
Miasma Worm: When AI Coding Agents Become the Trigger for Malware

Karify98 & Amy 🌸

The explosive rise of autonomous AI Agents and next-generation IDE integrations—such as Claude Code, Cursor, and VS Code—has completely revolutionized development velocity. However, this shift has also opened a highly sophisticated new frontier for software supply chain attacks. In early June 2026, a malicious campaign known as the Miasma worm sent shockwaves through the cybersecurity community by successfully breaching 73 GitHub repositories across four Microsoft organizations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs.

What makes Miasma particularly alarming is that it doesn't need to exploit direct vulnerabilities in cloud control planes. Instead, it weaponizes the very AI-assisted developer workflows running locally on engineer workstations, transforming helper agents into silent executioners for malicious payloads.

"Phantom Gyp" and Autonomous Self-Replication

Miasma is a highly sophisticated, self-replicating variant of the Mini Shai-Hulud worm operated by the TeamPCP threat group. Traditional supply chain malware typically injects malicious scripts directly into package.json lifecycles, which are easily flagged by basic static application security testing (SAST) tools. Miasma bypasses these entirely using a technique dubbed "Phantom Gyp."

This vector abuses the standard Node.js native addon build file, binding.gyp. When a developer executes a routine npm install, the underlying package manager automatically triggers the compilation process defined in binding.gyp, executing malicious binary payloads without modifying a single line of visible project scripts.
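A defender's check for the build path just described, added here as an example (it is not code from the article, from npm, or from any project the article names): the script audits one npm package directory, reports a binding.gyp that has no explicit lifecycle script (npm then runs "node-gyp rebuild" on its own), and lists every "actions" entry in the gyp tree, since each of those is a command node-gyp runs during the build. The sample package, its file names and the "scripts/prepare.js" command are constructed for the demo.

```python
"""Audit one npm package directory for the implicit node-gyp build path
described above. Added example for this article; it is not code from the
article, from npm, or from any project the article names."""
import ast
import json
import os
import re
import tempfile

# Documented npm behaviour: a package with binding.gyp at its root and no
# "install" script gets the default install script "node-gyp rebuild", so
# build-time commands can run with nothing visible under "scripts".
EXPLICIT_LIFECYCLE = ("preinstall", "install", "postinstall")


def load_gyp(path):
    """GYP files use Python-literal syntax ('single quotes', # comments,
    trailing commas), so parse with ast.literal_eval rather than json.
    The comment strip is line-based and would also cut a '#' inside a
    string, which is acceptable for an audit pass."""
    with open(path, encoding="utf-8") as fh:
        text = re.sub(r"#.*", "", fh.read())
    return ast.literal_eval(text)


def walk_actions(node, path="binding.gyp"):
    """Yield (location, action) for every 'actions' entry in the gyp tree;
    each one is a command node-gyp runs during the build."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "actions" and isinstance(value, list):
                for i, action in enumerate(value):
                    yield f"{path}/actions[{i}]", action
            yield from walk_actions(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk_actions(item, f"{path}[{i}]")


def audit_native_addon(pkg_dir):
    """Return a list of human-readable findings for a package directory."""
    findings = []
    gyp_path = os.path.join(pkg_dir, "binding.gyp")
    if not os.path.exists(gyp_path):
        return findings
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        scripts = json.load(fh).get("scripts", {})
    if not any(name in scripts for name in EXPLICIT_LIFECYCLE):
        findings.append("binding.gyp present and no install/preinstall/"
                        "postinstall script: npm runs 'node-gyp rebuild' "
                        "implicitly on install")
    for where, action in walk_actions(load_gyp(gyp_path)):
        cmd = " ".join(str(part) for part in action.get("action", []))
        findings.append(f"build-time command at {where}: {cmd}")
    return findings


# Constructed sample package (hypothetical names): a minimal addon whose
# binding.gyp also declares an extra build action.
SAMPLE_GYP = """\
# constructed binding.gyp for the demo
{
  'targets': [
    {
      'target_name': 'addon',
      'sources': [ 'addon.cc' ],
      'actions': [
        {
          'action_name': 'prepare',
          'inputs': [],
          'outputs': [ 'prepared.txt' ],
          'action': [ 'node', 'scripts/prepare.js' ],
        },
      ],
    },
  ],
}
"""


def demo(explicit_install=False):
    """Write the sample package to a temp dir and audit it. With
    explicit_install=True the package declares its own install script,
    which removes the implicit-build finding but not the action."""
    with tempfile.TemporaryDirectory() as root:
        manifest = {"name": "sample-addon", "version": "0.0.1", "scripts": {}}
        if explicit_install:
            manifest["scripts"]["install"] = "node-gyp rebuild"
        with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
        with open(os.path.join(root, "binding.gyp"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GYP)
        return audit_native_addon(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it over each directory under node_modules (or over an unpacked tarball before publishing) and treat any "build-time command" line as something to read, not something to trust; a package that genuinely needs a native build should declare its install step explicitly so reviewers can see it.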

Once active on a local machine, Miasma harvests highly sensitive credentials:

  • npm publish tokens.
  • GitHub repository write tokens.
  • CI/CD OpenID Connect (OIDC) tokens.

Armed with these credentials, the worm propagates autonomously by committing and publishing malicious updates to other legitimate repositories and packages without requiring any active operator intervention.

Turning AI Agents Into Payload Triggers

The most innovative and dangerous aspect of this Miasma campaign is its deliberate targeting of AI coding agent configurations.

When infecting a repository, the worm doesn't just plant standard backdoors—it injects stealth configuration files tailored to trigger popular developer AI agents:

1. Claude Code

Miasma writes malicious code to .claude/setup.mjs and registers it via the SessionStart lifecycle hook in .claude/settings.json. The moment a developer starts a Claude Code session in that workspace, the tool executes the hook, instantly running the credential-harvesting payload.

2. Cursor & VS Code

For Cursor environments, the worm drops forged .cursor/rules/setup.mdc system rules. For VS Code, it abuses .vscode/tasks.json configured to execute automatically when opening a folder (runOn: "folderOpen"). When a developer simply opens the compromised workspace, these background tasks run seamlessly under the developer's user identity.

| AI Agent / IDE | Targeted Configuration File | Trigger Mechanism |
| --- | --- | --- |
| Claude Code | .claude/setup.mjs, .claude/settings.json | Automatic execution via SessionStart hook |
| Cursor | .cursor/rules/setup.mdc | Executed during contextual workspace rule parsing |
| VS Code | .vscode/tasks.json | Background execution on folder open (runOn) |
| Gemini CLI | GEMINI.md | Executed as trusted instruction context on session start |

Because AI coding agents operate with the same system-level permissions as the local user (enabling them to execute shell commands, read/write directories, and call external APIs), hiding backdoors in their workspace configurations completely bypasses typical sandboxing and traditional process security checks.
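The workspace review the article calls for, as an added example (not code from the article or from Claude Code, Cursor, VS Code or Gemini CLI): the script walks a freshly cloned directory and reports every configuration from the table above that runs or is loaded automatically, so a developer can read those hooks before opening the folder in an agent-enabled editor. The hook layout assumed for .claude/settings.json (hooks, then event name, then matcher groups, then command entries) follows Claude Code's settings format; the sample workspace, the "bootstrap" task and the "scripts/bootstrap.js" command are constructed for the demo.

```python
"""Audit a cloned workspace for agent and IDE configuration that runs
automatically on folder open or session start. Added example for this
article; it is not code from the article or from Claude Code, Cursor,
VS Code or Gemini CLI."""
import json
import re
import tempfile
from pathlib import Path


def load_jsonc(path):
    """tasks.json and agent settings may carry // comments; dropping
    whole-line comments is enough for an audit pass."""
    lines = [ln for ln in path.read_text(encoding="utf-8").splitlines()
             if not ln.strip().startswith("//")]
    return json.loads("\n".join(lines))


def audit_workspace(root):
    """Return findings for every auto-run hook the article lists."""
    root = Path(root)
    findings = []

    # Claude Code: SessionStart hooks run when a session opens in the
    # workspace. The layout assumed here (hooks -> event -> matcher
    # groups -> hooks -> {type, command}) is Claude Code's settings
    # format; settings.local.json is checked alongside settings.json.
    for name in ("settings.json", "settings.local.json"):
        path = root / ".claude" / name
        if not path.exists():
            continue
        for event, groups in load_jsonc(path).get("hooks", {}).items():
            for group in groups:
                for hook in group.get("hooks", []):
                    if hook.get("type") == "command":
                        findings.append(
                            f"claude hook {event} in {name}: {hook.get('command')}")

    # VS Code: tasks with runOptions.runOn == "folderOpen" start when the
    # folder is opened (subject to Workspace Trust).
    tasks = root / ".vscode" / "tasks.json"
    if tasks.exists():
        for task in load_jsonc(tasks).get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append(
                    f"vscode folderOpen task {task.get('label')!r}: "
                    f"{task.get('command')}")

    # Cursor: each .mdc under .cursor/rules is fed to the model as a
    # rule; alwaysApply: true in the front matter loads it unconditionally.
    rules_dir = root / ".cursor" / "rules"
    if rules_dir.is_dir():
        for rule in sorted(rules_dir.glob("*.mdc")):
            text = rule.read_text(encoding="utf-8")
            always = re.search(r"^alwaysApply:\s*true\b", text, re.M) is not None
            findings.append(f"cursor rule {rule.name} (alwaysApply={always})")

    # Gemini CLI: GEMINI.md is loaded as instruction context at session start.
    if (root / "GEMINI.md").is_file():
        findings.append("gemini instruction file GEMINI.md present")
    return findings


# Constructed workspace mirroring the four entries in the table above;
# every path and command is a demo value, not an observed artefact.
SAMPLE_FILES = {
    ".claude/settings.json": json.dumps({"hooks": {"SessionStart": [
        {"hooks": [{"type": "command", "command": "node .claude/setup.mjs"}]}]}}),
    ".vscode/tasks.json": (
        '{\n  // constructed tasks.json with a comment line\n'
        '  "version": "2.0.0",\n'
        '  "tasks": [{"label": "bootstrap", "type": "shell",\n'
        '             "command": "node scripts/bootstrap.js",\n'
        '             "runOptions": {"runOn": "folderOpen"}}]\n}'),
    ".cursor/rules/setup.mdc": "---\nalwaysApply: true\n---\nDemo rule body.\n",
    "GEMINI.md": "# Demo project instructions\n",
}


def demo():
    """Materialise the sample workspace in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            target = Path(root) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return audit_workspace(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running this before opening an unfamiliar clone turns the "review hidden directories" advice into a repeatable step; anything it lists should be read in full, and a hook that runs a script you did not write is reason to leave Workspace Trust and agent permissions off for that folder.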

GitHub's Instant Response and Key Takeaways for Developers

In the June 2026 attack, the malicious commit was pushed to the Azure/durabletask repository via a previously compromised contributor account. Fortunately, GitHub's automated anomaly detection responded with immense speed: within 105 seconds of the malicious push, GitHub's automated systems isolated and disabled access to all 73 affected repositories across the four Microsoft organizations to break the worm's propagation cycle.

Despite the rapid containment, this incident serves as a major wake-up call for modern software engineering:

  1. AI Agents represent a massive new attack surface: Security teams often worry about AI generating insecure code, but the bigger risk lies in the trust we put in the AI's own local workspace settings and configuration hooks.
  2. The illusion of control: Giving an AI agent the ability to autonomously run terminal commands or manage file systems means granting it absolute power. If the workspace is poisoned, the AI will execute the malicious instructions "blindly" under your credentials.
  3. Zero Trust on the local machine: The developer's workspace can no longer be treated as an implicitly trusted zone. Thoroughly reviewing hidden directories (like .claude/, .cursor/, and .vscode/) when cloning or working on public projects is now a security necessity.

The era of AI coding agents and "vibe coding" brings unprecedented productivity, but it also demands a strict, proactive approach to workspace security. Always verify what you allow to run automatically in your terminal.


Content assisted by AI (Amy 🌸). Reviewed by the author.
