Inside the Miasma Worm Attack: How Malware Weaponized AI Coding Tools Against Microsoft GitHub

On June 5, 2026, a self-replicating malware strain known as the Miasma worm forced GitHub to disable 73 Microsoft-owned repositories in a mere 105 seconds . This was not a minor code injection; it was a sophisticated supply chain attack that weaponized the very tools developers trust most—their AI coding assistants. The affected repositories spanned four core Microsoft organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs . The attack represents a pivotal moment in cybersecurity, where the act of simply opening a codebase in an AI-powered environment became a trigger for credential theft.

How the Attack Unfolded: AI Tools as a Trigger

The attack's novelty lay in its execution path, bypassing traditional security checks by turning developer tools into attack vectors.

• The Entry Point: The breach started with a malicious commit pushed to the Azure/durabletask repository using a previously compromised contributor account . To evade detection, the commit was titled "Switched DataConverter to OrchestrationContext [skip ci]" and its metadata was backdated to March 2020 .
• Payload Delivery via AI Assistants: The commit did not alter traditional source code. Instead, it planted configuration files, such as settings for Claude Code, Gemini CLI, and Cursor . When a developer opened the infected repository in Claude Code, Gemini CLI, Cursor, or Visual Studio Code (VS Code), these AI tools automatically read the configuration files, executing a hidden credential-harvesting payload .
• What Was Stolen: Once executed, the worm harvested a wide range of critical credentials from the developer's machine and associated environments, including those for AWS, GCP, Azure, HashiCorp Vault, Kubernetes, and GitHub Actions .
• Self-Replication: After stealing credentials, the worm used them to push the same malicious commit to other repositories accessible to the victim, enabling it to spread rapidly across multiple organizations .

The Origin: The Red Hat npm Compromise

The Microsoft GitHub incident was the final act of a campaign that began days earlier in the open-source software supply chain.

On June 1, 2026, attackers used a stolen Red Hat employee's GitHub account to publish backdoored versions of 32 official @redhat-cloud-services npm packages, spanning over 90 versions . Microsoft Threat Intelligence traced the compromise back to the upstream RedHatInsights/javascript-clients CI/CD pipeline, allowing the attackers to publish trojanized packages with legitimate-looking authentic provenance signatures . These malicious packages carried an obfuscated preinstall script that executed a credential stealer upon installation, laying the groundwork for the wider Miasma propagation .

Response and Containment

The response to the attack was swift and decisive, but the incident's implications run deep.

• Immediate Disablement: GitHub's automated abuse detection systems disabled all 73 infected repositories in two discrete waves, immediately blocking public access and displaying a "terms of service violation" notice .
• Recovery and Remediation: Microsoft fully restored all affected repositories by June 8 and notified impacted customers . A key finding was that the attacker reused unrotated GitHub Actions secrets to maintain and broaden access, indicating that a previous compromise had not been fully cleaned .
• A Deeper Root: Investigations revealed that the stolen credentials used in the June 5 attack had been sitting in active stealer logs for 48 days prior to weaponization, underscoring a long-term intrusion that predated the worm's activation .

Attribution: The Shai-Hulud Legacy and Copycat Problem

Miasma is a direct descendant of the Mini Shai-Hulud worm framework, a toolkit created by the threat group known as TeamPCP . TeamPCP’s earlier campaign, disclosed on May 12, 2026, had already compromised over 170 npm and PyPI packages, which had amassed more than 518 million cumulative downloads, targeting AI developer libraries directly .

The situation is further complicated because TeamPCP open-sourced the Mini Shai-Hulud framework . This means an unknown number of copycat actors have access to the same codebase. While the techniques and code strongly link Miasma to TeamPCP's lineage, multiple security researchers caution that a definitive attribution to the original group cannot be made, as any actor with the open-source toolkit could have orchestrated part or all of this specific wave .

Security Recommendations for Developers

The Miasma attack fundamentally redefines security boundaries. Opening a code repository is no longer a passive, safe action. Researchers have coalesced around several key recommendations:

• Revoke and Rotate Everything: Immediately rotate all GitHub Actions tokens, cloud provider credentials, npm publish tokens, and any other secrets that could have been exposed through CI/CD logs, infected repositories, or stealer logs .
• Enforce Strict MFA: Require multi-factor authentication, preferably using hardware security keys, for all contributor accounts to prevent credential-based intrusions .
• Sanitize AI Tooling Trust Boundaries: Treat untrusted repositories as you would an unknown binary. Configure AI coding agents (Claude Code, Cursor, Gemini CLI, VS Code) to not auto-execute or auto-read configuration files and tasks from repositories .