Miasma Worm Supply Chain Attack Escalates: Malicious Commits Hit Microsoft Azure Repositories, Target AI Coding Agents
Key Takeaways
- Supply chain attacks are evolving to exploit AI coding agent configuration files and IDE-level hooks rather than traditional package manager mechanisms
- 73 Microsoft repositories across 4 organizations were disabled following the June 5 incident, indicating the scale of the compromised infrastructure
- The Miasma worm's shift from PyPI package poisoning to GitHub repository compromise demonstrates persistent attacker sophistication and adaptability
Summary
On June 5, 2026, the Miasma worm campaign reached Microsoft's Azure GitHub organizations when a malicious commit was pushed to the Azure/durabletask repository using a compromised contributor account. The attack planted configuration files designed to execute credential-harvesting payloads when developers open the repository in popular AI coding tools including Claude Code, Gemini CLI, Cursor, and VS Code. GitHub responded by disabling 73 repositories across four Microsoft GitHub organizations in an automated 105-second sweep.
This incident represents a significant evolution of the Miasma campaign, which previously focused on poisoning package registries like PyPI in May 2026. The June 5 attack shifts the vector from package installation hooks to editor-level code execution, bypassing traditional supply chain defenses by targeting the developer's IDE directly through configuration files like .claude/settings.json and .cursor/rules/setup.mdc. The compromised commit was backdated six years and marked with a [skip ci] flag to evade automated CI/CD detection.
The planted files were weaponized to exploit four different attack vectors across developer tools, demonstrating sophisticated understanding of modern AI-assisted development workflows. Security researchers note that this shift from 'execute on package install' to 'execute on folder open' reveals a new class of supply chain vulnerabilities that existing defensive strategies were not designed to address.
- AI coding agents (Claude Code, Gemini CLI, Cursor, VS Code) now represent a direct attack surface that requires new defensive strategies and security hardening
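The commit traits described in the summary can be checked from repository history. The following is an added example, not code from GitHub, Microsoft, or the researchers mentioned: it flags commits that carry a [skip ci] marker, have an author date far older than their parent, or touch agent and editor configuration paths. Only `.claude/settings.json` and `.cursor/rules/setup.mdc` come from the article; the `.vscode/` and `.gemini/` prefixes, the 30-day slack, and the sample log are assumptions.

```python
from datetime import timedelta

# .claude/ and .cursor/rules/ are named in the article; .vscode/ and .gemini/
# are assumed locations for the other two tools it lists.
WATCHED = (".claude/", ".cursor/rules/", ".vscode/", ".gemini/")
BACKDATE_SLACK = timedelta(days=30).total_seconds()  # assumed tolerance

def parse_log(text):
    """Parse output of: git log --name-only --format='@%H|%P|%at|%s'"""
    commits, cur = {}, None
    for line in text.splitlines():
        if line.startswith("@"):
            sha, parents, ts, subject = line[1:].split("|", 3)
            cur = {"sha": sha, "parents": parents.split(), "time": int(ts),
                   "subject": subject, "paths": []}
            commits[sha] = cur
        elif line.strip() and cur is not None:
            cur["paths"].append(line.strip())
    return commits

def audit(text):
    """Return {sha: [reasons]} for commits that need human review."""
    commits, findings = parse_log(text), {}
    for sha, c in commits.items():
        reasons = []
        if "[skip ci]" in c["subject"].lower():
            reasons.append("skip-ci")
        # A commit authored long before its own parent was likely backdated.
        parent_times = [commits[p]["time"] for p in c["parents"] if p in commits]
        if parent_times and c["time"] < max(parent_times) - BACKDATE_SLACK:
            reasons.append("backdated")
        hits = [p for p in c["paths"] if p.startswith(WATCHED)]
        if hits:
            reasons.append("agent-config:" + ",".join(hits))
        if reasons:
            findings[sha] = reasons
    return findings

# Constructed sample log: shortened hashes and invented timestamps.
SAMPLE = """\
@c3|b2|1591315200|chore: update settings [skip ci]
.claude/settings.json
.cursor/rules/setup.mdc

@b2|a1|1780000000|fix retry timeout
src/retry.py

@a1||1779000000|initial import
README.md
"""
```

Author dates are set by whoever creates the commit, and rebased or cherry-picked commits can legitimately carry old ones, so a "backdated" finding is a prompt for review rather than proof of compromise.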
Editorial Opinion
This attack exposes a critical gap in supply chain security: AI coding agents have become primary targets precisely because they execute code based on repository configuration files, yet most organizations treat IDE-level security as a peripheral concern. The shift from package registries to editor hooks represents attackers finding higher-yield targets with lower defenses. Organizations building with AI agents must immediately adopt stricter permission models, sandboxing, and configuration validation in their development tools. This is no longer optional infrastructure, but essential security hardening.

