98% of Agents Carry the Lethal Trifecta. Last Week Showed Why.

Adversa's Q2 2026 AI Risk Quadrant Report, published June 3, found that 98% of production agent systems carry the "lethal trifecta" (access to private data, exposure to untrusted content, and the ability to take outbound actions, all on the same execution path) while only 11% qualify as adequately defended. The report identified tool execution as the primary driver of blast radius, accounting for 76% of variance across the cohort. The findings were demonstrated by the Miasma worm, which compromised npm packages and propagated through developer tool environments including Claude Code, Gemini CLI, and Cursor, harvesting credentials and exfiltrating data.

Adversa's Q2 2026 AI Risk Quadrant Report, published June 3, scored 100 production agent systems against three dimensions: attack surface, blast radius, and defenses. Two numbers are worth holding on to.

98% of production agents carry the lethal trifecta, Simon Willison's framing (https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/) for the combination of access to private data, exposure to untrusted content, and the ability to take outbound actions, on the same execution path. Only 11% qualify as adequately defended. The remaining 87% don't lack the trifecta. They've got it; they just haven't built around it.

Tool execution alone explains 76% of blast-radius variance across the cohort. That's the headline finding. The capacity to act in the world (to write to APIs, push commits, install packages, send messages) is what converts an agent failure from a logged exception into an operational incident.

The Miasma worm, first observed June 1 in compromised @redhat-cloud-services npm packages, was that 87% number expressed as an event.
The campaign republished 96 versions across 32 packages with a preinstall payload that harvested AWS, GCP, and Azure credentials, Vault tokens, SSH keys, and .env files, then propagated itself through every package the victim's account had permission to publish. By June 5, a variant, "Phantom Gyp", had reached Microsoft Azure's durabletask repository via a compromised contributor. The payload was 4.3 megabytes, wired to auto-execute inside Claude Code, Gemini CLI, Cursor, VS Code, and npm test. GitHub disabled 73 Microsoft repositories across four organizations in a 105-second sweep.

Trace what happened to the AIRQ scorecard for the targeted environments (the scorecard table itself did not survive extraction; only the entry ".env file" remains): three trifecta legs, on the same execution path, inside the developer's agent tool environment. The defense layer that was supposed to exist between "I installed a dependency" and "I am now exfiltrating credentials" did not.

The thing AIRQ's measurement implies, and Miasma demonstrates, is that the trifecta's enforcement surface is no longer the application boundary. It is the developer's tool environment. A Cursor session, a Claude Code session, a Gemini CLI run: these are agent execution contexts with privileged access to the developer's local credentials, source tree, and outbound network. When a compromised npm package executes a preinstall hook inside that context, the trifecta closes on the agent environment, not on a deployed application.

That changes what the defense layer has to do. Vendor-managed sandboxing of the LLM doesn't help, because the lethal capability (install a package, run npm test, execute a tool) is on the developer's machine, not in the model provider's data center. Token scoping doesn't help unless the scopes are tight enough to refuse credential reads from arbitrary preinstall hooks. Vault integration doesn't help if the agent environment can read environment variables on behalf of the user.

The structural pattern the AIRQ report names is the application-layer trifecta.
Miasma extended that pattern by one rung up the stack: the developer's tool environment now carries the same trifecta with strictly higher privileges. The 11%-adequately-defended threshold gets harder to clear at this layer, not easier. The trifecta moved up a layer. The enforcement surface moved with it.

Defenses that survive when the agent environment is the enforcement surface have three properties.

Admission-time gates, not post-hoc detection. A preinstall hook that reads credentials and exfiltrates them runs in seconds. Detection-based defense is the wrong tier. The gate has to sit at the layer that decides whether the hook runs at all.

Capability scoping that survives the developer-trusts-the-tool assumption. The agent tool environment runs commands the developer authorized. The credential surface has to be narrow enough that "the developer authorized this" doesn't imply "the credentials are reachable."

Identify-and-revoke posture for credential exposure, not credential rotation. When a hook has read .env and shipped the contents, the credentials are exposed regardless of whether they've been rotated since. The operational response is to identify the affected scopes and revoke their permissions, not generate new tokens for the same scopes.

Miasma's design exploits the absence of all three. The preinstall hook ran at admission time because admission was uninstrumented. The credentials were reachable because tool-environment scoping is rare. The remediation guidance from most affected vendors named rotation as the response, which preserves the attacker's foothold across the rotation cycle.

The agent-security-harness (https://github.com/msaleme/red-team-blue-team-agent-fabric) community plugin runtime and MCP server modules exercise the equivalent of preinstall-hook code paths inside MCP plugin loading: untrusted YAML, eval-injection patterns, file size caps, regex safety, delay caps.
The community runner's plugin validator is the closest defensive analog the harness contains to what Miasma exploited at the npm layer.

What the harness does not cover today, honestly:

The AIRQ measurement is the right anchor for what the harness does measure: the application-layer trifecta defense gap. The Miasma case is the canonical example of why that gap matters at the layer immediately above.
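One way to build the admission-time gate described above, as an added example that is not code from the page, the AIRQ report or the agent-security-harness project. The package names, versions and hook commands in it are constructed, and it assumes the install pipeline can hand it the package.json of every tarball before npm unpacks anything, so the decision is made before a hook could run rather than after one has.

```javascript
// Added example, not code from the page, the AIRQ report or the harness: an admission-time
// gate for npm dependencies. It decides, before any install script could run, whether a
// package that declares install-time lifecycle hooks is admitted at all. Pair it with
// `ignore-scripts=true` in .npmrc so the default is "hooks never run" and the pinned
// allowlist below is the only path by which a hook executes.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Install-time hooks a manifest declares, with their commands.
function lifecycleHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS
    .filter((h) => typeof scripts[h] === 'string' && scripts[h].trim() !== '')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Decide for one manifest. allowlist maps package name -> the exact version permitted to
// run hooks; a different version of an allowlisted name is still denied, so a hijacked
// republish does not inherit the trust granted to the version that was reviewed.
function admit(manifest, allowlist = {}) {
  const id = `${manifest.name}@${manifest.version}`;
  const hooks = lifecycleHooks(manifest);
  if (hooks.length === 0) {
    return { id, decision: 'allow', reason: 'no install-time scripts', hooks };
  }
  if (allowlist[manifest.name] === manifest.version) {
    return { id, decision: 'allow', reason: 'reviewed version allowlisted to run hooks', hooks };
  }
  const names = hooks.map((h) => h.hook).join(', ');
  return { id, decision: 'deny', reason: `declares ${names}; not allowlisted at this version`, hooks };
}

// Gate a resolved dependency set (the manifests of every tarball the install would unpack).
// Returns the denials; an empty array means the install may proceed.
function gateDependencySet(manifests, allowlist = {}) {
  return manifests.map((m) => admit(m, allowlist)).filter((r) => r.decision === 'deny');
}

// Constructed sample manifests for a stand-alone run; names, versions and commands are made up.
const SAMPLE_MANIFESTS = [
  { name: 'tiny-util', version: '1.0.0', scripts: { test: 'node test.js' } },
  { name: 'native-widget', version: '2.3.1', scripts: { install: 'node-gyp rebuild' } },
  { name: 'some-sdk', version: '4.0.9', scripts: { preinstall: 'node ./setup.js' } },
];
const SAMPLE_ALLOWLIST = { 'native-widget': '2.3.1' };

const denials = gateDependencySet(SAMPLE_MANIFESTS, SAMPLE_ALLOWLIST);
console.log(denials.length === 0 ? 'install may proceed' : denials);
```

A non-empty denial list should fail the install step outright; surfacing it as a warning would put the gate back in the detection tier the text argues is the wrong one.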