DEV Community

Michael "Mike" K. Saleme

98% of Agents Carry the Lethal Trifecta. Last Week Showed Why.

Adversa's Q2 2026 AI Risk Quadrant Report, published June 3, scored 100 production agent systems against three dimensions: attack surface, blast radius, and defenses. Two numbers worth holding.

98% of production agents carry the lethal trifecta: Simon Willison's framing for the combination of access to private data, exposure to untrusted content, and the ability to take outbound actions, all on the same execution path.

Only 11% qualify as adequately defended.

The remaining 87% don't lack the trifecta. They've got it; they just haven't built around it.

Tool execution alone explains 76% of blast-radius variance across the cohort. That's the headline finding. The capacity to act in the world — to write to APIs, push commits, install packages, send messages — is what converts an agent failure from a logged exception into an operational incident.

What an unbounded trifecta looks like in production

The Miasma worm, first observed June 1 in compromised @redhat-cloud-services npm packages, was that 87% number expressed as an event. The campaign republished 96 versions across 32 packages with a preinstall payload that harvested AWS, GCP, and Azure credentials, Vault tokens, SSH keys, and .env files, then propagated itself through every package the victim's account had permission to publish.

By June 5, a variant — "Phantom Gyp" — had reached Microsoft Azure's durabletask repository via a compromised contributor. The payload was 4.3 megabytes, wired to auto-execute inside Claude Code, Gemini CLI, Cursor, VS Code, and npm test. GitHub disabled 73 Microsoft repositories across four organizations in a 105-second sweep.

Trace what happened to the AIRQ scorecard for the targeted environments:

  • Private data: cloud provider credentials, SSH keys, source-controlled secrets — the entire .env file
  • Untrusted content: a package update from a compromised maintainer account
  • Outbound action: the preinstall hook running with the developer's local privileges, including outbound HTTP for exfiltration and write access to every package the developer could publish

Three trifecta legs, on the same execution path, inside the developer's agent tool environment. The defense layer that was supposed to exist between "I installed a dependency" and "I am now exfiltrating credentials" did not.

The agent dev environment is the enforcement surface

The thing AIRQ's measurement implies, and Miasma demonstrates, is that the trifecta's enforcement surface is no longer the application boundary. It is the developer's tool environment.

A Cursor session, a Claude Code session, a Gemini CLI run — these are agent execution contexts with privileged access to the developer's local credentials, source tree, and outbound network. When a compromised npm package executes a preinstall hook inside that context, the trifecta closes on the agent environment, not on a deployed application.

That changes what the defense layer has to do. Vendor-managed sandboxing of the LLM doesn't help, because the lethal capability — install a package, run npm test, execute a tool — is on the developer's machine, not in the model provider's data center. Token scoping doesn't help unless the scopes are tight enough to refuse credential reads from arbitrary preinstall hooks. Vault integration doesn't help if the agent environment can read environment variables on behalf of the user.

The structural pattern the AIRQ report names is the application-layer trifecta. Miasma extended that pattern by one rung up the stack: the developer's tool environment now carries the same trifecta with strictly higher privileges. The 11%-adequately-defended threshold gets harder to clear at this layer, not easier.

The trifecta moved up a layer. The enforcement surface moved with it.

What the structural defense actually looks like

Defenses that survive when the agent environment is the enforcement surface have three properties.

Admission-time gates, not post-hoc detection. A preinstall hook that reads credentials and exfiltrates them runs in seconds. Detection-based defense is the wrong tier. The gate has to sit at the layer that decides whether the hook runs at all.

Capability scoping that survives the developer-trusts-the-tool assumption. The agent tool environment runs commands the developer authorized. The credential surface has to be narrow enough that "the developer authorized this" doesn't imply "the credentials are reachable."

Identify-and-revoke posture for credential exposure, not credential rotation. When a hook has read .env and shipped the contents, the credentials are exposed regardless of whether they've been rotated since. The operational response is to identify the affected scopes and revoke their permissions, not generate new tokens for the same scopes.

Miasma's design exploits the absence of all three. The preinstall hook ran at admission time because admission was uninstrumented. The credentials were reachable because tool-environment scoping is rare. The remediation guidance from most affected vendors named rotation as the response, which preserves the attacker's foothold across the rotation cycle.
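The first two properties above (an admission-time gate and credential scoping that holds even when the developer authorized the command) can be made concrete in a few dozen lines. The following is an added example, not code from the post, from the agent-security-harness project, or from any vendor it names. It assumes a policy object of the shape `{ allowLifecycle: [...], maxUnpackedBytes }`, reads the registry's per-version `dist.unpackedSize` field when present, and uses pattern lists that are illustrative choices rather than a published standard. The only real tool flag it relies on is npm's `--ignore-scripts`, which refuses to run lifecycle hooks at all.

```javascript
'use strict';
// Added example (not the post's or any vendor's code). Two defensive pieces for
// the agent dev environment described in the post:
//   1. evaluateManifest(): an admission-time gate that decides, from a
//      package.json, whether a package carrying lifecycle hooks may be
//      installed at all. Policy shape is an assumption:
//      { allowLifecycle: [names], maxUnpackedBytes: n }.
//   2. scrubbedEnv(): an allowlist-based environment for the install step, so
//      "the developer authorized npm install" does not imply "AWS/GCP/Azure/
//      Vault variables are reachable by whatever the hook runs".
// The pattern lists are illustrative assumptions, not a standard.

// npm lifecycle scripts that run automatically around `npm install`.
const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Script text that reaches for credential files/stores, makes outbound calls,
// or evaluates inline code. Assumed heuristics; tune for your environment.
const SUSPICIOUS_SCRIPT_PATTERNS = [
  { id: 'dotenv-read',     re: /\.env\b/ },
  { id: 'cloud-cred-path', re: /\.(aws|azure|config\/gcloud|ssh)\b/ },
  { id: 'vault-token',     re: /VAULT_TOKEN/ },
  { id: 'outbound-http',   re: /\b(curl|wget|fetch\()/ },
  { id: 'inline-eval',     re: /\b(node\s+-e|eval\s*\()/ },
];

// Gate: returns { allow, findings }. Any 'block' finding denies admission.
function evaluateManifest(manifest, policy = {}) {
  const allowLifecycle = new Set(policy.allowLifecycle || []);
  const maxBytes = policy.maxUnpackedBytes ?? 1024 * 1024; // assumed default: 1 MiB
  const findings = [];
  const scripts = manifest.scripts || {};

  for (const hook of LIFECYCLE_SCRIPTS) {
    const body = scripts[hook];
    if (!body) continue;
    // A hook is blocked by default; an allowlist entry downgrades it to info.
    if (allowLifecycle.has(manifest.name)) {
      findings.push({ severity: 'info', hook, reason: 'lifecycle hook allowed by policy' });
    } else {
      findings.push({ severity: 'block', hook, reason: 'lifecycle hook not on allowlist' });
    }
    // Even an allowlisted package is blocked if its hook body looks like it
    // reaches for credentials, the network, or inline evaluation.
    for (const { id, re } of SUSPICIOUS_SCRIPT_PATTERNS) {
      if (re.test(body)) findings.push({ severity: 'block', hook, reason: id });
    }
  }

  // Size cap on the unpacked payload, using the registry's dist.unpackedSize
  // when the caller passes registry metadata along with the manifest.
  const size = manifest.dist && manifest.dist.unpackedSize;
  if (typeof size === 'number' && size > maxBytes) {
    findings.push({ severity: 'block', hook: null, reason: `unpackedSize ${size} > ${maxBytes}` });
  }

  return { allow: !findings.some((f) => f.severity === 'block'), findings };
}

// Names that look like secrets or cloud-provider/Vault configuration. Used only
// for the audit list; the allowlist below is what decides what gets passed.
const CREDENTIAL_LIKE =
  /^(AWS_|AZURE_|ARM_|GOOGLE_|GCLOUD_|VAULT_)|(_|^)(TOKEN|SECRET|KEY|PASSWORD|PASS|CREDENTIALS?)$/i;

// Minimal environment an install step needs; everything else is dropped.
const BASE_ALLOW = ['PATH', 'HOME', 'LANG', 'LC_ALL', 'TMPDIR', 'TERM', 'SHELL'];

function scrubbedEnv(env, extraAllow = []) {
  const keep = new Set([...BASE_ALLOW, ...extraAllow]);
  const scrubbed = {};
  const dropped = [];
  for (const [name, value] of Object.entries(env)) {
    if (keep.has(name)) scrubbed[name] = value;
    else dropped.push(name);
  }
  return {
    env: scrubbed,
    dropped,
    credentialLikeDropped: dropped.filter((n) => CREDENTIAL_LIKE.test(n)),
  };
}

// argv for the install step: --ignore-scripts is npm's own flag that refuses to
// run lifecycle hooks. Spawn this with scrubbedEnv(process.env).env.
function installArgv(pkgSpec) {
  return ['npm', 'install', '--ignore-scripts', pkgSpec];
}

// Constructed sample manifests and environment (not real packages or secrets).
const BENIGN = { name: 'example-plain-lib', version: '1.0.0', scripts: { test: 'node test.js' } };
const HOOKED = {
  name: 'example-hooked-pkg', version: '2.3.4',
  scripts: { preinstall: 'node -e "require(\'./setup\')"' },
  dist: { unpackedSize: 4300000 },
};
const NATIVE = { name: 'example-native-addon', version: '0.9.0', scripts: { install: 'node-gyp rebuild' } };
const SAMPLE_ENV = {
  PATH: '/usr/bin', HOME: '/home/dev', NODE_ENV: 'development',
  AWS_SECRET_ACCESS_KEY: 'constructed-value', VAULT_TOKEN: 'constructed-value',
};

for (const m of [BENIGN, HOOKED, NATIVE]) {
  console.log(m.name, JSON.stringify(evaluateManifest(m, { allowLifecycle: ['example-native-addon'] })));
}
console.log('install env keeps:', Object.keys(scrubbedEnv(SAMPLE_ENV).env), 'argv:', installArgv('example-plain-lib@1.0.0'));
```

The gate's default is deny-on-hook, which is the "whether the hook runs at all" tier the post calls for; packages that legitimately need an install script (native addons) earn an allowlist entry and are still inspected. The same `ignore-scripts=true` setting can be pinned in a project or user `.npmrc` so the flag does not depend on anyone remembering it. Scoping by allowlist rather than denylist means an unfamiliar credential variable is unreachable by default instead of reachable until someone names it.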

What the harness covers, what it doesn't

The agent-security-harness community plugin runtime and MCP server modules exercise the equivalent of preinstall-hook code paths inside MCP plugin loading: untrusted YAML, eval-injection patterns, file size caps, regex safety, delay caps. The community runner's plugin validator is the closest defensive analog the harness contains to what Miasma exploited at the npm layer.

What the harness does not cover today, honestly:

  • The npm preinstall-hook surface itself — that is an upstream package-manager attack vector, not an MCP or A2A protocol attack
  • The Claude Code / Cursor / Gemini CLI agent tool environment as a measured execution context — these are vendor-managed sandboxes the harness does not directly probe
  • Cross-package contributor-account-compromise propagation — that is a registry-governance question, not an agent-protocol-runtime question

The AIRQ measurement is the right anchor for what the harness does measure: the application-layer trifecta defense gap. The Miasma case is the canonical example of why that gap matters at the layer immediately above.
