Last Thursday, GitHub disabled 73 repositories across four Microsoft GitHub organisations — Azure, Azure-Samples, Microsoft, and MicrosoftDocs — after a self-replicating worm called Miasma wormed its way through AI coding agent configuration files. The attack exfiltrated over 2,400 secrets before automated detection kicked in.
This was not a conventional supply chain attack. Miasma did not poison a package registry or compromise a build pipeline. It planted configuration files that execute the moment a developer opens a repository in Claude Code, Cursor, Gemini CLI, or VS Code. The simple act of cloning and opening a repo — something every developer does dozens of times a week — became the trigger.
TL;DR
- The Miasma worm hit 73 Microsoft GitHub repositories on 5 June 2026 by exploiting AI coding agent configuration files that auto-execute on repo open
- It planted malicious .claude, .cursor, and .vscode config files containing a 4.3 MB obfuscated credential-harvesting payload
- Over 2,400 secrets were exfiltrated, including AI model tokens, cloud credentials, and SSH keys
- Miasma is a variant of the Shai-Hulud worm released by TeamPCP in May 2026 — and it specifically targets AI coding tools as the execution vector
- Development teams must treat repository-level configuration files as untrusted code and enforce workspace trust boundaries immediately
How Miasma Works: Three Waves in Five Days
Miasma launched on 1 June 2026 and escalated rapidly across three distinct attack waves:
Wave 1 (1 June): Malicious npm packages with preinstall hooks — a well-worn vector, but effective. These packages harvested credentials from developer machines and established initial footholds.
Wave 2 (3 June): Malicious binding.gyp files injected into repositories. When npm install triggers native compilation, the payload executes silently during the build process.
Wave 3 (3–5 June): The novel attack. Using contributor credentials stolen in earlier waves, the attackers pushed malicious commits directly to legitimate repositories. These commits planted five configuration files targeting four different AI coding tools — each designed to auto-execute a 4.3 MB obfuscated JavaScript dropper the moment a developer opens the repository in their editor.
The critical insight: Wave 3 exploited a trust model that most development teams have not even considered. AI coding agents read workspace configuration files on initialisation. Those files can contain instructions, hooks, and shell commands. Miasma weaponised that implicit trust.
Why AI Coding Agents Changed the Threat Model
Before AI coding agents, opening a repository was essentially a read operation. Your editor loaded files, syntax highlighted them, maybe ran a linter. The blast radius of a malicious file in a repo was limited — you had to deliberately execute something.
AI coding agents changed that calculus entirely. Modern development tools now:
- Auto-execute workspace configuration — files like .claude/settings.json, .cursor/rules, and .vscode/settings.json are loaded and acted upon automatically
- Run shell commands on behalf of the developer — agents can execute terminal commands, install packages, and modify files as part of their workflow
- Consume context from the repository — including README files, configuration, and documentation that could contain prompt injection payloads
- Operate with the developer’s full credentials — SSH keys, cloud tokens, npm auth tokens, and API keys are all accessible to any process running in the developer’s session
The Miasma worm specifically hunted for tokens associated with AI model training, inference endpoints, and code-generation services. Stolen AI credentials are particularly valuable — they provide access to expensive compute resources and, increasingly, to proprietary codebases and business logic that developers discuss with their AI assistants.
The Shai-Hulud Connection
Miasma is assessed to be a variant of the Mini Shai-Hulud worm that the threat actor group TeamPCP publicly released in mid-May 2026. TeamPCP — the same group behind the GitHub internal breach that exposed 4,000 repositories — has been systematically probing the boundaries of AI-assisted development tooling.
The public release of Shai-Hulud was effectively a proof of concept that anyone could adapt. Miasma represents the first major adaptation: a self-replicating campaign that infected 113+ GitHub repositories across dozens of accounts within days.
This pattern — research group releases proof of concept, criminal actors weaponise it within weeks — is not new. But the speed of adaptation and the novelty of the attack surface should concern every development team.
What Your Team Needs to Do Right Now
1. Audit Your Workspace Trust Settings
Every major editor now has workspace trust controls. Use them. VS Code’s Restricted Mode, Claude Code’s workspace trust prompts, and Cursor’s safety settings exist precisely for this scenario. Ensure your team has not disabled these protections for convenience.
2. Treat Configuration Files as Code
Any file that auto-executes — .vscode/settings.json, .claude/ directories, .cursor/rules, binding.gyp, package.json scripts — must be reviewed with the same scrutiny as application code. Add these paths to your code review checklists. Flag changes to them in pull request automation.
3. Rotate Credentials Immediately
If any member of your team has opened repositories from unfamiliar sources in the past fortnight, rotate:
- npm and PyPI authentication tokens
- Cloud provider credentials (AWS, GCP, Azure)
- AI service API keys (OpenAI, Anthropic, Google)
- SSH keys used for Git operations
- Any secrets stored in environment variables on developer machines
4. Implement Configuration File Scanning in CI
Add automated checks that flag new or modified AI coding agent configuration files in pull requests. A .claude/settings.json appearing in a PR for a backend API should raise immediate questions. Tools like StepSecurity’s Harden-Runner can detect unexpected outbound network calls during CI runs.
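One way to implement the check from steps 2 and 4, as an added example (not code from REPTILEHAUS or any tool named above): it parses `git diff --name-status` output for a pull request and flags changes to the auto-executing paths listed in step 2, plus npm install lifecycle hooks in package.json. The sample diff and file contents are constructed, and the function names are hypothetical.

```python
import json
import posixpath
import sys

# Paths the article names as auto-executing on repo open or npm install.
WATCHED_DIRS = (".claude", ".cursor", ".vscode")
WATCHED_FILES = ("binding.gyp",)
INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # npm lifecycle scripts

def parse_name_status(diff_text):
    """Turn `git diff --name-status` output into (status, path) pairs.
    For renames/copies (e.g. "R100 old new") the new path is used."""
    rows = (line.split("\t") for line in diff_text.splitlines())
    return [(f[0][0], f[-1]) for f in rows if len(f) >= 2 and f[0]]

def is_watched(path):
    parts = posixpath.normpath(path).split("/")
    return parts[-1] in WATCHED_FILES or any(p in WATCHED_DIRS for p in parts[:-1])

def install_hooks(package_json_text):
    """Return the install-time lifecycle scripts a package.json declares."""
    try:
        scripts = json.loads(package_json_text).get("scripts") or {}
        return [h for h in INSTALL_HOOKS if h in scripts]
    except (ValueError, AttributeError, TypeError):
        return ["unparseable"]  # fail closed: a human should look at it

def review(diff_text, contents):
    """contents maps path -> file text at the PR head (for package.json)."""
    findings = []
    for status, path in parse_name_status(diff_text):
        if status == "D":  # deletions remove the auto-exec surface
            continue
        if is_watched(path):
            findings.append((path, "added" if status == "A" else "changed"))
        elif posixpath.basename(path) == "package.json":
            hooks = install_hooks(contents.get(path, "{}"))
            if hooks:
                findings.append((path, "install hooks: " + ",".join(hooks)))
    return findings

# Constructed sample input, not taken from any real repository.
SAMPLE_DIFF = ("M\tsrc/server.js\nA\t.claude/settings.json\n"
               "M\tpackages/api/.vscode/settings.json\n"
               "R100\tbuild.gyp\tbinding.gyp\nM\tpackage.json\nD\t.cursor/rules\n")
SAMPLE_CONTENTS = {"package.json": '{"scripts": {"test": "jest", "preinstall": "node setup.js"}}'}

if __name__ == "__main__":
    found = review(SAMPLE_DIFF, SAMPLE_CONTENTS)
    for path, reason in found:
        print(f"REVIEW REQUIRED {path}: {reason}")
    sys.exit(1 if found else 0)
```

In CI, feed it the output of `git diff --name-status` between the PR base and head; the non-zero exit code fails the job so that a reviewer has to approve the flagged paths.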
5. Segregate Developer Credentials
The days of a single developer machine holding credentials for every service are over. Use short-lived tokens where possible. Implement credential isolation between projects. Consider ephemeral development environments — containers or cloud workspaces — that limit the blast radius of a compromised workspace.
The Bigger Picture: Repository as Attack Surface
Miasma is not the end of this story. It is the beginning. The attack demonstrated that AI coding agents have created a new class of implicit trust relationship: the assumption that a repository’s configuration files are safe to execute.
This mirrors the evolution of web security. In the early days, nobody thought twice about loading third-party scripts. Then XSS became endemic, and we built Content Security Policies. Nobody worried about SQL injection until Bobby Tables became a meme, and we built parameterised queries.
We are now at that inflection point for developer tooling. The repository is no longer a passive collection of source files. It is an execution environment — and it needs to be treated as one.
The industry response is already underway. Microsoft’s June 2026 announcement that VS Code will apply a two-hour delay before auto-updating extensions is one step. But the deeper fix requires a fundamental rethinking of how AI coding agents handle workspace initialisation, permission boundaries, and credential access.
How REPTILEHAUS Can Help
At REPTILEHAUS, we have been building secure development pipelines long before AI agents entered the picture. Our DevSecOps practice helps teams implement credential isolation, CI/CD security scanning, and workspace trust policies that protect against exactly this class of attack.
If the Miasma worm has your team asking difficult questions about your development security posture, get in touch. We specialise in helping development teams build securely without sacrificing velocity.