A self-replicating worm has torn through npm, open-source GitHub repos, and Microsoft's Azure infrastructure, turning AI coding assistants into a new and largely undefended attack surface.
A credential-stealing worm has moved through the npm registry, open-source GitHub repositories, and Microsoft's own Azure infrastructure, exploiting an attack surface most security teams have never considered: your developers' AI coding assistants.
What Happened
On June 5, 2026, the Miasma worm, a self-replicating supply chain malware, compromised 73 Microsoft GitHub repositories across four major organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs.
The attacker used previously stolen contributor credentials to push a malicious commit to the Azure/durabletask repository. That commit introduced configuration files that triggered a credential-harvesting payload the moment a developer opened the repository in an AI coding tool, including Claude Code, Gemini CLI, Cursor, and VS Code. GitHub disabled all 73 affected repositories in a 105-second automated sweep, taking down Azure/functions-action and breaking CI/CD pipelines for developers worldwide.
This was not an isolated incident. The same worm family had already hit the npm registry twice. On June 1, 2026, it compromised 32 packages under the @redhat-cloud-services npm namespace. On June 3, 2026, it simultaneously published 57 malicious packages across 286-plus versions and hit 4 versions of @vapi-ai/server-sdk, hiding the payload trigger inside binding.gyp files to evade standard lifecycle script scanners.
Why This Attack Is Different
Most supply chain defences watch package.json lifecycle hooks. Miasma ignored that entirely.
The npm arm of the campaign used a technique researchers are calling "Phantom Gyp": a 157-byte binding.gyp file triggers code execution during npm install, bypassing security tools that focus on preinstall and postinstall scripts. No lifecycle hook, no alert.
The GitHub repository arm is more alarming still. The malicious commit planted a 4.3 MB payload runner wired to execute automatically through five developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script. The attack fires when a developer clones one of the affected repos and simply opens it in an AI coding agent. No code needs to run. No dependency needs to be installed. Opening a folder is enough.
As FalconFeeds.io observed, the worm operates entirely within legitimate channels. It does not exploit a vulnerability in npm or GitHub. It exploits the trust model those platforms are built on: the assumption that a package signed with a valid key and published by an authenticated maintainer is safe.
What the Worm Steals and How It Spreads
Once triggered, the damage is broad and self-amplifying. The Bun-based worm harvests credentials for AWS, Azure, GCP, Kubernetes, npm, and GitHub, then propagates automatically by committing itself into any repository the victim's stolen tokens can write to.
On developer machines, the malware steals SSH keys, CLI credentials, and browser and wallet data. In CI/CD environments it scrapes GitHub Actions runner memory for secrets, escalates privileges using passwordless sudo, and republishes poisoned packages with forged SLSA provenance to continue downstream propagation.
Stolen credentials are not sent to a private server. The malware creates a new repository on the fly and uploads the stolen data as encrypted JSON files to a results/ directory on attacker-controlled public GitHub accounts.
The root cause traces back to a single compromised employee. The attackers used valid GitHub credentials and an active session cookie belonging to a Red Hat employee, first exposed in infostealer logs on April 13, 2026. Because the packages were signed through GitHub Actions OIDC, they passed automated trust checks and reached roughly 80,000 weekly downloaders before npm revoked them. Forty-eight days passed between that first credential exposure and the June 1 attack. The session cookie alone, which bypasses multi-factor authentication entirely, was visible for nearly seven weeks.
Who Is Behind It
Miasma is assessed to be a variant of the Mini Shai-Hulud worm that the group TeamPCP publicly released in mid-May 2026. Aikido has linked the same TeamPCP tooling to compromises affecting Mistral, TanStack, Microsoft's Durable Task, PyTorch Lightning, Bitwarden CLI, and Intercom across 2025 and 2026. Because the underlying malware is now open-sourced, more attackers are expected to deploy variants through the second half of 2026. This is not a one-off event. It is the opening of a wider campaign pattern.
What Your Team Must Do Right Now
1. Check your repositories for Miasma indicators. If you have cloned or worked on any open-source Node/TypeScript repository since June 2, 2026, do not open the project folder in your IDE or launch an AI terminal agent in that directory until you have verified it is clean. Look for unexpected .claude/.cursor/, or .gemini/ configuration folders added by commits you did not author.
2. Rotate all credentials that touched affected environments. Rotate npm access tokens, CI/CD secrets, and cloud credentials for AWS, Azure, GCP, and Kubernetes, not just npm and GitHub, for any environment that may have been in the exposure window. This is the guidance Microsoft Defender has issued.
3. Lock down npm install behaviour. Pin known-good package versions and avoid automatic dependency upgrades until validation is complete. Run npm install with --ignore-scripts to disable pre- and post-installation script execution.
4. Audit your dependency tree. Review dependency trees for direct or transitive usage of affected @redhat-cloud-services packages. Identify systems that installed or built affected package versions during the suspected exposure window.
5. Monitor for stolen credentials continuously. The most preventable element of this campaign was the seven-week gap between credential theft and the attack. Continuous dark web and credential intelligence monitoring would have surfaced the Red Hat credentials before any packages were published. If your organisation is not scanning infostealer logs and dark web markets for employee credentials, you are operating blind.
6. Apply a cooldown window to new npm packages in your pipeline. Most malicious packages are identified within hours of publication. A cooldown window for new or updated dependencies creates a safety buffer. All 57 malicious packages across 286-plus versions in the June 3 wave were published in a rolling campaign lasting under two hours, so any PR updating to an affected version during a cooldown period would have been blocked automatically.
The Bigger Picture
The World Economic Forum's Global Cybersecurity Outlook 2026 reports that 65% of large companies now name third-party and supply chain vulnerabilities as their single greatest challenge to cyber resilience, up from 54% the previous year. Miasma is a live demonstration of exactly why. A single stolen browser cookie from one employee, left undetected for seven weeks, cascaded into 73 disabled Microsoft repositories, broken pipelines for developers worldwide, and a credential-harvesting operation targeting every major cloud platform.
The campaign also signals a shift every development team needs to internalise. The attack moved from targeting package installation hooks to targeting editor and AI agent session-start events. AI coding tools are now a primary attack vector. The IDE is the new perimeter.
How 247techify can help
At 247techify, we work with businesses to harden their software supply chains, monitor for compromised credentials before they are weaponised, and lock down CI/CD pipelines against exactly this kind of threat. If your team uses npm, GitHub Actions, or AI coding assistants and you are not certain your developer environments are protected, get in touch with us at https://www.247techify.com/ and let's take a look together.
