By ByteBot
The Miasma supply chain worm reached Microsoft on June 5. In 105 seconds, GitHub disabled 73 repositories across four Microsoft organizations — Azure, Azure-Samples, Microsoft, and MicrosoftDocs — after a malicious commit was pushed to Azure/durabletask via a previously compromised contributor account. Among the casualties: azure-search-openai-demo, the entire Durable Task family, and a column of AI sample repos that thousands of developers have cloned. This is the same worm that hit 32 Red Hat npm packages on June 1 and 57 more via the Phantom Gyp technique on June 3. It is escalating fast. And the latest variant does something new: it specifically targets AI coding agents.
Opening Your Repo in Claude Code Is Now a Risk
This is the part most security write-ups have buried. The Miasma worm plants backdoor configuration files inside compromised repositories — specifically .claude/settings.json, .gemini/settings.json, and Cursor config directories — that execute a credential-harvesting payload the moment a developer opens the project in Claude Code, Gemini CLI, or Cursor. No explicit code execution required. Just opening the repository triggers it.
SafeDep’s telemetry found 123 repositories across dozens of accounts already carrying this hook pattern, all pointing to the same node .github/setup.js trigger. The targeting is deliberate: developers increasingly open unfamiliar repos with AI agents to help navigate the codebase. The worm exploits that new behavior. A developer who never runs a single line of the project can still have every cloud credential on their machine exfiltrated.
What Microsoft Lost — and Why It Affects You
The 73 disabled repos are not obscure. They include Microsoft’s canonical Azure AI reference applications:
- azure-search-openai-demo — the most-cloned Microsoft RAG starter app
- The entire Durable Task family: durabletask-dotnet, durabletask-go, durabletask-java, durabletask-js, durabletask-mssql, durabletask-netherite, durabletask-protobuf, DurableFunctionsMonitor
- functions-container-action, llm-fine-tuning, and 65+ more across the Azure and MicrosoftDocs organizations
Disabling these repos broke CI pipelines globally for anyone relying on these GitHub Actions. If your pipeline pulls from any of these repos or the Azure-Samples organization, it may have already been affected. Developers who cloned these repos before GitHub’s 105-second response window should assume their machines may have executed the payload.
How the Worm Spreads
Miasma v2 introduced a technique called Phantom Gyp: a 157-byte binding.gyp file that triggers code execution during npm install, bypassing the preinstall and postinstall lifecycle script monitoring that most security scanners rely on. Once it runs, the worm steals npm tokens, enumerates every package the compromised maintainer owns, injects the payload into each one, and republishes — with forged SLSA provenance attestations signed by Sigstore. The packages look legitimate even to tools designed to verify supply chain integrity. As TechTimes reported: “Signed Attestations Cannot Block Pipeline Hijack.”
The Azure incident began with a contributor account compromised in an earlier wave, likely Phantom Gyp. From there, the worm automated 73 commits across Microsoft’s GitHub organizations in under two minutes.
What to Do Right Now
If you have used any of the affected repos or installed packages from the @redhat-cloud-services scope, @vapi-ai/server-sdk, or ai-sdk-ollama since June 1, treat your credentials as compromised and rotate immediately: GitHub tokens, AWS/Azure/GCP credentials, npm publish tokens, SSH keys, and CI/CD secrets.
Beyond rotation, check your AI agent configurations. Look for unexpected entries in your project directories:
# Check for unexpected hooks in AI agent configs
cat .claude/settings.json | grep -i "setup.js\|github"
cat .gemini/settings.json | grep -i "setup.js\|github"
# Check git history for suspicious config files added recently
git log --all --oneline --diff-filter=A -- ".claude/settings.json" ".gemini/settings.json" ".github/setup.js"
# Install packages without running scripts in CI environments
npm install --ignore-scriptsGitHub has published the list of affected repository versions. Cross-reference your package-lock.json and run npm audit. StepSecurity’s technical writeup has the full list of compromised package versions and the binding.gyp signatures to scan for.
The Bigger Picture
Three supply chain waves hit in five days — Red Hat npm, Phantom Gyp, and now Azure GitHub — and the common thread is that existing defenses failed each time. SLSA provenance was forged. Preinstall hooks were bypassed. GitHub Actions OIDC was abused. What stopped the Azure incident was GitHub’s automated detection, not any of the trust mechanisms developers assumed were protecting them.
The AI coding agent angle is new terrain. Security teams have not yet built tooling to scan for malicious agent config files the way they scan for malicious packages. That gap is now being actively exploited. The Hacker News has full coverage of the Microsoft incident. Opening a repository in your AI IDE is no longer a zero-risk action.
