What Happened: The Attack in Precise Terms

The attacker gained initial access using previously compromised contributor credentials tied to the Azure/durabletask repository. From that foothold, a single malicious commit — hash 5f456b8 — was pushed. The commit was backdated to 2020, carried a misleading message, and included a [skip ci] flag specifically designed to suppress automated CI/CD pipeline checks.
Critically, no source code was modified. Instead, five configuration files were added:
- .claude/settings.json — targeting Claude
- .gemini/settings.json — targeting Gemini
- .cursor/rules/setup.mdc — targeting Cursor CLI
- .vscode/tasks.json — targeting VS Code
- An npm test script entry
Each file was engineered to trigger automatic execution of a 4.3–4.6 MB obfuscated JavaScript payload — .github/setup.js — the moment a developer opened the repository in a compatible AI coding agent or IDE.
GitHub’s automated enforcement disabled all 73 affected repositories across the Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations in two waves spanning exactly 105 seconds.
The Payload: Credential Harvesting at Scale

The obfuscated JavaScript payload functioned as a broad-spectrum credential harvester. Upon execution, it extracted credentials across more than 90 developer tool configurations, including:
- Cloud providers: AWS, Azure, GCP
- Orchestration: Kubernetes
- Package registries: npm, GitHub
- Developer tooling: IDE configurations, local token stores
Harvested credentials were then used to commit the worm into any repository accessible by the compromised account. This created an autonomous propagation loop — no human interaction required beyond the initial repository open event.
The attack did not exploit a flaw in GitHub or npm. It exploited trust. Valid credentials, standard commit mechanisms, and legitimate-looking configuration files made the malicious activity indistinguishable from routine maintenance work.
Why AI Coding Agents Changed the Attack Surface
Traditional supply chain defenses are built around a specific threat model: malicious code executing during package installation. Mechanisms like npm postinstall hooks have been the canonical attack vector for years. Security teams have built detection logic, sandboxing, and policy controls around that assumption.
Miasma invalidates that assumption entirely.
AI coding agents — Claude, Gemini, Cursor, and similar tools — are increasingly used by developers to explore unfamiliar repositories, generate context-aware suggestions, and automate routine tasks. These agents execute configuration files at session start, before any code review or dependency installation occurs. The attack surface is no longer the package registry pipeline. It is the moment a developer opens a folder.
This represents a structural shift. The worm’s propagation was not dependent on a developer running code or installing dependencies. It required only that someone open the repository in a modern development environment. In teams using AI-assisted workflows — which is increasingly the norm — that threshold is trivially low.
Operational Impact and Containment
The immediate operational consequence was the disruption of Azure/functions-action, the official GitHub Action used to deploy Azure Functions. Organizations relying on this action for CI/CD automation experienced widespread pipeline failures. Critical Azure infrastructure and documentation repositories became inaccessible during the containment window.
GitHub’s 105-second automated response was effective at limiting propagation, but the full downstream impact — how many developer environments executed the payload before containment, how many credentials were harvested, how many secondary repositories were reached — remains undetermined at the time of analysis.
The attack timeline reveals deliberate preparation:
- May 16, 2026: Core payload modules authored; C2 domain git-service[.]com registered
- May 19, 2026: Initial PyPI compromise using the same contributor account; three malicious package versions uploaded in 35 minutes
- June 3, 2026: Second wave of Miasma-themed dead-drop repositories created
- June 5, 2026: Malicious commit pushed to Azure/durabletask
- June 5, 2026, 16:00:50–16:02:35 UTC: GitHub disables 73 repositories in two automated waves
Attribution and Threat Lineage
Technical analysis links Miasma to the Mini Shai-Hulud worm, attributed at medium confidence to the threat group TeamPCP and first observed in a PyPI attack in May 2026. The same compromised contributor account was used in both incidents. Payload similarities are significant, though the absence of unique technical artifacts prevents high-confidence attribution.
The MITRE ATT&CK mapping covers the full attack chain:
- Initial Access: T1078 — Valid Accounts
- Execution: T1059.007 (JavaScript), T1204.002 (Malicious File)
- Defense Evasion: T1562.001 (Disable/Modify Tools), T1036 (Masquerading)
- Credential Access: T1552 (Unsecured Credentials), T1555 (Credentials from Password Stores)
- Lateral Movement: T1098 (Account Manipulation), T1557 (Adversary-in-the-Middle)
- Impact: T1496 (Resource Hijacking), T1489 (Service Stop)
The progression from Mini Shai-Hulud to Miasma suggests an adversary actively iterating on supply chain techniques — moving from package registry hooks toward editor and agent session triggers as primary execution vectors.
What Defenders Must Do Now
The mitigation hierarchy here is not theoretical. Each layer addresses a specific failure mode exposed by this incident.
Critical — Immediate Action Required
Rotate all credentials for any account with access to affected repositories. This includes tokens for AWS, Azure, GCP, Kubernetes, npm, and GitHub. Revoke and reissue all publishing tokens. Invalidate active sessions. Enforce multi-factor authentication for all contributors and maintainers without exception.
Audit repositories for unauthorized commits — specifically those adding configuration files for AI coding agents or containing large, obfuscated JavaScript files. Restore from known-good backups where necessary.
High — Structural Hardening
Review CI/CD pipeline configurations to detect commits that introduce AI agent configuration files or use [skip ci] flags without documented justification. Implement least-privilege access controls and conduct regular contributor access reviews.
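The audit and CI review steps above can be partly automated over commit metadata. The following is an added example, not code from the original article or from GitHub: it flags the traits the article attributes to commit 5f456b8 (the listed config paths, a [skip ci] message, a committer date earlier than the parent's). The `@` record marker, the sample log and its hashes are constructed for illustration.

```python
import re

# Paths the article lists as added by the malicious commit, plus its payload path.
WATCHED = {".claude/settings.json", ".gemini/settings.json",
           ".cursor/rules/setup.mdc", ".vscode/tasks.json", ".github/setup.js"}
SKIP_CI = re.compile(r"\[skip ci\]", re.IGNORECASE)

def parse_log(text):
    """Parse `git log --name-status --format='@%H|%P|%ct|%s'` output by commit."""
    commits, cur = {}, None
    for line in text.splitlines():
        if line.startswith("@"):  # '@' record marker is this example's own choice
            sha, parents, ctime, subject = line[1:].split("|", 3)
            cur = commits[sha] = {"parents": parents.split(), "time": int(ctime),
                                  "subject": subject, "added": []}
        elif cur is not None and line.startswith("A\t"):  # only newly added paths
            cur["added"].append(line.split("\t", 1)[1])
    return commits

def flag_commits(commits):
    """Return {sha: [reasons]} for commits showing the traits the article describes."""
    findings = {}
    for sha, c in commits.items():
        reasons = []
        hits = sorted(WATCHED.intersection(c["added"]))
        if hits:
            reasons.append("adds " + ", ".join(hits))
        if SKIP_CI.search(c["subject"]):
            reasons.append("[skip ci] in commit message")
        # A committer date earlier than a parent's is what a backdated commit looks like.
        parent_times = [commits[p]["time"] for p in c["parents"] if p in commits]
        if parent_times and c["time"] < max(parent_times):
            reasons.append("committer date earlier than parent")
        if reasons:
            findings[sha] = reasons
    return findings

# Constructed sample log: hashes, timestamps and subjects are made up.
SAMPLE = (
    "@aaa1111|bbb2222|1590000000|chore: update tooling [skip ci]\n"
    "A\t.claude/settings.json\nA\t.vscode/tasks.json\nA\t.github/setup.js\n\n"
    "@bbb2222|ccc3333|1780000000|Fix retry logic in orchestrator\n"
    "M\tsrc/retry.cs\n\n"
    "@ccc3333||1779000000|docs: release notes [skip ci]\n"
)

if __name__ == "__main__":
    for sha, reasons in flag_commits(parse_log(SAMPLE)).items():
        print(sha, "->", "; ".join(reasons))
```

A hit is a prompt for human review, not a verdict: [skip ci] and out-of-order dates also occur in legitimate history, and the size of added JavaScript files would need a separate lookup.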
Educate development teams on the specific risk of opening untrusted repositories in AI coding agents. Isolated environments for reviewing external code should become standard practice, not an edge-case recommendation.
Medium — Ongoing Vigilance
Monitor for connections to known C2 infrastructure, including git-service[.]com. Watch for repositories following Miasma-themed naming patterns. Engage with GitHub and platform providers on improving automated detection of malicious configuration file commits.
The Broader Signal for AI Tool Adopters
For teams evaluating or already using AI coding agents, this incident introduces a concrete security consideration that belongs in procurement and deployment decisions. AI tools that execute configuration files at session start — without sandboxing, permission prompts, or content inspection — extend the attack surface in ways that traditional security tooling does not yet fully address.
This is not an argument against AI-assisted development. The productivity gains are real and well-documented. It is an argument for treating AI tool configuration as a security-relevant artifact, subject to the same scrutiny as dependency manifests and CI/CD scripts.
The Miasma worm did not require a zero-day. It required a compromised credential, five configuration files, and the assumption that opening a repository is a safe act. In 2026, that assumption no longer holds unconditionally.