Phoenix Security — 59 supply-chain campaigns, zero CVEs, AI tooling as new attack surface

AI relevance: At least 14 of 59 documented supply chain campaigns now use AI agent configuration files (.cursorrules, CLAUDE.md, MCP server manifests) as persistence mechanisms — meaning AI coding assistants that load poisoned projects execute attacker instructions autonomously during normal workspace activity.

What happened

  • Phoenix Security published a comprehensive analysis of 59 supply chain attack campaigns spanning June 2024 through June 2026, indexing 657 individual malicious package versions as scanner-ready IOCs.
  • The corpus reveals a dramatic acceleration: 2026 H1 alone produced 37 campaigns and 497 packages — 2.6× the campaign count and 4.5× the package volume of all of 2025.
  • May 2026 was the single busiest month on record: 14 campaigns, 346 indexed packages. A self-propagating worm event (Miasma lineage) generated 226 of those 346 packages alone.
  • npm carries 79.3% of all malicious IOCs; ReversingLabs reports npm malware more than doubled in 2025 and now represents nearly 90% of all detected open-source malware.
  • Zero CVEs were assigned across the entire 59-campaign corpus during active exploitation — CVE-feed scanners are blind to 100% of documented campaigns.
  • The VS Code Marketplace went from near-zero malicious activity to 7 documented campaigns in 18 months, with detections nearly quadrupling (27 in 2024 → 105 in the first 10 months of 2025).

AI agent tooling as the newest frontier

  • At least 14 campaigns use AI agent configuration as a delivery mechanism: .cursorrules poisoning, CLAUDE.md hidden instructions, MCP server injection, and AI coding assistant SessionStart hooks.
  • The attack model is consistent: a developer opens a project or runs npm install, the AI assistant loads a poisoned skill or MCP server containing hidden instructions, and the assistant executes those instructions autonomously — exfiltrating credentials, modifying code, or establishing persistence.
  • The attack surface is a trust assumption, not a code defect — no patch exists for a workflow design that grants agents implicit execution authority over developer environments.
  • Threat actors include TeamPCP (UNC6780, 19 campaigns), the Shai-Hulud lineage (14 campaigns), DPRK clusters (9 campaigns), and the newly identified IronWorm (June 2026).

Why it matters

Supply chain attacks have industrialized. The combination of self-propagating worms (converting one stolen token into hundreds of poisoned packages) and AI agent configs (providing autonomous execution without user interaction) creates a compounding risk: every new poisoned package is also a potential agent hijacking vector. The zero-CVE pattern means traditional vulnerability scanners provide no protection — detection requires IOC-based package scanning, lockfile auditing, and agent configuration monitoring.

What to do

  • Audit lockfiles against current IOC sets from Phoenix Security MPI and SafeDep threat intelligence.
  • Rotate all credentials from any potentially affected install or CI run.
  • Check AI agent configs: inspect .vscode/tasks.json, ~/.claude/settings.json, .cursorrules, CLAUDE.md, and .github/workflows/ for injected entries.
  • Pin GitHub Actions to commit SHAs, not mutable tags.
  • Scan for known patterns: grep -rn "binding.gyp" and grep -rn "Miasma: The Spreading Blight" across your repositories.
  • Treat AI agent tooling as a supply chain surface: scan MCP server source, skill manifests, and agent config files with tools like NVIDIA SkillSpector or Trail of Bits' AI skill scanner.
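As an added illustration of two of the checks above (the lockfile IOC audit and the commit-SHA pinning check), here is a small Python script; it is not Phoenix Security's tooling, and the IOC entries, lockfile, workflow and SHA it uses are constructed placeholders.

```python
"""Added example: lockfile IOC audit plus unpinned GitHub Actions check."""
import json
import re

# Constructed placeholder IOCs (name, version); not real indicators. In practice,
# load the current Phoenix Security MPI / SafeDep feed here.
MALICIOUS_VERSIONS = {
    ("example-left-pad-helper", "1.4.2"),
    ("example-color-utils", "0.9.7"),
}

def lockfile_hits(lock_json, iocs=MALICIOUS_VERSIONS):
    """Return (name, version, install path) for each lockfile entry whose exact
    name+version is in the IOC set (lockfileVersion 2/3 'packages' map)."""
    hits = []
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        # Nested installs look like node_modules/a/node_modules/b; the package
        # name is the part after the last 'node_modules/' unless an alias sets 'name'.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if (name, meta.get("version")) in iocs:
            hits.append((name, meta["version"], path))
    return hits

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")

def unpinned_actions(workflow_text):
    """Return (action, ref) for 'uses:' lines whose ref is a mutable tag or
    branch rather than a full 40-hex commit SHA."""
    findings = []
    for line in workflow_text.splitlines():
        m = re.search(r"uses:\s*([^\s#]+)", line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local actions and docker images are out of scope here
        action, _, ref = m.group(1).partition("@")
        if not SHA_PIN.match(ref):
            findings.append((action, ref or "<no ref>"))
    return findings

# Constructed sample inputs (the SHA below is a placeholder, not a real commit).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "my-app", "version": "1.0.0"},
    "node_modules/example-color-utils": {"version": "0.9.7"},
    "node_modules/x/node_modules/example-left-pad-helper": {"version": "1.4.1"}}})
SAMPLE_WORKFLOW = """steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
  - uses: ./.github/actions/local"""
```

Only exact name+version matches are reported, so a near-miss version (1.4.1 vs the listed 1.4.2) is left alone, while any action referenced by tag or branch is flagged regardless of how trusted the publisher is.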

Sources