Cloud-Native Digest is your monthly overview of all things open-source, supply chain security, and more ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­    ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­  
View in browser
DIGEST_Newsletter-Banner_10

Edition: June 2026

Brought to you by Nigel Douglas, Head of Developer Relations at Cloudsmith

 

June 2026 has been a wild month for software devs. SpaceX just closed the largest startup acquisition in history (grabbing Cursor for a casual $60B), major security overhauls arrived for npm and Packagist, and AI-fueled supply chain worms like Miasma and Shai-Hulud kept hammering dev environments. The good news? Coordinated defense is finally catching up – with new coalitions like Akrites and Athena, plus tools like Scrutineer and NVIDIA's SkillSpector helping devs shoulder the security burdens AI keeps introducing. The line between writing code and defending it has officially vanished.

 

Grab a coffee. There's a lot to unpack.

Read the full June digest on cloudsmith.com

JUNE 2026 

 

Three stories you can't afford to miss

We tracked dozens of stories in June. Here are the three we think are most noteworthy.

1. SpaceX just bought Cursor for $60 billion – the largest startup acquisition in history
In an all-stock deal, SpaceX has acquired Anysphere (Cursor's parent company) for $60 billion, folding Cursor's AI coding capabilities and enormous developer base into Elon Musk's xAI and Grok. Days later, Cursor quietly acquired Continue – the 34,000-star open-source Copilot alternative – winding down its proprietary services and giving users until July 15th to export their data. AI dev tooling just got a lot more consolidated.

Read the full deal breakdown →

 

2. The Miasma worm hit Red Hat and 73 Microsoft GitHub repos
Rooted in the TeamPCP threat group, Miasma is a self-replicating worm that hijacked legitimate developer credentials to acquire OIDC tokens and valid SLSA provenance attestations – letting it walk right past conventional scanners. It infiltrated Red Hat's npm namespace and 73 Microsoft repos (including core Azure and Durable Task tools), then weaponized Claude Code and other AI coding tools to execute the moment infected repos were opened. If your team leans on AI coding assistants (they do), this is the attack pattern to understand.

See how Miasma spreads →

 

3. A fake AI agent skill fooled 26,000 agents – and passed every security scanner
To prove a point about AI agent security, researchers at AIR deployed a deceptive AI skill that bypassed multiple scanners, inherited 36,000 GitHub stars by merging into a legitimate repo, and reached roughly 26,000 agents (including corporate accounts) via targeted Instagram ads. The trick: link to legitimate documentation during review, then swap the destination for a data-collecting payload after the scans passed. This is exactly why NVIDIA just open-sourced SkillSpector.

Read the full experiment →

Want every incident, advisory and news item?

The full June digest covers every supply chain incident we tracked this month – Mastra, the Shai-Hulud copycat targeting PyPI, macOS. Gaslight's prompt-injection backdoor, and more – plus the news roundup: Packagist's ecosystem-wide malware blocking, the Rust Foundation Maintainers Fund, npm v12's stricter install defaults, Python 3.15 beta 2, Kubernetes' new AI policy for maintainers, Athena's 2,000 patches across 500 projects, and the launch of the Akrites coalition.

Read the full June Cloud-Native Digest on cloudsmith.com →

📚 Bonus reading: NVIDIA just open-sourced SkillSpector, a security scanner for AI agent skills. Given that roughly 1 in 4 public skills contain vulnerabilities, it's a must-read if your team is deploying agents.


🆕  Where does your supply chain security actually stand? Take our free Artifact Security Maturity Assessment → and find out where the gaps are before an attacker does. 

 

Signed, sealed and delivered – see you next issue.

Nigel Douglas

Nigel Douglas

Head of Developer Relations

Cloudsmith

Cloudsmith, 7 Donegall Square West, Belfast, Northern Ireland BT1 6JH

Unsubscribe Manage preferences

LinkedIn
X
Website