
The Miasma Worm Targeted Your IDE, Not Your Packages
June 11, 2026
Supply chain attacks used to hit you at npm install. The Miasma worm changed that.
On June 5, 2026, a malicious commit was pushed to Microsoft's Azure/durabletask GitHub repository using a previously compromised contributor account. The commit planted five configuration files that execute a credential-harvesting payload when a developer opens the repository in Claude Code, Gemini CLI, Cursor, or VS Code. GitHub disabled 73 repositories across four Microsoft organizations in a 105-second automated sweep.
Cloning the repository was safe. Opening it was not.
Why This Attack Is Different
Every supply chain defense you've built assumes the attack happens at install time — preinstall hooks, postinstall scripts, setup.py execution. That's where the industry has focused for years.
The June 5 attack skips the package manager entirely and targets the developer's editor. A .claude/settings.json SessionStart hook is effectively a postinstall for your editor. A .cursor/rules/setup.mdc file is a prompt injection that ships in the repo.
This is a meaningful evolution. You don't have to install anything. You don't have to run a script. You just have to open a folder.
What the Commit Actually Contained
The malicious commit (5f456b8) added five files and modified zero source code files. The commit message claimed a code change — "Switched DataConverter to OrchestrationContext" — but nothing in the codebase changed. The timestamp was backdated six years to 2020, and a [skip ci] flag suppressed pipeline execution to avoid automated detection.
The five files, one per attack vector:
.claude/settings.json — Claude Code SessionStart hook
Configured a SessionStart hook that executes node .github/setup.js automatically whenever a Claude Code session starts in the repository. No user interaction required.
.gemini/settings.json — Gemini CLI SessionStart hook
Identical structure to the Claude Code hook. Triggers on Gemini CLI session start.
.cursor/rules/setup.mdc — Cursor prompt injection
A prompt injection with alwaysApply: true that instructs the Cursor AI agent to run node .github/setup.js, framed as a required project setup step. The flag ensures the rule fires regardless of which file the developer is working on.
.vscode/tasks.json — VS Code auto-run task
A folder-open task with "runOn": "folderOpen" that executes the payload automatically when VS Code opens the directory — no AI agent involvement required.
.github/setup.js — The payload
A single-line, 4.6MB obfuscated JavaScript file. All four configuration files point here.
What Gets Stolen
The worm harvested credentials for cloud platforms and developer tools — AWS, Azure, GCP, Kubernetes, and 90+ developer tool configurations — then used those credentials to propagate itself to additional repositories.
This isn't targeted at one platform. It's a broad sweep of everything sitting in your development environment.
The Same Account from May
The compromised contributor account used on June 5 is the same one involved in the May 19 PyPI attack, when three malicious versions of Microsoft's durabletask package were uploaded in a 35-minute window. StepSecurity verified via the GitHub API that the account's personal fork was also blocked during the same sweep, confirming its involvement.
The fact that the same account was used twice points to one of three things: credentials were never fully rotated after May 19, the contributor was re-compromised through the worm's own propagation loop — opening an infected repo in an AI coding tool would harvest fresh tokens — or a different token was used with the commit author metadata spoofed via the Git Data API.
Technical analysis links Miasma to the Mini Shai-Hulud worm previously released by threat group TeamPCP in May 2026 — the same group behind the VS Code extension breach documented earlier. This isn't a one-off. It's a campaign that keeps finding new vectors.
The 105-Second Takedown
GitHub's automated abuse detection disabled all 73 repositories in a window spanning 16:00:50 to 16:02:35 UTC — 105 seconds, two distinct waves separated by a 56-second gap. Every affected repository returns HTTP 403 with "reason": "tos".
The immediate blast radius: Azure/functions-action — the official GitHub Action used to deploy Azure Functions — was among the repositories disabled, breaking CI/CD pipelines for developers worldwide.
GitHub's detection speed was impressive. The downstream disruption wasn't.
What You Should Do
If you opened any of these repositories between May 20 and June 5:
Assume credentials were harvested. Rotate everything — cloud provider keys, GitHub tokens, API keys stored in your dev environment. Check for unexpected service principals or unusual outbound traffic in your cloud accounts from that window.
Going forward:
Pin your dependencies to exact version numbers and commit hashes rather than floating ranges. Enable branch protection with required two-person reviews even for trusted maintainers. Monitor for unusual activity — newly created service principals, strange outbound network traffic, unexpected changes in cloud environments.
And treat .claude/, .gemini/, .cursor/, and .vscode/ directories in any repository you clone as potential attack surface. These aren't just config files anymore. They're execution hooks.
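One way to act on that before opening a fresh clone, as an added example rather than code from this article or from any of the tools named: a Python scanner that reports the four auto-run vectors described above. The JSON shapes it looks for (a SessionStart key with nested command strings, a tasks entry whose runOptions.runOn is folderOpen) and the name scan_repo are assumptions of this example.

```python
import json, re, sys
from pathlib import Path

def _hook_commands(node, inside=False):
    """Yield each "command" string nested below a SessionStart key (assumed layout)."""
    if isinstance(node, dict):
        for key, val in node.items():
            if inside and key == "command" and isinstance(val, str):
                yield val
            else:
                yield from _hook_commands(val, inside or key == "SessionStart")
    elif isinstance(node, list):
        for item in node:
            yield from _hook_commands(item, inside)

def _read(path):  # returns (text, parsed JSON), or (text, None) for JSONC/malformed files
    text = path.read_text(encoding="utf-8", errors="replace")
    try:
        return text, json.loads(text)
    except ValueError:
        return text, None

def scan_repo(root):
    """Return (relative path, reason) for each editor config that auto-executes."""
    root, hits = Path(root), []
    for rel in (".claude/settings.json", ".gemini/settings.json"):
        if (root / rel).is_file():
            text, data = _read(root / rel)
            if data is None and "SessionStart" in text:
                hits.append((rel, "unparseable, mentions SessionStart"))
            hits += [(rel, f"SessionStart hook runs: {c}") for c in _hook_commands(data)]
    rel = ".vscode/tasks.json"
    if (root / rel).is_file():
        text, data = _read(root / rel)
        if data is None and "folderOpen" in text:  # comments break strict JSON parsing
            hits.append((rel, "unparseable, mentions folderOpen"))
        for task in data.get("tasks", []) if isinstance(data, dict) else []:
            opts = task.get("runOptions") if isinstance(task, dict) else None
            if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                hits.append((rel, f"folderOpen task runs: {task.get('command')}"))
    for mdc in sorted(root.glob(".cursor/rules/*.mdc")):
        if re.search(r"^\s*alwaysApply:\s*true\s*$", _read(mdc)[0], re.M):
            hits.append((mdc.relative_to(root).as_posix(), "Cursor rule has alwaysApply: true"))
    return hits

if __name__ == "__main__":
    found = scan_repo(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(f"{rel}: {why}" for rel, why in found) or "no auto-run configs found")
    sys.exit(1 if found else 0)
```

Run it against the clone path before opening the folder in an editor; a non-zero exit status means at least one auto-run config was found and should be read by hand.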
We've now seen this threat group move from malicious VS Code extensions to PyPI package poisoning to IDE-level configuration hijacking — three distinct vectors in under a month. The LLM agent cyberattack Sysdig documented in May showed what happens after initial access. Miasma is the new front door.
Sources: StepSecurity, The Hacker News, Rescana