By Allan D - Editor, AI Security Wire
Incident Report: Miasma Worm Hits 73 Microsoft GitHub Repos via AI Tools
Incident Classification: Confirmed | Incident Type: Reported | Severity: Critical | Sector: Software Development / Developer Infrastructure | Date Confirmed: 5 June 2026
A self-replicating supply chain worm compromised 73 Microsoft GitHub repositories on June 5, 2026, targeting developers through AI coding tool configuration files. GitHub’s automated response disabled all affected repositories within 105 seconds. The threat actor, attributed at medium confidence to a cluster tracked as TeamPCP, had begun staging the attack three weeks earlier.
Incident Summary
| Field | Detail |
|---|---|
| Incident type | Supply chain compromise via AI coding tool config injection |
| Affected repositories | 73 repositories across Azure, Azure-Samples, Microsoft, MicrosoftDocs |
| Attack vector | Malicious configuration files targeting Claude Code, Gemini CLI, Cursor, VS Code, npm |
| Payload | Credential harvester targeting cloud and developer tool tokens |
| Credentials at risk | AWS, Azure, GCP, Kubernetes, npm, GitHub, 90+ developer tool configs |
| Initial access method | Stolen Microsoft contributor PAT |
| Attack duration | Active staging from May 16; main wave June 3–5 |
| Containment | GitHub automated takedown, 105 seconds, June 5 16:00:50–16:02:35 UTC |
| Attribution | TeamPCP (medium confidence) |
Timeline
May 16, 2026: Malicious payload modules are created. The C2 domain is registered. The attacker is preparing infrastructure but has not yet pushed anything to public repositories.
May 19, 2026: Three malicious versions of a PyPI package are uploaded. This early wave is not widely detected. It establishes the credential-harvesting capability in a lower-visibility environment before the main campaign.
June 1, 2026 — Wave 1: Preinstall hooks are embedded in 32 packages in the @redhat-cloud-services npm namespace. These execute automatically when developers install the affected packages. The hooks function as credential harvesters and likely feed tokens into the attacker’s pipeline for subsequent waves.
June 3, 2026 — Wave 2: 57 npm packages are modified to include binding.gyp files. This is a deliberate evasion choice. The node-gyp native build pipeline executes binding.gyp as part of legitimate package compilation — not as JavaScript code but as a native build step that security tools routinely treat as trusted. The files execute credential-harvesting code that largely avoids triggering automated detection.
June 3–5, 2026 — Wave 3: The attacker uses a stolen Microsoft contributor Personal Access Token to push malicious commits to Azure, Azure-Samples, Microsoft, and MicrosoftDocs repositories. Five configuration files are inserted into 73 repositories, targeting AI coding tool environments: CLAUDE.md (Claude Code), alongside analogous config files for Gemini CLI, Cursor Agent CLI, VS Code, and npm configuration. The actual harvesting payload is embedded in an obfuscated JavaScript file at .github/setup.js, which executes when a developer opens an affected repository in any of the targeted AI tools.
Notable affected repositories include azure-search-openai-demo, multiple durabletask implementations, and functions-container-action — all popular reference architectures and utility libraries with high developer clone activity.
June 5, 16:00:50–16:02:35 UTC: GitHub’s automated systems detect the anomalous commit pattern and disable all 73 affected repositories in two sweeps, totalling 105 seconds. Public disclosure follows within hours.
How the AI Coding Tool Attack Vector Worked
The configuration-file attack is not novel. Adversa AI’s SymJack research, published weeks before the Miasma campaign, had explicitly documented how CLAUDE.md and equivalent agent instruction files could be weaponised to execute attacker-controlled code when a developer opens a repository.
Miasma is the first confirmed large-scale exploitation of this technique.
The mechanism is straightforward. Developers using AI coding tools operate in a trust model where project configuration files are processed automatically on repository open. When a developer clones azure-search-openai-demo to evaluate it, extend it, or integrate it, their AI coding tool reads the project config. In this case, that config directed execution of .github/setup.js with the developer’s own shell session permissions.
The credential harvester then had access to whatever the developer’s environment held: AWS and Azure CLI tokens, Kubernetes contexts, GitHub PATs, npm auth tokens, container registry credentials, and anything else in environment variables or dotfiles.
Three factors made this particularly effective:
Trusted provenance. The repositories were from Microsoft’s own GitHub organizations. Developers evaluating azure-search-openai-demo had no obvious reason to treat its configuration files as hostile. High-profile, widely-forked Microsoft reference repos carry an implicit trust that attacker-controlled repos do not.
Execution on open, not on install. The AI coding tool vector activates when the developer opens the project, not when they run code or install dependencies. This is earlier in the developer workflow than most supply chain security tooling monitors.
Five tools, one campaign. Separate configuration files targeting Claude Code, Gemini CLI, Cursor, VS Code, and npm configuration mean a developer only needs one of the five tools in their environment to be affected. Coverage was broad.
The Detection Gap: Three Weeks of Staging
The containment on June 5 was fast. The question is why the preceding three weeks went largely undetected.
Wave 1 (npm preinstall hooks) and Wave 2 (binding.gyp files) both executed through standard package management pipelines that security tooling trusts by default. Preinstall hooks are a standard npm feature used by legitimate packages; binding.gyp triggers node-gyp, a trusted build tool. Neither execution path matches common malware signatures. Both resulted in credential exfiltration that was not detected by the affected package ecosystem’s maintainers or by npm’s security systems during the window.
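As an added example (not code from this report or from npm), the following Python script inventories the two install-time execution paths described above in an installed tree: lifecycle hooks declared in package.json, and a binding.gyp that causes npm to run node-gyp. The function name `audit_tree` and its `allowlist` parameter are hypothetical.

```python
import json
from pathlib import Path

# Lifecycle scripts that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def audit_tree(root, allowlist=frozenset()):
    """Return (package, reason, detail) for each install-time execution path.

    allowlist (hypothetical parameter) holds package names that were reviewed
    and are expected to run install steps, e.g. known native add-ons.
    """
    findings = []
    for manifest in sorted(Path(root).rglob("package.json")):
        pkg_dir = manifest.parent
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            findings.append((str(pkg_dir), "unreadable package.json", ""))
            continue
        if not isinstance(meta, dict):
            continue
        name = meta.get("name") or pkg_dir.name
        if name in allowlist:
            continue
        scripts = meta.get("scripts")
        scripts = scripts if isinstance(scripts, dict) else {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, hook, scripts[hook]))
        # With a binding.gyp and no install/preinstall script of its own, npm
        # defaults the install step to `node-gyp rebuild`, so the package
        # executes at install time without declaring any hook.
        has_gyp = (pkg_dir / "binding.gyp").is_file()
        if has_gyp and not {"install", "preinstall"} & scripts.keys():
            findings.append((name, "implicit node-gyp rebuild", "binding.gyp"))
    return findings
```

Run it against a tree fetched with `npm install --ignore-scripts`, so that nothing has executed before the inventory is reviewed.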
Wave 3 required a review of Microsoft’s GitHub commit activity to detect. The compromised PAT pushed commits to 73 repositories over two days. The commits were small config-file additions from an account that appeared to be a legitimate contributor. Without specific monitoring for anomalous commit patterns from contributor accounts — number of repositories touched in a short window, nature of the files added — the activity would look like a contributor updating project tooling.
GitHub’s eventual automated detection and 105-second response demonstrates that fast machine response is possible once a signature is established. The gap was the three preceding weeks of staging in less-monitored environments.
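One way to express the commit-pattern monitoring described above, as an added example that is not GitHub's or Microsoft's detection logic: flag any account that adds tooling or agent configuration files to many distinct repositories inside a short window. The event fields, the thresholds, and every file name other than CLAUDE.md and .github/setup.js are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# CLAUDE.md and .github/setup.js are named in the report; other names are assumed.
TOOLING_NAMES = {"CLAUDE.md", "GEMINI.md", "AGENTS.md", ".cursorrules", ".npmrc"}
TOOLING_DIRS = {".github", ".claude", ".cursor", ".vscode", ".gemini"}

def adds_tooling(paths):
    """True if any newly added path is a tool config or sits in a tooling dir."""
    for p in map(PurePosixPath, paths):
        if p.name in TOOLING_NAMES or (p.parts and p.parts[0] in TOOLING_DIRS):
            return True
    return False

def detect_fanout(events, window=timedelta(hours=48), max_repos=5):
    """Return {actor: sorted repos} for actors who add tooling files to more
    than max_repos distinct repositories within one sliding window."""
    recent = defaultdict(list)   # actor -> [(time, repo)] still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if not adds_tooling(ev["added"]):
            continue
        now = datetime.fromisoformat(ev["time"])
        hits = [(t, r) for t, r in recent[ev["actor"]] if now - t <= window]
        hits.append((now, ev["repo"]))
        recent[ev["actor"]] = hits
        repos = {r for _, r in hits}
        if len(repos) > max_repos:
            alerts[ev["actor"]] = sorted(repos | set(alerts.get(ev["actor"], [])))
    return alerts

# Constructed push events, not real telemetry.
SAMPLE_EVENTS = (
    [{"actor": "contrib-a", "repo": f"org/repo-{i}",
      "time": f"2026-06-03T10:{i:02d}:00+00:00",
      "added": ["CLAUDE.md", ".github/setup.js"]} for i in range(6)]
    + [{"actor": "contrib-b", "repo": "org/docs",
        "time": "2026-06-03T11:00:00+00:00", "added": ["CLAUDE.md"]}]
    + [{"actor": "contrib-c", "repo": f"org/lib-{i}",
        "time": f"2026-06-04T09:{i:02d}:00+00:00",
        "added": ["src/util.py", "README.md"]} for i in range(8)]
)
```

On the constructed sample only `contrib-a` is flagged: `contrib-b` touches one repository, and `contrib-c` touches eight but adds no tooling files.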
Remediation and Microsoft Response
GitHub disabled the 73 affected repositories via automated sweep. Microsoft revoked the compromised contributor PAT. The malicious configuration files and payload have been removed from affected repositories.
For developers who cloned or opened affected repositories between June 3 and June 5 using Claude Code, Gemini CLI, Cursor, VS Code, or npm:
- Treat all credentials accessible from that session as compromised and rotate immediately: cloud provider tokens (AWS, Azure, GCP), GitHub PATs, npm auth tokens, Kubernetes service account tokens, container registry credentials
- Review cloud provider access logs for activity in the June 3–5 window from your development workstation IP or associated CI runners
- Check npm and GitHub audit logs for any token use not matching your own activity
- Rotate SSH keys if present in your shell environment during the exposure window
What This Means for the AI Coding Tool Threat Model
Miasma is important because it operationalises, at scale and against a high-trust target, the attack pattern that security researchers had been describing as theoretical.
The SymJack research showed that AI coding tool configuration files could trigger code execution in a way that bypasses approval UI. Miasma showed that an attacker with access to a trusted, high-traffic GitHub repository can deliver that payload to thousands of developers without anyone questioning the file’s legitimacy.
The trusted-provenance angle is the new variable. Defending against malicious configuration files in unknown repositories is one problem. Defending against malicious configuration files in repositories that are the official Microsoft reference implementations for Azure OpenAI integration is a different problem. Developers are not going to stop cloning azure-search-openai-demo.
The controls this requires are at the tool level, not the developer behaviour level. AI coding tools need to display the actual effects of configuration files before executing them, with clear disclosure of any code that will run. Anthropic’s Claude Code patch for SymJack (resolving symlinks to show real destinations) is one step. A broader standard for AI coding tool configuration file transparency is what the ecosystem needs.
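An added example of the kind of disclosure argued for above, not code from any of the tools named: before a repository is opened, list every script its tool configuration files reference, where that path really resolves once symlinks are followed, and its hash. Only CLAUDE.md is named in this report; the other config file and directory names are assumed conventional locations, and `disclose` is a hypothetical function name.

```python
import hashlib
import re
from pathlib import Path

# CLAUDE.md is the file named in the report; the other entries are assumed,
# conventional config locations for the tools it lists.
CONFIG_NAMES = {"CLAUDE.md", "GEMINI.md", "AGENTS.md", ".cursorrules", ".npmrc"}
CONFIG_DIRS = {".claude", ".cursor", ".vscode", ".gemini"}
# Path-like tokens ending in a script extension (package.json does not match).
SCRIPT_REF = re.compile(r"[\w./-]+\.(?:js|mjs|cjs|sh|py|ps1)\b")

def is_config(rel):
    """True for a tool config file or any file under a tool config directory."""
    return rel.name in CONFIG_NAMES or rel.parts[0] in CONFIG_DIRS

def disclose(root):
    """List each script referenced by a tool config file with its real target."""
    root = Path(root).resolve()
    report = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if ".git" in rel.parts or not path.is_file() or not is_config(rel):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for ref in sorted(set(SCRIPT_REF.findall(text))):
            target = (root / ref).resolve()   # follows symlinks to the real file
            digest = None
            if target.is_file():
                digest = hashlib.sha256(target.read_bytes()).hexdigest()
            report.append({
                "config": rel.as_posix(),
                "ref": ref,
                "real_path": str(target),
                "inside_repo": target.is_relative_to(root),
                "sha256": digest,   # None when the referenced file is absent
            })
    return report
```

An entry with `inside_repo` set to false, or a hash that differs from the last reviewed one, is the signal to read the script before opening the project in an agent.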
References
- Rescana — Miasma Worm Supply Chain Attack: 73 Microsoft GitHub Repositories Compromised via AI Coding Tools
- Perplexity AI Magazine — Miasma Worm GitHub Attack 2026: 73 Microsoft Repos
- SecurityWeek — AI Coding Agents Could Fuel Next Supply Chain Crisis
- Adversa AI — The Approval Prompt Is Lying to You: Symlink RCE in Five AI Coding Agents
- MITRE ATT&CK — T1195: Supply Chain Compromise
- MITRE ATT&CK — T1059.007: JavaScript
Frequently Asked Questions
- How did the Miasma Worm use AI coding tools to spread?
  The worm injected configuration files into compromised Microsoft GitHub repositories that targeted five specific AI coding environments: Claude Code (via CLAUDE.md), Gemini CLI, Cursor Agent CLI, VS Code, and npm. When a developer opened an affected repository in any of these tools, the configuration file triggered execution of the credential-harvesting payload with the developer's own session permissions. The attack exploited exactly the same trust model that the SymJack research had documented weeks earlier — AI coding tools automatically process project configuration files without clearly communicating what those files will execute.
- What credentials did the Miasma Worm harvest?
  The credential harvester targeted authentication tokens, cloud platform credentials, and developer tool session tokens across AWS, Azure, GCP, Kubernetes, npm, GitHub, and over 90 developer tool configurations. For developers who opened affected repositories in AI coding tools, anything accessible via their active shell session was in scope — including cloud provider CLI auth, container registry tokens, CI/CD service credentials, and any secrets stored in dotfiles or environment variables.
- How did the attacker gain initial access to Microsoft's GitHub repositories?
  The attacker used a stolen Microsoft contributor Personal Access Token to push malicious commits directly to the affected repositories. The PAT was likely obtained through an earlier stage of the campaign — the same infrastructure and account were linked to a May 2026 operation dubbed Mini Shai-Hulud, suggesting the PAT was compromised before the main June attack wave. The binding.gyp files in the npm wave also served as credential harvesters, potentially feeding the pipeline for subsequent attacks.
- Why did three waves of attacks go undetected before the June 5 GitHub takedown?
  Each wave used a different execution mechanism designed to blend with legitimate developer workflows. The Wave 1 npm preinstall hooks blend with package installation. The Wave 2 binding.gyp files execute through the node-gyp native build pipeline, which security monitoring typically treats as a trusted system operation rather than a potentially malicious script. The Wave 3 GitHub repo commits required a developer to open the repo in an AI coding tool — a user action that looks indistinguishable from normal development activity. None of the execution vectors triggered standard malware signatures.