
100+ npm and PyPI Packages Compromised. Zero CVEs Filed. The Supply Chain Is Outrunning the Vulnerability System.

The Shai-Hulud, Miasma, and Hades campaigns have backdoored over 100 packages since June 1. None have CVE identifiers. No scanner catches what the system does not track.


Three Campaigns, Zero CVEs

Since June 1, 2026, three supply chain campaigns have been documented by SecurityWeek and Phoenix Security. Shai-Hulud compromised 57+ npm packages. Miasma backdoored 32 @redhat-cloud-services npm packages. Hades injected malicious code into 19+ PyPI packages. Combined, over 100 packages across the two largest package ecosystems have been weaponized in a single month.

None of them have CVE identifiers. Not one. No NVD entry. No CVSS score. No EPSS prediction. No CISA KEV listing. The entire vulnerability tracking infrastructure — the system that CISOs and security teams depend on to know what to patch — has no record that these attacks exist.

100+ compromised packages (June 2026). Source: SecurityWeek / Phoenix Security (June 2026)

0 CVEs filed for these attacks. Source: NVD/NIST (June 2026)

The Payload

The attack payload across all three campaigns follows an established pattern: malicious code is injected into the preinstall or postinstall hooks of npm packages, or into the setup.py of PyPI packages. When a developer runs npm install or pip install, the payload executes before the application code ever runs. Two details of that pattern matter for defense: npm runs the lifecycle hooks of every dependency in the tree unless scripts are disabled with --ignore-scripts, and pip executes setup.py only when it has to build a source distribution, so a prebuilt wheel installs without running any package code. The Shai-Hulud variant delivers a 4.2MB obfuscated binary. The campaigns pivot their delivery infrastructure every 48 to 72 hours, staying ahead of blocklists.

For organizations using any of the compromised packages, and the @redhat-cloud-services scope suggests enterprise targets, the attack surface is not the web application. It is the developer's machine, the CI/CD pipeline, and the build server. The backdoor runs with the privileges of whoever executed the install command, and it can read whatever that account can: environment variables, registry and cloud tokens, SSH keys, and the source tree being built.
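The install-hook pattern described above is also the easiest place to look for trouble before it runs. The following is an added example, not code from the article or from any of the campaigns it describes: it walks a node_modules tree, reports every preinstall, install and postinstall hook, and flags commands that fetch, decode or evaluate arbitrary content. The manifests it scans are constructed for the example (the @example scope and package names are invented), and the suspicious-command pattern list is a heuristic assumption, not a signature for any real campaign.

```python
"""Audit npm package manifests for install-time lifecycle scripts.

Added example, not code from the article or from any campaign it describes.
Scans package.json files (a constructed sample tree below, or a real
node_modules directory) and reports every install hook, flagging commands
that fetch, decode or execute arbitrary content. The regex is a heuristic
assumption, not a detection signature for any specific payload.
"""
import json
import os
import re
import tempfile

# Hooks npm runs for dependencies during `npm install` / `npm ci`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic: things a benign build step rarely needs at install time (assumption).
SUSPICIOUS = re.compile(
    r"\b(curl|wget|base64|eval|nc|bash -c|sh -c|powershell|chmod \+x)\b"
    r"|https?://",
    re.IGNORECASE,
)

# Constructed sample manifests standing in for a node_modules tree.
SAMPLE_MANIFESTS = {
    "node_modules/left-pad/package.json": {
        "name": "left-pad", "version": "1.3.0"},
    "node_modules/native-addon/package.json": {
        "name": "native-addon", "version": "2.0.1",
        "scripts": {"install": "node-gyp rebuild"}},
    "node_modules/@example/cloud-client/package.json": {
        "name": "@example/cloud-client", "version": "4.1.0",
        "scripts": {
            "postinstall": "node -e \"eval(Buffer.from(process.env.P,'base64').toString())\"",
            "test": "jest"}},
}


def find_install_hooks(root):
    """Walk *root* for package.json files; return sorted (name, hook, command, suspicious)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, don't abort the audit
        scripts = manifest.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            cmd = scripts.get(hook)
            if cmd:
                findings.append((manifest.get("name", path), hook, cmd,
                                 bool(SUSPICIOUS.search(cmd))))
    return sorted(findings)


def write_sample_tree(manifests):
    """Materialise the constructed manifests into a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="hook-audit-")
    for rel, manifest in manifests.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


def audit_sample():
    """Run the audit over the constructed tree and return its findings."""
    return find_install_hooks(write_sample_tree(SAMPLE_MANIFESTS))


if __name__ == "__main__":
    for name, hook, cmd, sus in audit_sample():
        print(f"{'!! ' if sus else '   '}{name:32} {hook:12} {cmd}")
```

Against a real checkout, call find_install_hooks("node_modules") after an install done with `npm ci --ignore-scripts` (or `ignore-scripts=true` in .npmrc), so that you review the hooks before anything has executed; packages that legitimately compile native code can then be allow-listed and rebuilt explicitly. The pip analogue is `pip install --only-binary=:all:`, which refuses source distributions outright and therefore never runs a setup.py.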

Why the CVE System Cannot Keep Up

The CVE system was designed for vulnerabilities in software products — a bug in Apache, a flaw in OpenSSL, a weakness in WordPress. Supply chain attacks do not fit this model. The compromised package is not defective; it has been replaced by a malicious copy. There is no vendor to notify, no patch to issue, no version number to update to. The package is simply removed from the registry and — if the maintainer's account is recovered — republished clean.

This creates a fundamental gap. WebPulse tracks 18,335 WordPress CVEs, 294 Django CVEs, 137 Rails CVEs. These numbers represent the vulnerabilities the system can see. The 100+ compromised packages from June 2026 represent the ones it cannot. Any security posture that relies exclusively on CVE-based scanning is blind to this entire class of attack. Databases such as OSV and the GitHub Advisory Database do issue their own identifiers for known-malicious packages, but only after someone reports the package, and only scanners that actually query those sources benefit.

16 frameworks WebPulse tracks CVEs for. Source: WebPulse NVD Collection (June 2026)

The Framework Dependency Chain

Every modern web framework is a dependency tree. A Next.js application installs 200+ npm packages. A Django project pulls 30+ PyPI packages. A Laravel project loads 50+ Composer packages. Each package in that tree is a potential supply chain target, and most of them are transitive: nobody on the team chose them, so nobody is watching them. The Miasma campaign specifically targeted @redhat-cloud-services, scoped packages that appear in enterprise internal tooling, not in public-facing applications.
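The first question after a campaign like Miasma is whether a watched scope or package name is anywhere in your tree, including deep in the transitive layers where no scanner keyed on CVEs will look. The following is an added example, not code from the article: it reads the "packages" map that npm 7+ writes into package-lock.json (lockfileVersion 2 or 3), derives each entry's nesting depth from its node_modules path, and reports every match against a watch list of names and scopes. The lockfile fragment and the package names in it are constructed for the example; only the @redhat-cloud-services scope is taken from the article, and the watch list is an assumption you would replace with the published affected list.

```python
"""Inventory a package-lock.json against a watch list of packages and scopes.

Added example, not code from the article. Parses the lockfileVersion 2/3
"packages" map, computes nesting depth from the node_modules path, and
returns every entry whose name is watched or whose scope is watched.
"""
import json

# Constructed lockfile fragment in the shape npm 7+ writes (lockfileVersion 3).
# Package names other than the scope are invented for the example.
SAMPLE_LOCKFILE = json.dumps({
    "name": "portal", "lockfileVersion": 3, "packages": {
        "": {"name": "portal", "dependencies": {"next": "14.2.0"}},
        "node_modules/next": {"version": "14.2.0"},
        "node_modules/@redhat-cloud-services/example-client": {"version": "4.0.1"},
        "node_modules/@redhat-cloud-services/example-client/node_modules/example-utils": {
            "version": "1.9.3"},
        "node_modules/react": {"version": "18.3.1"},
    }})

# Watch list (assumption): exact package names and whole scopes to flag.
WATCH_NAMES = {"example-utils"}
WATCH_SCOPES = {"@redhat-cloud-services"}


def package_name(lock_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (the last node_modules segment)."""
    return lock_path.split("node_modules/")[-1]


def depth(lock_path):
    """Count node_modules segments: 1 = installed at top level, 2+ = nested under another package."""
    return lock_path.count("node_modules/")


def match_lockfile(lock_text, names, scopes):
    """Return watched packages found in the lockfile, shallowest first."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2 or "packages" not in lock:
        # lockfileVersion 1 only has the nested "dependencies" tree; handle it separately.
        raise ValueError("expected lockfileVersion 2 or 3 with a 'packages' map")
    hits = []
    for path, entry in lock["packages"].items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = package_name(path)
        scope = name.split("/")[0] if name.startswith("@") else None
        if name in names or scope in scopes:
            hits.append({"name": name, "version": entry.get("version"),
                         "depth": depth(path), "path": path})
    return sorted(hits, key=lambda h: (h["depth"], h["name"]))


if __name__ == "__main__":
    for hit in match_lockfile(SAMPLE_LOCKFILE, WATCH_NAMES, WATCH_SCOPES):
        print(f"depth {hit['depth']}  {hit['name']}@{hit['version']}  ({hit['path']})")
```

Depth is the useful part of the output: a depth-1 hit is something your own manifest (or hoisting) put there and a human can explain, while a depth-2 or deeper hit is a package nobody on the team chose, which is exactly the dependency the article argues needs verification. Note that a hoisted package at depth 1 can still be a transitive dependency; the lockfile path tells you where it sits, not why it is there.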

For CISOs evaluating framework risk, this introduces a dimension that WebPulse scores cannot yet fully capture: the depth and governance of the dependency tree. A framework with zero CVEs but 300 transitive dependencies is not necessarily safer than a framework with 50 CVEs and 20 well-audited dependencies. The supply chain campaigns of June 2026 make this tradeoff concrete. The question is no longer how many vulnerabilities your framework has. It is how many of your dependencies have been verified — and by whom.
