On June 5, a single malicious commit hit one of Microsoft’s GitHub repositories. Within 105 seconds, GitHub’s automated abuse detection had disabled 73 repos across four Microsoft organizations — Azure, Azure-Samples, Microsoft, and MicrosoftDocs. The culprit was the Miasma worm, and the attack vector wasn’t a vulnerable dependency or a typosquatted package. It was your AI coding tool.
What Happened
Attackers used a previously compromised contributor’s GitHub account to push a commit to the Azure/durabletask repository. The commit added no visible dependencies — just five workspace configuration files and one obfuscated JavaScript file at .github/setup.js. When a developer cloned the repo and opened it in Claude Code, Gemini CLI, Cursor, or VS Code, the payload executed automatically.
No npm install. No script you chose to run. Just opening a folder.
This is the key shift in the Miasma attack. Traditional supply chain attacks target the package manager. Miasma targets the AI coding tool — specifically its habit of reading workspace config files to understand project context. That feature, which makes AI tools useful, became the execution trigger.
What the Payload Did
Once triggered, the malware ran a multi-cloud credential sweep. It harvested AWS keys, Azure service principals, GCP service accounts, Kubernetes secrets, Vault tokens, npm tokens, GitHub personal access tokens, SSH keys, Docker configurations, and anything sitting in .env files or shell history. Credentials were exfiltrated to public GitHub repositories controlled by the attackers.
The worm then self-propagated using the stolen tokens, spreading to additional repositories. Each infection generated a uniquely encrypted payload — making hash-based detection essentially useless. By the time you updated your signature database, the fingerprint had already changed.
Across the broader Miasma campaign, 113+ GitHub repositories were compromised and SafeDep was tracking 473 affected package artifacts as of June 9.
It’s Getting Worse: The Toolkit Is Now Public
On June 8 — three days after the Microsoft attack — the full Miasma attack toolkit was open-sourced via four previously compromised GitHub accounts. The toolkit isn’t a proof-of-concept. It’s a full supply chain attack platform capable of poisoning npm, PyPI, and RubyGems packages, compromising GitHub Actions workflows, injecting AI coding tool configs, and performing SSH-based lateral movement — all using GitHub’s own infrastructure for command-and-control.
In other words: the barrier to running this attack just dropped to near zero. The Register has the full breakdown of what’s inside the toolkit.
Microsoft’s Incomplete Rotation Problem
There’s a detail in this story worth paying attention to: this was Microsoft’s second breach from a related attack within a few weeks. The attacker reportedly retained a working GitHub token from the earlier compromise — meaning Microsoft hadn’t fully rotated affected credentials the first time. The Miasma worm reached the Azure/durabletask repo because an account that should have been locked was still active.
Incomplete credential rotation after a compromise is almost as bad as no rotation. If an attacker exfiltrates a token and you rotate 90% of your secrets, you’ve narrowed their access, not ended it.
What AI Developers Need to Do Now
If you opened any repository from the Azure, Azure-Samples, Microsoft, or MicrosoftDocs GitHub organizations between June 3 and June 5 using Claude Code, Gemini CLI, Cursor, or VS Code, treat your development environment as compromised. StepSecurity has a full remediation guide. Rotate the following immediately:
- GitHub personal access tokens and fine-grained tokens
- npm tokens and publishing credentials
- AWS access keys and IAM credentials
- Azure service principals and managed identity secrets
- GCP service account keys
- SSH keys used on developer machines
- Kubernetes secrets accessible from your dev environment
- CI/CD signing keys and pipeline secrets
- Anything stored in .env files or shell history during that window
Beyond immediate remediation, the Miasma campaign points to a gap in how most developers think about project files. You audit package.json before you npm install. Apply the same skepticism to workspace config files — especially anything in .claude/, .cursor/, .vscode/, and .github/. AI tools execute what they read. That’s the feature, and it’s now the risk.
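One way to apply that skepticism before a clone is ever opened in an editor, as an added example that is not code from this article, StepSecurity, or any of the tools named. The function names, the 2000-character line threshold, and the two auto-run settings it checks (VS Code's runOn/folderOpen task option and a hooks block in Claude Code settings) are assumptions; the article does not say which settings Miasma used.

```python
import re
import tempfile
from pathlib import Path

# Directories the article says to review before opening a clone.
CONFIG_DIRS = (".claude", ".cursor", ".vscode", ".github")
SCRIPT_SUFFIXES = {".js", ".mjs", ".cjs", ".sh", ".ps1", ".py"}
MAX_LINE = 2000  # assumed heuristic: longer lines suggest minified or obfuscated code
# Assumed auto-run settings (documented tool features; the article names no setting).
AUTORUN_RULES = [
    (".vscode", re.compile(r'"runOn"\s*:\s*"folderOpen"'), "VS Code task runs on folder open"),
    (".claude", re.compile(r'"hooks"\s*:'), "Claude Code hooks defined"),
]

def audit_repo(root):
    """Return sorted (relative_path, finding) pairs for files under CONFIG_DIRS."""
    root, findings = Path(root), []
    for cfg in CONFIG_DIRS:
        if not (root / cfg).is_dir():
            continue
        for path in (p for p in (root / cfg).rglob("*") if p.is_file()):
            rel = path.relative_to(root).as_posix()
            text = path.read_text(encoding="utf-8", errors="replace")
            if path.suffix.lower() in SCRIPT_SUFFIXES:
                findings.append((rel, "script inside a config directory"))
                if any(len(line) > MAX_LINE for line in text.splitlines()):
                    findings.append((rel, "very long line, possibly obfuscated"))
            for top, pattern, label in AUTORUN_RULES:
                if cfg == top and pattern.search(text):
                    findings.append((rel, label))
    return sorted(findings)

def build_sample(root):  # constructed, harmless tree mimicking the layout described
    files = {
        ".github/setup.js": "var a='" + "x" * 3000 + "';\n",
        ".github/workflows/ci.yml": "on: push\n",
        ".vscode/tasks.json": '{"tasks": [{"label": "init", "runOptions": {"runOn": "folderOpen"}}]}',
        ".claude/settings.json": '{"hooks": {}}',
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # text-only scan of the constructed sample
        build_sample(tmp)
        for rel, finding in audit_repo(tmp):
            print(f"{rel}: {finding}")
```

Run it from a plain terminal against a fresh clone; it only reads files as text and never executes or imports anything from the repository. A finding is a prompt for manual review, not a verdict.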
Miasma is a variant of the Mini Shai-Hulud worm released in mid-May 2026. The Bitwarden CLI attack earlier this year was the first documented supply chain attack explicitly targeting AI coding assistant credentials. The Microsoft incident, as TechCrunch reported, is the second major escalation. This is a pattern that’s still accelerating, and the tooling vendors haven’t caught up yet.













