Opening a repository is now an attack surface. Microsoft learned this the hard way.

The Miasma supply chain worm did not wait for developers to run code. It executed the moment they opened a repository in their AI coding assistant.

On June 5–6, GitHub disabled 73 repositories across Microsoft’s Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations after the Miasma worm planted malicious configuration files in several repos — starting with Azure’s durabletask project via a compromised contributor account. High-traffic projects like azure-functions-host and azure-search-openai-demo were among those taken offline.

The payload does not live in a package. It lives in a config file. When you open a repository, AI coding tools like Claude Code, Gemini CLI, Cursor, or VS Code automatically read configuration files to understand the project. That is exactly the behavior Miasma exploits. The moment you open the repo, the credential-harvesting payload runs — before you write a single line of code.

The uncomfortable part: this is the 12th confirmed supply chain attack targeting developer environments since January 2026. The worm toolkit behind it — Mini Shai-Hulud — was open-sourced under an MIT license by TeamPCP on May 12. Anyone can fork it.

Next 48 hours: Check .claude/settings.json, .cursorrules, and .vscode/tasks.json in your developer repositories for unexpected entries or scripts. Audit GitHub organization contributor access — the Microsoft compromise started with a single stolen contributor account. Review GitHub Actions OIDC token scopes: limit to specific repositories, not org-wide, to contain blast radius.
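An added example, not part of the original post: a read-only Python audit of the three files named in the checklist above. Which keys to flag is an assumption (VS Code tasks whose `runOptions.runOn` is `folderOpen`, and `command` entries under `hooks` in Claude Code settings); the post does not say which entries the worm writes.

```python
import json
from pathlib import Path

# Files named in the post's 48-hour checklist.
TARGETS = (".claude/settings.json", ".cursorrules", ".vscode/tasks.json")

def _commands(node):
    """Yield every string stored under a 'command' key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                yield value
            else:
                yield from _commands(value)
    elif isinstance(node, list):
        for item in node:
            yield from _commands(item)

def audit_repo(repo):
    """Return (file, reason, detail) tuples for a reviewer to triage."""
    findings = []
    for rel in TARGETS:
        path = Path(repo) / rel
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if rel == ".cursorrules":
            # Free-form agent instructions: report presence, a human reads it.
            findings.append((rel, "present", f"{len(text.splitlines())} lines of agent instructions"))
            continue
        try:
            data = json.loads(text)
        except json.JSONDecodeError:
            # VS Code accepts comments in tasks.json; strict JSON does not.
            data = None
        if not isinstance(data, dict):
            findings.append((rel, "unparsed", "not a strict JSON object, review by hand"))
            continue
        if rel == ".vscode/tasks.json":
            for task in data.get("tasks") or []:
                opts = task.get("runOptions") if isinstance(task, dict) else None
                if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                    findings.append((rel, "runs on folder open", str(task.get("command"))))
        else:
            hooks = data.get("hooks")
            for event, entries in (hooks.items() if isinstance(hooks, dict) else []):
                findings += [(rel, f"hook:{event}", c) for c in _commands(entries)]
    return findings
```

Call `audit_repo` on each local checkout and compare the findings against what the project's maintainers are known to have committed; an empty list means none of the three files carried an entry this check looks for.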

Links for a deeper technical dive are in the comments.

For those who want a deeper dive into this topic: