our Offensive Security combines pipeline integrity monitoring, package behavior verification in production, and proactive hunting for supply chain vectors — because today's attack infiltrates where the infrastructure trusts, not where the perimeter watches.

Your npm audit signatures passes. Your SLSA verifies. Your CI/CD trusts. And the attacker is inside.


Frequently Asked Questions

No. Miasma abuses trust infrastructure — legitimate credentials, valid digital signatures, verified SLSA provenance. It needs no CVE because it breaks nothing. It uses the system exactly as designed, but with stolen credentials to attest malicious code as trusted.

No. Miasma packages pass signature verification because the signatures are genuine — they were generated with legitimate credentials stolen from maintainers. Verification confirms the package was signed by the correct account, but does not assess whether the account was compromised.

binding.gyp is Node.js's native build system. When a package includes native compilation, C/C++ code runs outside npm's script sandbox, bypassing monitoring tools that only analyze JavaScript. Miasma used this technique across dozens of npm packages, including @vapi-ai/server-sdk, which has hundreds of thousands of monthly downloads per npm statistics.

AI agents like Claude Code, Gemini CLI, and Cursor automatically execute tasks when opening projects. A malicious commit can contain instructions that trigger code execution without npm install or build. Per security reports, Miasma used this surface to compromise the Azure/durabletask repository on GitHub.

Miasma is the operational convergence of three patterns previously observed separately: worm-type self-replication, agent autonomy, and supply chain compromise. The difference is that in Miasma, all three mechanisms operate together in a single production attack — not as isolated proofs of concept.
