Supply Chain Attack Targets Claude, Gemini, and Other AI Coding Assistants Through Compromised Microsoft Repositories
Key Takeaways
- ▸The Miasma worm uses a new attack vector by weaponizing AI agent configuration files, allowing malware to execute simply by opening a project folder
- ▸The malware steals cloud credentials (AWS, GCP, Azure), GitHub secrets, password manager data, and infrastructure configurations from developer environments
- ▸73 Microsoft repositories across four organizations were compromised before the attack was detected and disabled on June 5, 2026
Summary
A sophisticated supply chain attack known as the Miasma worm has compromised 73 Microsoft-owned GitHub repositories, deploying credential-harvesting malware specifically designed to trigger inside popular AI coding assistants including Claude Code, Gemini CLI, Cursor, and VS Code. The attack, discovered on June 5, 2026, introduces a dangerous new paradigm by hiding malware in configuration files (.claude/settings.json, .gemini/settings.json, .cursor/rules/setup.mdc, and .vscode/tasks.json) that execute automatically when developers open repositories in AI agents.
Once triggered, the 4.6 MB obfuscated JavaScript payload aggressively harvests credentials across multiple attack vectors: cloud provider keys (AWS, GCP, Azure), GitHub Actions secrets from process memory, unlocked password manager data (1Password, gopass), and infrastructure configurations (.env files, Docker, Kubernetes). By stealing legitimate OAuth tokens and cloud keys, attackers can bypass traditional security scanners and spread laterally through enterprise networks.
The incident marks a critical inflection point in open-source security: developers must now treat repository configuration files with the same risk profile as executable code. Security researchers recommend developers immediately audit their environments if they've recently cloned Microsoft or Azure-related repositories using AI coding assistants, and rotate all cloud credentials and GitHub PATs as a precautionary measure.
- Developers should inspect repository root directories for suspicious .claude, .gemini, .cursor, and .vscode configuration files before opening external projects in AI tools, and immediately rotate all credentials if exposure is suspected
Editorial Opinion
The Miasma worm demonstrates that AI coding assistants have fundamentally expanded the supply chain attack surface in ways the security community hasn't fully grappled with. Because these tools automatically execute setup configurations without explicit user approval, threat actors now have a frictionless path to deploy malware that works across multiple development environments simultaneously. This incident should force a reckoning in the AI development community about permissions, transparency, and whether current safeguards are adequate for tools with this level of system access.
