Miasma Worm Hits 73 Microsoft GitHub Repositories, Targeting Developers With AI Coding Tools

The Miasma supply chain worm reached Microsoft's GitHub infrastructure on June 5, 2026, compromising 73 repositories across four Microsoft GitHub organizations — Azure, Azure-Samples, Microsoft, and MicrosoftDocs — before GitHub's automated detection systems disabled the affected repositories in approximately 105 seconds. The incident is the latest in an ongoing Miasma campaign that has now targeted PyPI packages, Red Hat npm packages, and Microsoft's own open-source repository infrastructure in the space of six weeks, as reported by The Hacker News and security firm StepSecurity.
The attack vector was a malicious commit pushed to the Azure/durabletask repository using a previously compromised contributor account. The commit introduced configuration files specifically designed to execute a credential-harvesting payload when a developer opens the repository in AI-powered coding tools — including Claude Code, Gemini CLI, Cursor, and VS Code with certain AI extensions. Once triggered, the payload steals authentication credentials for AWS, Azure, Google Cloud, Kubernetes, npm, and GitHub, then uses those credentials to propagate the worm to other repositories accessible from the compromised accounts.
The durabletask Repository at the Center
The Azure/durabletask repository is significant because it is the root of Microsoft's Durable Task Framework ecosystem — a widely used orchestration library for building reliable, stateful workflows in .NET, Go, JavaScript, and other runtimes. Azure Functions, a major Microsoft cloud service, depends on this ecosystem. Security researcher Paul McCarty, who goes by the handle 6mile, noted the scope of the cascade: not only was the root Azure/durabletask disabled, but every sibling repository in the Durable Task ecosystem was also taken offline, including durabletask-dotnet, durabletask-go, durabletask-js, durabletask-mssql, and the Durable Functions monitor.
The durabletask package on PyPI, the Python distribution of the same framework, was compromised by TeamPCP in a separate attack on May 19, 2026, which infected the package with an information stealer targeting Linux systems. Returning to the same ecosystem as a reinfection vector less than three weeks later suggests TeamPCP had specifically reconnoitred it, identifying durabletask as a high-value propagation hub with broad downstream install exposure.
The Miasma Campaign
Miasma is a variant of the Mini Shai-Hulud worm initially developed by the TeamPCP threat group. The campaign has moved through three distinct waves in 2026:
On May 19, a compromised contributor account, the same account later used against Azure/durabletask on GitHub, infected the durabletask PyPI package with an information stealer for Linux. On June 1, Miasma infected 32 Red Hat npm packages in a credential-theft campaign documented by Wiz and SOC Prime. On June 5, the worm reached Microsoft's GitHub repositories, expanding the campaign's scope to one of the most widely used enterprise open-source ecosystems in the world.
What distinguishes Miasma from conventional supply chain attacks is its self-replicating mechanism: instead of the threat actor manually compromising each target, the worm uses credentials stolen from one victim to identify and infect additional repositories reachable with those credentials. Because that propagation is automatic, 73 repositories were compromised even though GitHub disabled them within roughly 105 seconds, a fast response by any standard.
The AI Coding Tool Attack Surface
The use of AI coding tool configuration files as the payload trigger is a notable evolution in supply chain attack technique. When developers open a repository in Claude Code, Cursor, Gemini CLI, or similar tools, those tools often automatically read configuration files from the repository to set up context — project-specific prompts, tool configurations, or environment settings. Miasma's malicious commits inserted configuration files that abuse this trusted execution context to run the credential-harvesting payload without explicit developer interaction. The developer simply opens the repository and the payload runs before they see any code.
This technique is effective precisely because AI coding tools are designed to be helpful and proactive — they read repository configuration files to serve the developer better, and that behavior becomes a delivery mechanism when a repository has been compromised. Developers who opened any of the 73 affected Microsoft repositories in an AI-assisted coding environment between the commit time and GitHub's containment window should audit their cloud credentials and rotate any tokens or secrets that may have been accessible on the development machine.
Immediate Actions
For developers who worked with any of the affected repositories on June 5: rotate all cloud credentials (AWS, Azure, GCP, Kubernetes service accounts), revoke and regenerate npm access tokens, and check GitHub personal access tokens for unauthorized activity. For organizations that depend on the Durable Task Framework: verify that any installed packages from the June 5 window match expected checksums, and monitor for unusual outbound connections from build systems.
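One way to carry out the checksum verification step above, as an added example that is not code from the article or from the Durable Task project: the script parses a pip requirements file pinned with `--hash=sha256:` entries (the format that `pip install --require-hashes` enforces) and checks every wheel or sdist in a download directory against those digests. The package names, file contents and lock file in the test are constructed; a real run would use hashes recorded from a known-good install before June 5 and artifacts fetched with `pip download`.

```python
"""Verify downloaded Python artifacts against pinned --hash=sha256 entries.

Added example for this article, not code from the Durable Task project or the
original report. Package names and file contents used with it are constructed."""
import hashlib
from pathlib import Path


def _norm(name: str) -> str:
    """Normalize a distribution name the way wheel filenames do (hyphens and
    dots become underscores, case is folded)."""
    return name.lower().replace("-", "_").replace(".", "_")


def parse_pinned_requirements(text: str) -> dict:
    """Parse lines such as

        durabletask==1.2.3 \\
            --hash=sha256:<64 hex> --hash=sha256:<64 hex>

    into {normalized_name: (version, {hex digests})}. Backslash continuations
    are joined first; comments and blank lines are skipped. Every requirement
    must be pinned with == and carry at least one hash, as --require-hashes
    demands."""
    joined = text.replace("\\\n", " ")
    pins = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        spec, *options = line.split()
        if "==" not in spec:
            raise ValueError(f"requirement is not pinned: {spec}")
        name, version = spec.split("==", 1)
        digests = {opt[len("--hash=sha256:"):].lower()
                   for opt in options if opt.startswith("--hash=sha256:")}
        if not digests:
            raise ValueError(f"no sha256 hash pinned for {spec}")
        pins[_norm(name)] = (version, digests)
    return pins


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _name_version(filename: str) -> tuple:
    """Split 'pkg-1.2.3-py3-none-any.whl' or 'pkg-1.2.3.tar.gz' into
    (normalized name, version). Assumes the normalized filenames that
    wheels and modern sdists use, where the name itself carries no hyphen."""
    stem = filename
    for ext in (".tar.gz", ".whl", ".zip"):
        if stem.endswith(ext):
            stem = stem[: -len(ext)]
            break
    name, version = stem.split("-", 2)[:2]
    return _norm(name), version


def verify_downloads(pins: dict, download_dir) -> dict:
    """Return {filename: status} for every artifact in download_dir, where
    status is 'ok', 'mismatch' (digest not among the pins), 'version-mismatch'
    (pinned, but a different version was downloaded) or 'unpinned'."""
    results = {}
    for artifact in sorted(Path(download_dir).iterdir()):
        if not artifact.name.endswith((".whl", ".tar.gz", ".zip")):
            continue
        name, version = _name_version(artifact.name)
        pin = pins.get(name)
        if pin is None:
            results[artifact.name] = "unpinned"
        elif pin[0] != version:
            results[artifact.name] = "version-mismatch"
        elif sha256_file(artifact) in pin[1]:
            results[artifact.name] = "ok"
        else:
            results[artifact.name] = "mismatch"
    return results


def all_verified(results: dict) -> bool:
    """True only when at least one artifact was checked and all matched."""
    return bool(results) and all(status == "ok" for status in results.values())


if __name__ == "__main__":
    import sys
    # Usage: python verify_pins.py requirements.txt ./downloads
    pins = parse_pinned_requirements(Path(sys.argv[1]).read_text())
    results = verify_downloads(pins, sys.argv[2])
    for filename, status in results.items():
        print(f"{status:17} {filename}")
    sys.exit(0 if all_verified(results) else 1)
```

The pinned digests are only as trustworthy as the moment they were recorded: a lock file regenerated after a compromised release was published would pin the malicious wheel just as happily, so compare against pins committed before the incident window. For the npm packages in the June 1 wave, the `integrity` field in package-lock.json plays the same role.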
The broader lesson from Miasma's trajectory is that AI coding tools have introduced a new attack surface in the software supply chain that the security community is still mapping. Repository configuration files that execute automatically in trusted tool contexts are a vector that needs explicit security policies — both at the tool level (verification before executing remote configuration) and at the organizational level (monitoring for unexpected configuration files in trusted repositories).
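As an added example (not code from the original report, GitHub, Microsoft or StepSecurity), the following Python script implements the organizational-level check called for above and in the section on the AI coding tool attack surface: it walks a fresh checkout and flags repository-scoped AI tool configuration that can run commands when the project is opened. The file locations are the tools' documented defaults (Claude Code `.claude/settings.json` hooks, VS Code `.vscode/tasks.json` with `runOn: folderOpen`, Cursor and Gemini CLI rule and settings files) and are an assumption; the report does not name the files Miasma planted, so treat the list as a starting point rather than an indicator list from the incident. The sample repository in the test is constructed.

```python
"""Flag AI coding tool configuration in a repository checkout that can run
commands automatically when the project is opened.

Added example for this article; not code from GitHub, Microsoft or
StepSecurity. The watched paths are the tools' documented defaults and are an
assumption about where such a payload would sit, not indicators from the
Miasma incident."""
import json
from pathlib import Path

# Repository-scoped files that common AI coding tools read when a project is
# opened (assumed defaults, see module docstring).
WATCHED = {
    ".claude/settings.json": "Claude Code project settings",
    ".claude/settings.local.json": "Claude Code local settings",
    "CLAUDE.md": "Claude Code project instructions",
    ".cursor/rules": "Cursor project rules",
    ".cursorrules": "Cursor project rules (legacy single file)",
    ".gemini/settings.json": "Gemini CLI project settings",
    "GEMINI.md": "Gemini CLI project instructions",
    ".vscode/tasks.json": "VS Code tasks",
}

# Fragments typical of download-and-execute or credential-reading commands.
SUSPICIOUS = ("curl ", "wget ", "| sh", "| bash", "base64 -d", "python -c",
              "~/.aws", "~/.kube", "~/.npmrc", "~/.config/gh", "~/.azure")


def _dicts(node):
    """Yield every dict in a parsed JSON tree, depth first."""
    if isinstance(node, dict):
        yield node
        for child in node.values():
            yield from _dicts(child)
    elif isinstance(node, list):
        for child in node:
            yield from _dicts(child)


def _strings(node):
    """Yield every string value in a parsed JSON tree."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for child in node.values():
            yield from _strings(child)
    elif isinstance(node, list):
        for child in node:
            yield from _strings(child)


def _inspect(path: Path, rel: str, tool: str) -> dict:
    """Classify one watched file: 'high' if it can execute commands on open,
    'medium' if it only carries suspicious command fragments, else 'info'."""
    text = path.read_text(encoding="utf-8", errors="replace")
    tree = None
    if path.suffix == ".json":
        try:
            tree = json.loads(text)
        except ValueError:
            tree = None  # JSONC comments (VS Code allows them) or malformed JSON
    auto_exec = []
    if tree is not None:
        if any("hooks" in d for d in _dicts(tree)):
            auto_exec.append("'hooks' block runs shell commands on tool events")
        if any(isinstance(d.get("runOptions"), dict)
               and d["runOptions"].get("runOn") == "folderOpen"
               for d in _dicts(tree)):
            auto_exec.append("task with runOn=folderOpen executes when the folder opens")
        hits = [s for s in _strings(tree) if any(k in s for k in SUSPICIOUS)]
    else:
        # Text fallback: keys are still visible even when strict parsing fails.
        if '"hooks"' in text:
            auto_exec.append("'hooks' key present (text scan)")
        if '"runOn"' in text and "folderOpen" in text:
            auto_exec.append("runOn=folderOpen present (text scan)")
        hits = [line.strip() for line in text.splitlines()
                if any(k in line for k in SUSPICIOUS)]
    reasons = list(auto_exec)
    if hits:
        reasons.append("suspicious command fragments: " + "; ".join(hits[:3]))
    severity = "high" if auto_exec else "medium" if hits else "info"
    if not reasons:
        reasons.append("present; review before opening in an AI coding tool")
    return {"path": rel, "tool": tool, "severity": severity, "reasons": reasons}


def scan_repo(root) -> list:
    """Return one finding per watched file (or per file under a watched dir)."""
    root = Path(root)
    findings = []
    for rel, tool in WATCHED.items():
        target = root / rel
        if not target.exists():
            continue
        files = (sorted(f for f in target.rglob("*") if f.is_file())
                 if target.is_dir() else [target])
        for f in files:
            findings.append(_inspect(f, f.relative_to(root).as_posix(), tool))
    return findings


def high_findings(root) -> list:
    """Paths that would run commands as soon as the repository is opened."""
    return [f["path"] for f in scan_repo(root) if f["severity"] == "high"]


if __name__ == "__main__":
    import sys
    for f in scan_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"[{f['severity']}] {f['path']} ({f['tool']}): " + "; ".join(f["reasons"]))
```

Run it against a clone before opening the directory in any AI-assisted editor, and in CI on every pull request that touches a watched path; a branch protection rule that requires human review for changes under `.claude/`, `.cursor/`, `.gemini/` and `.vscode/` covers the monitoring for unexpected configuration files described above. The text-scan fallback is deliberate: VS Code's tasks.json permits comments, so a strict JSON parser would otherwise skip exactly the file an attacker has the most reason to use.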
Originally reported by The Hacker News / StepSecurity. Read the original article for additional details.