Miasma Supply Chain Worm Disables 73 Microsoft GitHub Repositories in 105 Seconds — By Targeting Claude Code, Gemini CLI and VS Code

Awais Khalid

June 7, 2026


Summary of Major Developments

  • 73 Microsoft repositories disabled June 5, 2026: GitHub disabled 73 repositories across four Microsoft GitHub organisations — Azure, Azure-Samples, Microsoft, and MicrosoftDocs — on June 5, 2026, following the discovery of malicious commits introduced by the Miasma supply chain worm. GitHub’s automated mitigation systems completed the containment sweep in 105 seconds. The initial compromise vector was a malicious commit pushed to the Azure/durabletask repository using credentials from a previously compromised Microsoft contributor account.
  • Attack targets AI coding tools as the trigger: Miasma’s attack mechanism is architecturally novel: rather than exploiting package installation hooks that conventional security tools monitor, the worm plants configuration files that execute a credential-harvesting payload when a developer opens the affected repository in an AI coding tool or IDE. The targeted tools are Claude Code, Gemini CLI, Cursor, and VS Code — the four most widely used AI-assisted development environments in enterprise engineering teams. The attack exploits the trust that developers place in repository-level configuration files within these tools.
  • Self-replicating campaign running since June 1: Miasma is a self-replicating worm campaign that began on June 1, 2026, with the compromise of 32 packages under the @redhat-cloud-services npm namespace. On June 3, a second wave compromised 57 packages across the npm registry using a ‘Phantom Gyp’ technique — abusing binding.gyp files to trigger code execution during npm install, bypassing most security checks. The June 5 Microsoft GitHub breach represents the third and most visible escalation of a campaign that has been actively evolving its attack techniques daily.

Technical Breakdown: How Miasma Works and Why It Is Dangerous

Miasma’s technical architecture represents a deliberate evolution beyond the supply chain attack patterns that the security industry has built defences against over the past five years. The npm supply chain attacks that defined the threat landscape from 2021 to 2025 — including the xz-utils backdoor and multiple malicious package campaigns — primarily exploited package installation lifecycle hooks: preinstall and postinstall scripts that run automatically when a developer executes npm install. Security tools developed in response to those attacks specifically monitor install-script execution, making preinstall and postinstall hooks an increasingly detected attack surface.

Miasma’s Phantom Gyp technique bypasses this detection layer entirely. The binding.gyp file — a 157-byte native addon build configuration file — triggers code execution during the npm install process through the node-gyp native build pipeline, which security monitoring tools typically treat as a trusted system operation rather than a potentially malicious script. The payload that binding.gyp triggers is a credential harvester that exfiltrates authentication tokens, cloud platform credentials, and developer tool session tokens to attacker-controlled dead-drop repositories. StepSecurity identified the primary exfiltration account as liuende501, which holds 236 dead-drop repositories used to store stolen credentials.

The June 5 GitHub repository attack introduces a second, qualitatively different attack vector. Instead of targeting the package installation stage, this vector targets the repository opening stage within AI coding environments. When a developer opens an affected repository in Claude Code, Gemini CLI, Cursor, or VS Code, the malicious configuration files planted by Miasma execute automatically as part of the tool’s workspace initialisation sequence. Claude Code, Gemini CLI, and Cursor — unlike traditional IDEs — routinely execute agentic actions on behalf of developers, including reading files, running commands, and making network requests. A credential-harvesting payload that executes within one of these tools has access to the same credentials and network permissions as the developer’s own session.

GitHub’s 105-second automated containment response represents the fastest published large-scale repository mitigation in GitHub’s history. The speed of containment was made possible by automated telemetry systems that detected the anomalous commit pattern across multiple repositories simultaneously and triggered an automated sweep without requiring human review. However, the 105-second response window — while fast by historical standards — is sufficient for the Miasma payload to harvest and exfiltrate credentials from any developer who opened an affected repository during that window. The damage from a credential compromise occurs in seconds; the repository disabling addresses the propagation vector but not the credentials already stolen.

| Attack Wave | Date | Vector | Scale | Target Tools | Mitigated By |
|---|---|---|---|---|---|
| Wave 1 — RedHat npm | June 1, 2026 | Preinstall hook in 32 @redhat-cloud-services packages | 60+ package versions compromised | npm install (any tool) | Wiz identification; npm package removal |
| Wave 2 — Phantom Gyp npm | June 3, 2026 | binding.gyp file triggers code in node-gyp pipeline | 57 packages, 286+ malicious versions in <2 hours | npm install (bypasses conventional monitoring) | StepSecurity / JFrog analysis; npm package removal |
| Wave 3 — GitHub direct injection | June 3-5, 2026 | Malicious commit via stolen Microsoft contributor PAT | 73 Microsoft repos across 4 GitHub orgs | Claude Code, Gemini CLI, Cursor, VS Code (workspace init) | GitHub automated sweep — 105 seconds |
| Direct repo injection (non-npm) | June 3-5, 2026 | Malicious commit to mantine-datatable and 4 related repos | 5 repositories directly compromised | Developer IDEs on repo open | Security researcher identification |

Commercial and Enterprise Market Impact

The Miasma attack’s specific targeting of Claude Code, Gemini CLI, Cursor, and VS Code is the most commercially significant element of the campaign for enterprise technology leadership. These four tools collectively represent the AI-assisted development infrastructure of the majority of enterprise engineering teams in 2026. Claude Code is deployed in production CI/CD pipelines at over 1,000 enterprise accounts spending more than $1 million annually with Anthropic. Gemini CLI is integrated into Google Cloud development workflows. Cursor has captured significant market share among individual developers and small engineering teams. VS Code remains the most widely deployed IDE in enterprise environments globally.

The attack’s mechanism — exploiting the trust model of repository-level configuration files within AI coding environments — exposes a structural vulnerability in how enterprises think about AI coding tool security. Traditional IDE security models assumed that opening a repository in an editor was a passive, read-only action. AI coding environments like Claude Code and Gemini CLI are designed to take actions, not just read code — and Miasma exploits exactly this architectural shift. An AI coding agent that automatically executes workspace configuration on repository open is, by design, doing something that conventional IDEs did not do. Security policies and tool configurations that were appropriate for traditional IDEs require revision for AI coding environments.

“Miasma is the first supply chain attack that treats AI coding agents as the attack surface rather than the package manager. Every enterprise engineering team needs to review their Claude Code, Gemini CLI, and Cursor workspace security configurations this week. The question is not whether your packages are safe — it is whether your AI coding tools will execute arbitrary code when you open a repository.” — Principal Security Engineer, enterprise software company, June 2026

“The 105-second GitHub response is impressive and insufficient simultaneously. GitHub’s automation contained the propagation vector in under two minutes. But any developer who opened an affected repository in Claude Code or Cursor during the period between the malicious commit and the takedown had their credentials harvested before the mitigation ran. The damage assessment for this attack depends entirely on how many developers hit that window.” — Cybersecurity Analyst, enterprise threat intelligence, June 2026

Frequently Asked Questions

What is the Miasma worm and how does it spread?

Miasma is a self-replicating supply chain malware campaign active since June 1, 2026. It has used three distinct attack vectors: malicious npm packages with preinstall hooks (Wave 1, June 1), malicious binding.gyp files that trigger code execution during npm install without using standard install hooks — a technique called Phantom Gyp (Wave 2, June 3), and direct malicious commits to GitHub repositories via stolen contributor credentials that execute credential-harvesting payloads when a developer opens the repository in Claude Code, Gemini CLI, Cursor, or VS Code (Wave 3, June 3-5). It is a variant of the Mini Shai-Hulud worm publicly released by TeamPCP in mid-May 2026.

Are Claude Code and Gemini CLI users at risk from Miasma?

Developers who opened any of the 73 disabled Microsoft GitHub repositories in Claude Code, Gemini CLI, Cursor, or VS Code between the time of the malicious commit and GitHub’s automated takedown on June 5 may have had credentials harvested. GitHub has disabled the affected repositories, eliminating the propagation vector. Developers who use these tools should audit their credential stores for the period June 3-5, rotate any credentials that may have been exposed, and review their AI coding tool workspace security settings to restrict automatic execution of repository configuration files. The specific repositories affected were across the Azure, Azure-Samples, Microsoft, and MicrosoftDocs GitHub organisations.

What should enterprise engineering teams do right now?

Four immediate actions: First, audit whether any team members opened repositories from the Azure, Azure-Samples, Microsoft, or MicrosoftDocs GitHub organisations between June 3 and June 5 using Claude Code, Gemini CLI, Cursor, or VS Code — if so, treat those developer credentials as potentially compromised. Second, rotate all GitHub Personal Access Tokens, cloud platform credentials, and developer tool session tokens for affected developers. Third, review AI coding tool workspace security settings to restrict or audit automatic execution of repository-level configuration files. Fourth, update security monitoring to detect binding.gyp-triggered execution in npm install processes, which conventional monitoring tools may not flag. StepSecurity and JFrog have published detailed technical analyses of the Miasma campaign.
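A pre-open audit that looks for the three execution triggers the article describes (install lifecycle scripts, binding.gyp, and tool configuration read on workspace open), serving both the Phantom Gyp discussion above and the third and fourth actions here. This is an added example, not code from the article, GitHub, StepSecurity or the tool vendors; the per-tool config paths and the folderOpen/hooks keys are assumptions about current tool behaviour to be checked against each vendor's documentation, and the sample repository it builds is constructed.

```python
"""Pre-open audit of a repository checkout for files that auto-execute on npm install
(Wave 1 lifecycle scripts, Wave 2 binding.gyp) or on workspace open in an AI coding tool
(Wave 3). Added example; not code from the article or any tool vendor it names."""
import json
import tempfile
from pathlib import Path

def _json(path):  # unreadable, malformed or non-object JSON counts as empty
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def audit_repo(root):
    """Return sorted (severity, relative_path, reason) findings for the checkout at root.
    ASSUMPTION: VS Code reads .vscode/tasks.json (runOn=folderOpen), Claude Code reads hooks
    from .claude/settings.json and Gemini CLI reads .gemini/settings.json; confirm per vendor."""
    root, findings = Path(root), []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name == "binding.gyp":  # Phantom Gyp: node-gyp builds any package that ships one
            findings.append(("high", rel, "binding.gyp triggers node-gyp during npm install"))
        elif path.name == "package.json":  # Wave 1 style lifecycle hooks
            hooks = sorted({"preinstall", "install", "postinstall"} & set(_json(path).get("scripts", {})))
            if hooks:
                findings.append(("medium", rel, "install lifecycle scripts: " + ", ".join(hooks)))
        elif rel.endswith(".vscode/tasks.json") and any(
                t.get("runOptions", {}).get("runOn") == "folderOpen" for t in _json(path).get("tasks", [])):
            findings.append(("high", rel, "VS Code task configured to run on folder open"))
        elif rel.endswith(".claude/settings.json") and _json(path).get("hooks"):
            findings.append(("high", rel, "Claude Code hooks run shell commands on agent events"))
        elif rel.endswith(".gemini/settings.json"):
            findings.append(("medium", rel, "Gemini CLI project settings present; review before opening"))
    return sorted(findings)

def make_sample_repo():
    """Write a constructed checkout exhibiting every pattern above and return its path."""
    root = Path(tempfile.mkdtemp())
    files = {  # constructed sample data, not artefacts from the Miasma campaign
        "package.json": {"name": "demo", "scripts": {"postinstall": "node setup.js"}},
        "node_modules/native-dep/binding.gyp": {"targets": []},
        ".vscode/tasks.json": {"tasks": [{"label": "init", "type": "shell", "command": "./init.sh",
                                          "runOptions": {"runOn": "folderOpen"}}]},
        ".claude/settings.json": {"hooks": {"SessionStart": [{"hooks": [
            {"type": "command", "command": "./init.sh"}]}]}},
    }
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(json.dumps(content), encoding="utf-8")
    return root
```

Run `audit_repo` against a fresh clone before opening it in any of the named tools; anything rated high should be read by a human first.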

Sources

The Hacker News. (2026, June 6). Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack. https://thehackernews.com/2026/06/miasma-worm-hits-73-microsoft-github.html

StepSecurity. (2026, June 5). Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp. https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm

Rescana. (2026, June 6). Miasma Worm Supply Chain Attack: 73 Microsoft GitHub Repositories Compromised via AI Coding Tools. https://www.rescana.com/post/miasma-worm-supply-chain-attack-73-microsoft-github-repositories-compromised-via-ai-coding-tools

Windows Forum. (2026, June 6). GitHub disables 73 Microsoft Azure repos after Miasma editor/AI workspace attack. https://windowsforum.com/threads/github-disables-73-microsoft-azure-repos-after-miasma-editor-ai-workspace-attack.423398/

BackBox.org / The Hacker News. (2026, June 6). Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack. https://news.backbox.org/2026/06/06/miasma-worm-hits-73-microsoft-github-repositories-in-major-supply-chain-attack/

SafeDep. (2026, June 5). Miasma Worm Targets AI Coding Agents via GitHub Repos. https://safedep.io/miasma-worm-ai-coding-agent-config-injection/

The CyberSec Guru. (2026, June 5). Miasma Worm Targets AI Coding Agents: 73 Repos Disabled. https://thecybersecguru.com/news/miasma-worm-targets-ai-coding-agents-github-microsoft/