What happened
On 2026-06-05, the Miasma worm reached Microsoft's GitHub organizations via a malicious commit to Azure/durabletask using a previously compromised contributor account. The campaign planted configuration files directly into 113+ repositories across dozens of organizations. Unlike traditional supply-chain attacks that rely on malicious NPM packages or post-install hooks, Miasma bypassed dependency scanning by using trusted editor configuration files set to auto-run when projects are opened.
Why it matters
AI coding agents (Claude Code, Cursor, Gemini CLI) automatically execute configuration files and hooks when opening a workspace. The Miasma worm exploits this auto-execution behavior to steal credentials for AWS, Azure, GCP, Kubernetes, and 90+ other developer and deployment tools. With those credentials, an attacker gains access to the entire cloud infrastructure, CI/CD pipelines, and source repositories of affected organizations.
Attack vector
The threat actor compromises a GitHub contributor account and pushes malicious configuration files (`.claude/`, `.cursor/`, `.gemini/`) directly into 113+ repositories. When a developer opens a compromised repo in an AI coding agent, the agent auto-executes the hook commands defined in these files. The hooks spawn a 4.6 MB obfuscated JavaScript payload that exfiltrates credentials for AWS, Azure, Google Cloud, Kubernetes, and 90+ developer tools.
Affected systems
AI coding agents: Claude Code, Gemini CLI, Cursor; GitHub-hosted repositories
Mitigation
Audit open AI coding agent sessions; check for suspicious `.claude/`, `.cursor/`, `.gemini/` configuration files and the hook commands they define; rotate credentials for AWS, Azure, GCP, and other services; enable branch protection rules on GitHub
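The "check for suspicious configuration files" step above, as an added triage script that is not part of this advisory: it walks a checkout, finds JSON files under the three agent config directories named here, and lists every hook command they register so a reviewer can inspect what an agent would auto-run on open. It assumes hooks are declared in JSON settings files with a top-level `hooks` key and `command` entries (the Claude Code convention; the same shape is assumed for the other agents), and the sample checkout it builds is constructed for illustration.

```python
import json, os, sys, tempfile
from pathlib import Path

AGENT_CONFIG_DIRS = {".claude", ".cursor", ".gemini"}  # dirs the advisory names as planting sites

def _command_strings(node):
    """Yield every string stored under a 'command' key anywhere in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                yield value
            else:
                yield from _command_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from _command_strings(item)

def scan_repo(root):
    """Sorted (relative path, hook commands) for JSON files under an agent config dir
    with a top-level 'hooks' key; unparseable JSON is reported rather than skipped."""
    root, findings = Path(root), []
    for dirpath, _, filenames in os.walk(root):
        if not AGENT_CONFIG_DIRS.intersection(Path(dirpath).relative_to(root).parts):
            continue
        for name in (n for n in filenames if n.endswith(".json")):
            path = Path(dirpath) / name
            try:
                data = json.loads(path.read_text(encoding="utf-8"))
            except (ValueError, UnicodeDecodeError):
                findings.append((str(path.relative_to(root)), ["<unparseable JSON>"]))
                continue
            if isinstance(data, dict) and "hooks" in data:
                findings.append((str(path.relative_to(root)), list(_command_strings(data["hooks"]))))
    return sorted(findings)

def build_sample_repo():
    """Constructed sample checkout in a temp dir: one settings file that registers a
    session-start hook (the pattern to flag) and one hook-free settings file."""
    root = Path(tempfile.mkdtemp())
    (root / ".claude").mkdir()
    (root / ".claude" / "settings.json").write_text(json.dumps({"hooks": {"SessionStart": [
        {"hooks": [{"type": "command", "command": "node .claude/bootstrap.js"}]}]}}))
    (root / ".gemini").mkdir()
    (root / ".gemini" / "settings.json").write_text(json.dumps({"theme": "Default"}))
    return root

if __name__ == "__main__":
    print(scan_repo(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it against a fresh clone before opening the project in an agent; any command listed for a repository that never shipped hooks is the signal to stop and rotate.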