Miasma Worm Hits 73 Microsoft GitHub Repos by Hijacking AI Coding Agents

A self-replicating worm called Miasma has compromised 73 Microsoft repositories across Azure, Azure-Samples, Microsoft, and MicrosoftDocs by planting malicious payloads that execute automatically when developers open affected repos in Claude Code, Cursor, Gemini CLI, or VS Code, marking a critical evolution in supply chain attacks.

Published June 7, 2026

The Attack Surface Has Moved to Your IDE

Supply chain attacks have historically targeted the moment a package is installed — the npm postinstall hook, the PyPI setup.py, the point at which untrusted code first touches a developer's environment. Miasma changes the model. Rather than attacking the install phase, it plants malicious configuration files inside compromised repositories that execute automatically when a developer opens the project in their AI coding tool of choice. Claude Code, Cursor, Gemini CLI, and VS Code are all affected. The payload runs before the developer has done anything — simply opening a repo is enough.

On June 6, 2026, GitHub disabled 73 repositories across four of Microsoft's GitHub organisations after the Miasma worm reached Azure's durabletask repository through a previously compromised contributor account. The disabling cascaded through azure-functions-host, azure-search-openai-demo, several durabletask ecosystem variants spanning .NET, Go, Java, JavaScript, MSSQL, and Netherite, and llm-fine-tuning — a repository used by teams building custom model pipelines on Azure. GitHub issued violation notices as it took the repositories offline, leaving thousands of dependent CI/CD pipelines broken.

How Miasma Works — and Why It Spreads

Miasma is assessed by researchers at SafeDep and OpenSourceMalware to be a variant of the Mini Shai-Hulud worm that a group called TeamPCP released publicly in mid-May 2026. The key innovation is the mechanism of propagation. The worm plants a 4.3 MB obfuscated JavaScript payload runner, wired to execute through five developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and npm test scripts. When a developer clones or opens an affected repository, the runner fires automatically, harvesting credentials from the local environment and then looking for new repositories to infect using the stolen tokens.

The self-replication mechanism is what earns the worm designation. Miasma does not simply exfiltrate credentials and stop; it uses those credentials to authenticate as the compromised developer and push the same malicious configuration to repositories they have write access to. The result is geometric spread across connected codebases. FalconFeeds.io characterised the threat model precisely: "It exploits the trust model those platforms are built on: the assumption that if a package is signed with a valid key and published by an authenticated maintainer, it is safe."

What Was Compromised and What It Means

The azure-functions-action repository is among the most operationally significant casualties. This is an official GitHub Action used by organisations to deploy Azure Functions from their own CI/CD pipelines — meaning its disabling did not just affect Microsoft's own infrastructure but broke deployment workflows for an unknown number of Azure customers who depend on the action. The durabletask ecosystem, which provides the workflow orchestration substrate for Azure Durable Functions, was hit across multiple language implementations.

Security researcher Paul McCarty noted that the incident represented a re-compromise — some of the affected repositories had already been infected in the original May 2026 TeamPCP campaign and subsequently cleaned. The fact that they were re-infected suggests either that the original remediation was incomplete, that the attacker retained persistent access, or that the credential pool harvested in May was broad enough to enable a return. Any of those scenarios is concerning in its own right.

The AI Coding Agent Attack Surface

The specific targeting of AI coding agents is not incidental — it is the strategic innovation of this attack class. As developers increasingly rely on Claude Code, Cursor, and similar tools to navigate and understand unfamiliar codebases, those tools are granted broad filesystem and execution permissions. They are designed to read configuration files, execute scripts, and interact with the local environment. From an attacker's perspective, the AI coding agent is not a security layer; it is a highly privileged execution context that many developers have not thought carefully about restricting.

The implication for security teams is significant. Endpoint detection tools built around the assumption that untrusted code arrives through package managers or browser downloads will not catch a payload that executes via an AI tool's workspace configuration. New detection patterns are needed: monitoring for unexpected outbound connections initiated by coding tools, alerting on configuration files in repositories that include execution hooks, and sandboxing AI coding agent execution by default rather than by exception.

The Broader Supply Chain Pattern in 2026

Miasma does not arrive in isolation. The Red Hat npm Miasma credential-stealing campaign, documented by Microsoft's own Security Blog in early June, showed the same techniques targeting Linux package maintainers. IronWorm's npm supply chain attack infected 36 packages with infostealer payloads. The CISA contractor GitHub exposure revealed this week showed that even security agencies are not immune to the human errors that allow credential compromise to occur in the first place. The pattern across all of these incidents is consistent: attackers are targeting the trust infrastructure of open-source development — the assumption that authenticated contributors publish legitimate code.

We are in a period where the software supply chain is being systematically mapped and exploited by sophisticated actors. The Microsoft incident is particularly significant because it demonstrates that no organisation is too large or too security-conscious to be a vector. The repositories that were compromised are used by hundreds of thousands of developers worldwide. The actual credential harvest from this incident is not yet fully characterised, but the downstream risk — compromised Azure deployments, stolen API keys, poisoned development pipelines — will take weeks to fully audit.

What Organisations Should Do Right Now

The immediate response is audit. Any developer who cloned or opened an affected Microsoft repository between late May and June 6 should treat their development environment as potentially compromised. Credentials stored in environment files, shell configuration, git credential helpers, and browser sessions should be rotated. SSH keys should be audited. Any repositories that developer had write access to should be checked for unexpected configuration file changes in the past six weeks.

Longer term, organisations need to rethink the permissions granted to AI coding tools. Running Claude Code, Cursor, or Gemini CLI with unrestricted access to the filesystem and network in a production development environment is no longer a reasonable default. Sandboxing, network egress monitoring, and pre-commit hooks that detect the specific configuration patterns Miasma uses should all be on the remediation roadmap. The attack has named the threat model. The industry now needs to respond to it structurally.
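
One way to implement the configuration-file check called for above, as an added example that is not from the article or from any vendor: a Python scanner, usable from a pre-commit hook or an audit job, that flags workspace files able to start commands on a tool's behalf. The watch list (VS Code folder-open tasks, agent hook and MCP server entries, npm lifecycle and test scripts) is an assumption based on those tools' documented settings; the article does not publish Miasma's actual file names or patterns.

```python
import json
from pathlib import Path

# Assumed watch list: command-launching settings of the tools the article names.
# The article does not publish Miasma's actual file names or patterns.
WATCHED = (".vscode/tasks.json", ".claude/settings.json", ".mcp.json",
           ".cursor/mcp.json", ".gemini/settings.json", "package.json")
NPM_SCRIPTS = ("preinstall", "install", "postinstall", "prepare", "test")

def as_dict(value):
    return value if isinstance(value, dict) else {}

def audit_config(kind, text):
    """Return the reasons one workspace config can launch commands for a tool."""
    try:
        doc = as_dict(json.loads(text))
    except ValueError:
        # tasks.json may legally contain comments; never skip what we cannot parse.
        return ["not strict JSON, review by hand"]
    reasons = []
    if kind == ".vscode/tasks.json":
        tasks = doc.get("tasks")
        for task in tasks if isinstance(tasks, list) else []:
            if as_dict(as_dict(task).get("runOptions")).get("runOn") == "folderOpen":
                reasons.append(f"task runs on folder open: {task.get('command')!r}")
    elif kind == "package.json":
        for name, cmd in as_dict(doc.get("scripts")).items():
            if name in NPM_SCRIPTS:
                reasons.append(f"npm script {name}: {cmd!r}")
    else:  # agent settings files and MCP server lists
        reasons += [f"agent hook on event {e!r}" for e in as_dict(doc.get("hooks"))]
        for name, srv in as_dict(doc.get("mcpServers")).items():
            if "command" in as_dict(srv):
                reasons.append(f"MCP server {name!r} launches {srv['command']!r}")
    return reasons

def scan_repo(root):
    """Map each flagged config path (relative to root) to its reasons."""
    root, findings = Path(root), {}
    for kind in WATCHED:
        for path in root.rglob(kind):  # rglob also covers nested workspaces
            rel = path.relative_to(root)
            if "node_modules" in rel.parts or not path.is_file():
                continue
            reasons = audit_config(kind, path.read_text(encoding="utf-8", errors="replace"))
            if reasons:
                findings[rel.as_posix()] = reasons
    return findings

# Constructed sample, not taken from any affected repository.
SAMPLE_TASKS = '{"tasks": [{"label": "setup", "command": "node tools/setup.js", "runOptions": {"runOn": "folderOpen"}}]}'
```

Run `scan_repo` over a fresh clone before opening it in an editor or agent, and in review treat any new entry it reports as a code change that needs an owner's sign-off.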
