Miasma Worm Exploits AI Coding Agents, Targets 100+ GitHub Repositories
Key Takeaways
- ▸Miasma worm used GitHub source repositories as an attack vector, compromising 100+ repos by injecting malicious commits disguised as dependency updates
- ▸Exploited auto-run features of five developer tools (Claude Code, Gemini CLI, Cursor, VS Code, npm) to execute payload without user interaction—opening an IDE is sufficient to trigger infection
- ▸Attack chained configuration files (settings.json, tasks.json, project rules) to trigger a single executable payload, abusing legitimate IDE automation mechanisms
Summary
On June 3, 2026, the Miasma worm launched a coordinated attack on AI developers through a second vector: malicious commits directly to GitHub repositories. While the npm registry attack involved 57 poisoned packages, the GitHub arm targeted 100+ repositories across dozens of accounts, including high-profile projects like Microsoft's Azure durabletask repo (1,718 stars). The attacker injected a 4.3 MB payload runner wired to execute through five developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and npm test scripts.
The attack's sophistication lies in its trigger mechanism. The malicious commits added configuration files for each tool (.claude/settings.json, .gemini/settings.json, .cursor/rules/setup.mdc, .vscode/tasks.json, package.json) that collectively execute a single payload (.github/setup.js). Each tool's auto-run feature is exploited: Claude Code and Gemini CLI use SessionStart hooks, Cursor uses an always-apply project rule, VS Code uses folder-open tasks, and npm runs the payload via a hijacked test script. Developers cloning affected repositories face no warning—the attack detonates simply by opening the folder in one of the targeted tools or running tests.
The breach exemplifies a new frontier in supply chain attacks: leveraging legitimate security and automation features of developer tools against themselves. The maintainer of mantine-datatable had his GitHub account suspended during the incident. Security teams at SafeDep and StepSecurity documented the attack's layered techniques and confirmed a byte-level match to the Miasma family dropper.
- Affected high-profile repositories including Microsoft's Azure durabletask repo using stolen contributor PAT tokens and backdated commits to hide in dormant branches
- Targets AI-assisted development supply chain: developers cloning repos to debug issues instantly execute payload upon opening the folder in AI coding agents
Editorial Opinion
This attack represents a concerning shift in supply chain security: the weaponization of developer tool automation features against the developers who rely on them. By exploiting legitimate mechanisms like SessionStart hooks and task runners, the attacker transformed safety features into attack surfaces. The fact that opening a repository in Claude Code or Gemini CLI can silently execute arbitrary code is unsettling, even with detection now in place. Future defense must distinguish between authorized automation (legitimate IDE workflows) and malicious automation (attacker-inserted config files)—a challenge that may require new security policies for AI coding agents.
