
Miasma worm disabled 73 Microsoft repos through AI tool configs

AIntelligenceHub

On June 5, 2026, the Miasma worm weaponized Claude Code, Gemini CLI, Cursor, and VS Code config files to disable 73 Microsoft repos in 105 seconds. Disclosure published today.

On June 5, 2026, the Miasma worm campaign reached Microsoft's Azure GitHub organizations and disabled 73 repositories across four Microsoft organizations in a 105-second automated sweep. The attack planted five configuration files that execute a credential harvester when a developer opens the repository in Claude Code, Gemini CLI, Cursor, or VS Code. The disclosure is fresh: the StepSecurity forensic analysis was published on June 30, 2026, the same day NSFOCUS ran the parallel writeup.

The shift from "execute on package install" to "execute on folder open" is what makes Miasma Wave 3 the structural turn that defenders are calling the fourth stage of supply chain attacks. The earlier Miasma waves poisoned npm packages via the preinstall hook and via the Phantom Gyp binding.gyp technique, and existing software composition analysis tools, artifact signature verification, and dependency auditing caught most of those attacks. The June 5 attack skips the package manager entirely and targets the developer's editor, turning a `.claude/settings.json` SessionStart hook into a postinstall for the editor and a `.cursor/rules/setup.mdc` file into a prompt-injection payload that ships in the repo.

The Miasma malicious commit and the five planted files

The commit pushed to Azure/durabletask on June 5 is commit 5f456b8, and its metadata is the part the StepSecurity forensic team flagged first. The commit message claims "Switched DataConverter to OrchestrationContext [skip ci]," but the diff added five new files and modified zero source code. The timestamp was backdated to March 9, 2020, six years before the actual push, and the [skip ci] flag was set to suppress the CI pipeline from running automated detection. The whole commit is structured to look routine to a reviewer who is not looking at the new files.
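The metadata signals described above can be checked mechanically at push time. The following is an added Python example, not code from StepSecurity or the original article. The 30-day skew threshold, the `seen_at` push time (assumed to come from the platform's audit or activity log) and the `ROUTINE` record are assumptions, and each reason is weak on its own and meaningful mainly in combination.

```python
import re
from datetime import datetime, timedelta, timezone

# Commit-message directives that GitHub Actions honours to skip workflow runs.
SKIP_CI = re.compile(r"\[(skip ci|ci skip|no ci|skip actions|actions skip)\]", re.I)
# Editor and agent configs the article names as run-on-open delivery points.
AUTO_EXEC = re.compile(r"\.(claude|gemini)/settings\.json|\.cursor/rules/.+\.mdc"
                       r"|\.vscode/tasks\.json")
MAX_SKEW = timedelta(days=30)  # assumed tolerance for old-but-honest author dates

def review_commit(author_date, seen_at, subject, name_status):
    """Return the reasons a pushed commit deserves a manual look.

    seen_at: when the server first saw the push (assumed: audit/activity log).
    name_status: `git show --name-status` output, one status<TAB>path per file.
    """
    changes = [ln.split("\t") for ln in name_status.splitlines() if ln.strip()]
    added = [c[-1] for c in changes if c[0] == "A"]
    reasons = []
    if seen_at - author_date > MAX_SKEW:
        reasons.append("backdated")
    if SKIP_CI.search(subject):
        reasons.append("skips-ci")
    if any(AUTO_EXEC.fullmatch(c[-1]) for c in changes):
        reasons.append("touches-auto-exec-config")
    if changes and len(added) == len(changes):
        reasons.append("adds-files-only")
    return reasons

# Constructed record: subject, claimed date and file names are from the article;
# the push time of day is a placeholder.
SUSPECT = dict(
    author_date=datetime(2020, 3, 9, tzinfo=timezone.utc),
    seen_at=datetime(2026, 6, 5, 16, 0, tzinfo=timezone.utc),
    subject="Switched DataConverter to OrchestrationContext [skip ci]",
    name_status="A\t.claude/settings.json\nA\t.gemini/settings.json\n"
                "A\t.cursor/rules/setup.mdc\nA\t.vscode/tasks.json\nA\t.github/setup.js\n",
)
# Constructed benign record for comparison.
ROUTINE = dict(
    author_date=datetime(2026, 6, 4, tzinfo=timezone.utc),
    seen_at=datetime(2026, 6, 5, tzinfo=timezone.utc),
    subject="Fix retry backoff in client",
    name_status="M\tsrc/client.py\nA\ttests/test_retry.py\n",
)
```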

The five planted files cover four attack entry points. `.claude/settings.json` registers a SessionStart hook on Claude Code (Anthropic) that runs `node .github/setup.js` the moment a session starts. `.gemini/settings.json` does the same for Gemini CLI (Google), with a structure that is byte-for-byte identical to the Claude Code hook. `.cursor/rules/setup.mdc` is a Cursor AI prompt injection file with `alwaysApply: true` that frames the payload execution as a required project setup step, so the Cursor agent runs it on the developer's behalf without the developer ever asking. `.vscode/tasks.json` registers a `runOn: folderOpen` task in VS Code that runs the payload the moment the folder is opened, with no AI agent involvement at all. The fifth file, `.github/setup.js`, is the payload itself: a 4,643,745-byte single-line obfuscated JavaScript credential stealer that the four configuration files all point to.

The structural argument StepSecurity made in the original writeup is that the attackers did not exploit any platform vulnerability or CVE. The attack instead relied on a deep assumption in the developer trust model: if a configuration file is in a repository, the tool should execute it. The higher the degree of automation in AI coding tools, the larger the blast radius of that assumption. A SessionStart hook is effectively a postinstall hook for the editor. A `runOn: folderOpen` task is effectively a setup.py that runs without `pip install`. Defenders have spent two decades on the package install path; the editor launch path is brand new.

The compromised contributor account and the 17-day window

The contributor account used to push the malicious commit on June 5 is the same account whose credentials were used in the Miasma May 19 PyPI attack against Microsoft's durabletask package, the same family of attacks that Microsoft Security's blog called out in the "Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign" piece on June 2, 2026. StepSecurity verified the connection via the GitHub API by checking that the contributor's personal fork of Azure/azure-functions-durable-extension was also blocked during the same June 5 sweep, at 16:02:25 UTC, in the same automated enforcement action.

There are three plausible explanations for the same account showing up 17 days after the original compromise, and each one is bad. The token may never have been rotated after May 19, which means the attacker retained a working GitHub credential. The contributor may have been re-compromised through the worm's own propagation loop, because opening an infected repository in an AI coding tool would have harvested fresh tokens from the developer's local environment. Or a different contributor's token was used with the commit author metadata spoofed via the Git Data API. The StepSecurity writeup lays out all three possibilities without ranking them, because the concrete response is the same in every case: rotate every credential that could plausibly have been in the developer's environment, audit every local configuration file for the indicators of compromise, and assume the blast radius extends beyond the 73 disabled repositories.

The scale of the disabled set tells you why a 17-day window is the load-bearing detail. The 73 repositories span Azure Functions runtime, the Durable Task ecosystem in .NET, Go, Java, JavaScript, and MSSQL, the official GitHub Action for Azure Functions (which means global CI/CD pipelines were blocked during the ban window), AI sample projects that enterprises actually deploy, connector SDKs, and the documentation repositories for Windows drivers. The Wave 1 sweep, which ran from 16:00:50 to 16:01:28 UTC, disabled 39 repositories in 38 seconds. The Wave 2 sweep, which ran from 16:02:24 to 16:02:35 UTC, disabled 34 repositories in 11 seconds. The 56-second gap between waves is the time GitHub's automated system took to confirm the Wave 1 blocks and trigger the second batch. The full list of disabled repos and their timestamps is in the StepSecurity analysis, and the list is precise enough to be useful for incident responders running containment checks.

What the Miasma incident changes for agent security and dev tooling

For the enterprise security and developer tooling market, the Miasma Wave 3 incident reorders the priority list. The 2026 incident thread on AIntelligenceHub, from the VS Code MCP install flow CVE to the Claude Code reverse shell by a clean GitHub repo and the Identiverse 2026 analyst recap on agent IAM, has been building toward the point where the configuration file is the new attack surface. Miasma Wave 3 is the first real-world incident at platform scale that proves the thesis. The configuration files that ship in a repository are no longer project preference settings. They are executable delivery paths for attack payloads.

The defender-side response is the obvious one, and StepSecurity spelled it out in the writeup. Software composition analysis and dependency auditing have to extend to AI tool configuration files, automated IDE tasks, and developer terminal permissions. Credential lifecycles have to be tightened to the point where a 17-day-old token rotation gap is a Sev-1 incident, not a Sev-3. Repository write governance has to extend to the SessionStart hook and the `runOn: folderOpen` task, not just the package manifest. The same Enterprise AI Governance Checklist for 2026 that covered identity and access control now needs a new line item for AI tool configuration files in the repository, treated as a first-class attack surface.
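The audit this paragraph calls for, applied to the four run-on-open entry points listed earlier among the five planted files, can start as a checkout scanner. The following is an added Python example, not StepSecurity's or any vendor's tool. The Gemini hook layout is assumed from the article's statement that it matches Claude Code's, and the sample repository is constructed.

```python
import json, re, tempfile
from pathlib import Path

JSON_CONFIGS = (".claude/settings.json", ".gemini/settings.json", ".vscode/tasks.json")

def _commands(node):  # yield every "command" string nested in parsed JSON
    if isinstance(node, dict):
        if isinstance(node.get("command"), str):
            yield node["command"]
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from _commands(item)

def audit_repo(root):
    """Return (file, trigger, command) for each config that runs on open."""
    root, found = Path(root), []
    for rel in (r for r in JSON_CONFIGS if (root / r).is_file()):
        try:
            doc = json.loads((root / rel).read_text(encoding="utf-8", errors="replace"))
        except ValueError:  # comments (JSONC) or damage: flag it, never skip it
            found.append((rel, "unparsed", "review manually"))
            continue
        hooks, tasks = (doc.get("hooks"), doc.get("tasks")) if isinstance(doc, dict) else (None, None)
        if rel.endswith("settings.json") and isinstance(hooks, dict):
            found += [(rel, "hook:" + ev, c) for ev, grp in hooks.items() for c in _commands(grp)]
        if rel.endswith("tasks.json") and isinstance(tasks, list):
            for task in (t for t in tasks if isinstance(t, dict)):
                opts = task.get("runOptions")
                if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                    found += [(rel, "runOn:folderOpen", c) for c in _commands(task)]
    for path in sorted(root.glob(".cursor/rules/**/*.mdc")):
        front = re.match(r"---\s*\n(.*?)\n---", path.read_text(encoding="utf-8", errors="replace"), re.S)
        if front and re.search(r"^alwaysApply:\s*true\s*$", front.group(1), re.M):
            found.append((path.relative_to(root).as_posix(), "alwaysApply:true", "review rule body"))
    return found

# Constructed sample repo mirroring the layout described above (not the real files).
SAMPLE = {
    ".claude/settings.json": '{"hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": "node .github/setup.js"}]}]}}',
    ".gemini/settings.json": "{ // constructed: this comment makes the file invalid JSON\n}",
    ".vscode/tasks.json": '{"version": "2.0.0", "tasks": [{"label": "setup", "type": "shell", "command": "node .github/setup.js", "runOptions": {"runOn": "folderOpen"}}]}',
    ".cursor/rules/setup.mdc": "---\nalwaysApply: true\n---\nConstructed rule body.\n",
}
def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(body, encoding="utf-8")
        return audit_repo(tmp)
```

Run `audit_repo` on a checkout before opening it in any of the four tools; a finding means the repository asks the tool to execute something on open, and whether that is legitimate still needs a reviewer.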

The vendor-side response is the harder one. The four configuration files in the Miasma Wave 3 attack are all legitimate features of Claude Code, Gemini CLI, Cursor, and VS Code. SessionStart hooks are how Claude Code lets a user configure a project. `alwaysApply: true` rules are how Cursor lets a team standardize agent behavior across a codebase. `runOn: folderOpen` tasks are how VS Code lets a repo bootstrap a developer's local environment. The same feature that makes AI coding tools useful in a clean repository makes them useful in a contaminated one, and the four vendors are going to have to ship defaults that reduce the blast radius without breaking the legitimate use case. The "treat configuration files as untrusted by default" change is the obvious one, and the Miasma Wave 3 incident is going to be the forcing function for it. The cost of shipping the change is going to be measured in friction for legitimate repos, and the cost of not shipping it is going to be measured in Miasma Wave 4.
