The Promise
SLSA (Supply-chain Levels for Software Artifacts) is a framework for software supply chain integrity, started at Google and now maintained under the OpenSSF. Its central artifact is the provenance attestation: a statement, signed by the build platform, of where a package was built, by whom, and from what source and inputs. SLSA was the industry's answer to SolarWinds, Log4Shell, and the growing wave of supply chain attacks. It was supposed to make it impossible to pass off a package that did not come from its declared build as legitimate.
Miasma forged it.
The Attack
On June 1, 2026, Wiz Research disclosed that 32 packages under @redhat-cloud-services — Red Hat's official npm scope — had been compromised with 90+ malicious versions. The packages contained a credential-stealing worm targeting GitHub tokens, npm tokens, AWS, Azure, and GCP credentials. The worm self-propagated: stolen credentials were used to compromise additional packages, expanding the blast radius automatically.
The critical detail: the malicious versions carried SLSA provenance attestations that passed verification. Nothing about the signatures was broken; a pipeline the attacker controlled issued genuine attestations for the attacker's output. To any verification tool checking SLSA compliance, these packages looked legitimate. Built by the right CI/CD pipeline. Signed by the right keys. Provenance verified. Content: malware.
Then It Got Worse
Two days after the Red Hat compromise, Miasma Wave 2 introduced a second evasion: Phantom Gyp. Instead of preinstall/postinstall hooks, which security tools now monitor, the attacker drops a 157-byte binding.gyp file. The mechanism is npm's own default behaviour: when a package ships a binding.gyp and declares no install or preinstall script, npm runs node-gyp rebuild during install. node-gyp's configure step evaluates the .gyp file, and gyp's command expansion syntax (<!(command) and <!@(command)) runs whatever shell command it wraps, so arbitrary code executes during npm install. No lifecycle scripts. No hooks. No scripts field in package.json at all. Scanners watching for malicious install scripts see nothing. 57 more packages compromised in under two hours, including @vapi-ai/server-sdk (408,000+ monthly downloads).
On June 5, Miasma abandoned package registries entirely. The worm planted .mcp.json and IDE configuration files in Azure GitHub repositories. A project-scoped .mcp.json declares MCP servers as local commands for the coding agent to launch, so a planted one is an instruction to run attacker-chosen commands when the project is opened. When developers opened the repo in Claude Code or Cursor, the payload executed. GitHub disabled 73 Microsoft repos in 105 seconds. The supply chain attack had evolved past the supply chain.
Why This Breaks the Model
The security industry's response to supply chain attacks has followed a pattern: verify provenance, pin versions, audit dependencies. SLSA was the capstone: if you can cryptographically verify where a package came from, you can trust it. Miasma proved that provenance verification is necessary but not sufficient. Provenance answers who built the artifact and from which source; it says nothing about whether that builder or that source was still trustworthy at the time. If the build pipeline itself is compromised, SLSA attestations authenticate the attacker's output.
This is not a theoretical weakness. It is a demonstrated bypass of the most advanced supply chain integrity framework deployed at scale, followed by a demonstrated bypass of the lifecycle script scanners meant to catch what SLSA missed, followed by an abandonment of package registries entirely. Three layers of defense, three evasions, all within one week of the first disclosure.
The Framework Implication
WebPulse tracks 25 frameworks across 466,000+ sites. Every JavaScript framework depends on npm. The security advice for npm dependency management has evolved from 'run npm audit' to 'verify SLSA provenance.' Miasma shows that even the most rigorous verification can be defeated when the attacker controls the build pipeline.
The only reliable defense against supply chain attacks that forge provenance is architectural: minimize the supply chain itself. Hugo ships as a single static binary and its site builds pull no npm packages, which removes that attack surface entirely: there is nothing to verify, forge, or trojanize. Django and Flask's pip ecosystem has been less targeted but has the same structural exposure. The shortest supply chain is the safest supply chain.
When even the gold standard for supply chain verification can be forged, the question isn't how to better verify your 800 npm dependencies. It's why you have 800 dependencies.