Last week, Miasma hit 73 of Microsoft's own GitHub repositories. azure-search-openai-demo. durabletask. functions-container-action. Reference architectures and foundational libraries that thousands of real teams actually use. GitHub disabled them all in an automated 105-second sweep on June 5.
That was bad. What happened on June 9 is worse.
An unknown actor dropped the full Miasma worm toolkit publicly on GitHub. The same code behind one of the largest supply chain attacks in recent memory is now freely downloadable. The barrier to running this attack dropped from "sophisticated multi-stage supply chain team" to "anyone with a GitHub account and the willingness to aim it."
Here's what this is, and what your team needs to do today.
What Miasma actually does
Miasma is a self-replicating worm. Not a malicious package you accidentally install. Not a phishing link someone clicks. A worm that spreads on its own — using your credentials — into every repo your GitHub token can write to.
The infection starts when a developer clones an already-infected repository and opens it in an AI coding tool. Miasma plants configuration files that look like normal project setup:
.claude/settings.json— a startup hook that fires when the project opens.cursor/rules/setup.mdc— rules Cursor loads automatically on project open.gemini/settings.json— configuration injected into Gemini CLI- Equivalents for VS Code, Windsurf, and nine other AI tools in the now-public toolkit
These files execute the moment you open the project. No install step. No permission prompt. You clone a repo, open it in your AI coding tool, and the payload runs.
The payload does two things. First, it sweeps your machine for credentials: AWS keys, Azure service principals, GCP service accounts, GitHub tokens, Kubernetes secrets, npm publish tokens, SSH keys, anything in environment variables or shell history. It validates them against live APIs — it's checking what's still active — then exfiltrates the working ones.
Second, it uses those stolen GitHub tokens to commit copies of itself into every repository you can write to. That's the self-replication part. One developer on your team gets hit, and suddenly your entire org's GitHub footprint is a distribution network for the worm.
Why the Microsoft breach matters to your 10-person team
You might think: we're not Microsoft. This isn't our problem.
The repos Miasma infected aren't obscure internal tools. azure-search-openai-demo is the reference architecture that thousands of teams use as a starting point for Azure RAG applications. durabletask is a foundational Azure Functions library. If anyone on your team cloned these repos in the last two weeks and opened them in a coding tool, your credentials may already be gone.
Miasma has been spreading since May 29. GitHub's June 5 sweep caught the Microsoft repositories and made headlines. But the campaign also hit 32 Red Hat npm packages and 286+ npm package versions across other maintainers in the same window. The Microsoft story got the attention. The actual footprint is much wider.
And now the toolkit is public. Whatever the threat level was on June 5, it's materially higher today.
The persistence problem
Here's the part that changes how you respond: the worm was built to survive credential rotation.
After stealing your tokens, it leaves hooks in your AI coding agent config files that execute on every future session. Even after you rotate your GitHub token, the hook is still there. If a developer reopens an infected project without first cleaning it, the new credentials get harvested too.
This means the correct sequence is: find and remove injected config files first, then rotate credentials. In that order. Rotating first without cleaning up the hooks is just generating fresh material for the attacker.
What to check right now
If anyone on your team uses AI-assisted coding tools and clones repos from GitHub, these are the immediate steps.
Audit your project directories. In any recently cloned repositories, look for:
.claude/directories containingsettings.jsonorsetup.mjsyou didn't create.cursor/rules/files you didn't write.gemini/settings.jsonyou didn't add- Unexpected
.mcp.jsonfiles or changes to existing ones
Anything you find there that you didn't put there — treat that developer machine as compromised.
Rotate these credentials, in this order:
- GitHub personal access tokens and fine-grained tokens
- AWS access key IDs and secrets
- Azure service principal credentials
- GCP service account keys
- npm publish tokens
- Kubernetes contexts and service account tokens
Revoke the old ones first, then generate new ones. The worm validated your credentials against live APIs — assume the attacker has an active copy of whatever was working.
Check your own repositories. Look through your org's repos for unexpected commits in the last two weeks, especially commits that added .claude/, .cursor/, .gemini/, or .mcp.json config files. If you find any you didn't put there, the account that committed them was likely compromised and used as a propagation vector.
Restrict auto-execution in your AI coding tools. Cursor, VS Code, and most AI coding agents let you require approval before executing hooks from project-level config files. Enable that. It adds one extra click. It breaks this attack entirely.
Pin your GitHub Actions. If you have CI/CD workflows that reference third-party GitHub Actions, pin them to full commit SHAs instead of version tags. Miasma propagates through Actions configurations, and tag-based references mean a compromised upstream can push malicious code into your pipeline without changing the version number you're watching.
The bigger picture
This is the fourth major wave from the same threat group in two months: Mini Shai-Hulud via PyTorch Lightning in April, the Nx Console breach that hit GitHub, OpenAI, Grafana, and Mistral in May, TrapDoor's npm campaign in late May, and now Miasma's Microsoft repos in June.
What changed with yesterday's open-source release isn't the sophistication of the toolkit — it's the scale of who can now run it. Previously this required a coordinated team capable of multi-stage supply chain attacks. Now it requires the ability to follow a README.
The attack surface is exactly the tools small dev teams have been adopting fastest: AI coding agents that read project directories and execute startup hooks to make onboarding easier. Those same hooks are now a documented, freely available exploitation surface.
Small dev teams aren't being targeted because attackers hate them specifically. They're being targeted because they move fast, give AI tools broad access to their development environments, and rarely have anyone whose full-time job is checking whether the config files in a cloned repo are what they're supposed to be.
This is something we help teams get on top of quickly — auditing your AI tooling setup, locking down the execution surface, and setting up the right monitoring so you're not finding out about compromises six days later in the news. If you've been meaning to do a security review of how your team uses AI coding tools, this week is a good week to start.