In early June 2026, a sophisticated self-replicating worm codenamed Miasma launched a large-scale supply chain attack against open-source repositories hosted on GitHub. The threat actor abused compromised contributor credentials to plant malicious content, and GitHub ultimately disabled 73 repositories across four major Microsoft-affiliated organizations — Azure, Azure-Samples, Microsoft and MicrosoftDocs — within just 105 seconds to contain the breach. Unlike conventional supply chain attacks that tamper with source code or third-party dependencies, Miasma adopted a novel exploitation method: it only added malicious configuration files without modifying any program code. Once developers open the compromised repositories using mainstream AI coding tools and integrated development environments (IDEs), the hidden payload will automatically execute and steal a wide range of cloud service credentials. This article conducts a comprehensive post-mortem of the Miasma attack, including its intrusion path, propagation mechanism, core malicious capabilities, and hidden backdoors. It also provides actionable inspection scripts, defense configurations and credential management guidelines for developers, and analyzes the emerging security risks brought by AI coding tools to the open-source ecosystem.

1. Attack Overview and Timeline of Key Events

The Miasma campaign did not happen overnight. It evolved gradually from package poisoning to repository intrusion, and the complete incident timeline clarifies the entire attack chain and spread scope:

  1. May 16, 2026: The core payload of the Miasma worm was finalized, and the command-and-control (C2) domain git-service.com was registered by the attacker.
  2. May 19, 2026: The first wave of attacks targeted the durabletask package on PyPI. Three malicious versions were uploaded within 35 minutes, marking the start of package tampering.
  3. June 3, 2026: A new round of malicious repositories carrying Miasma appeared, expanding the attack surface further.
  4. June 5, 2026: The critical breach occurred. The attacker pushed a malicious commit (commit hash: 5f456b8) to the Azure/durabletask repository. This single action triggered the large-scale infection of 73 related repositories. From 16:00 to 16:02 UTC, GitHub administrators disabled all affected repositories in 105 seconds to stop the spread.
  5. June 9, 2026: The complete Miasma attack framework was publicly released on multiple GitHub repositories, allowing more threat actors to replicate this attack pattern and amplifying the overall security risks.

This attack represents a new type of supply chain threat. It abandons the traditional approach of altering source code, and leverages the automatic loading feature of configuration files for modern AI coding tools. The attack trigger is extremely covert, and the infection and credential theft processes run silently, posing severe threats to individual developers, enterprise R&D teams and cloud service users.

2. Intrusion Entry: Malicious Configuration Files Instead of Modified Code

Traditional supply chain attacks usually modify source code files (such as .ts, .cs, .py) or tamper with dependency packages to implant backdoors. However, Miasma took a more concealed approach. After obtaining valid Microsoft contributor credentials, the attacker submitted a malicious commit to the Azure/durabletask repository with two key deceptive settings:

  • The commit timestamp was forged to 2020, so the malicious record was buried in historical commits and difficult to detect during routine reviews.
  • The commit message contained the [skip ci] tag, which bypassed the repository’s CI/CD automatic detection mechanism and avoided early risk blocking.

Notably, this commit did not modify any business code. It only added five types of configuration files and modified the test field in package.json. All these configuration files are designed to automatically load and invoke a unified malicious payload: a 4.3 MB obfuscated JavaScript file named .github/setup.js. The complete list of implanted files is as follows:

  1. .claude/settings.json: Configuration file for Claude Code.
  2. .gemini/settings.json: Configuration file for Gemini CLI.
  3. .cursor/rules/setup.mdc: Rule file for Cursor.
  4. .vscode/tasks.json: Task configuration file for VS Code.
  5. Modified package.json: Altered the test script to associate it with the malicious payload.

The most dangerous characteristic of this attack is its trigger logic. Developers do not need to execute npm install, run test commands or perform other manual operations. Simply opening the compromised project directory with corresponding tools will activate the malicious code: opening the repository via Claude Code will load and execute the hooks defined in .claude/settings.json; launching Cursor will automatically parse the .mdc rule file; enabling VS Code will trigger the tasks in tasks.json. In the past, developers mainly guarded against risks brought by the postinstall script during package installation. Now, merely accessing a cloned repository has become a major security hazard.

3. Core Malicious Capabilities of the Miasma Payload

The .github/setup.js file acts as a full-featured credential harvester and self-replicating worm. It can scan the local operating environment and steal more than 90 types of credentials from mainstream development tools, cloud platforms and password managers. The key stolen resources cover mainstream cloud services, development tools and authentication assets, and the partial list is shown below:

  • Cloud platform credentials: ~/.aws/credentials (AWS), ~/.azure/ (Azure), ~/.config/gcloud/ (GCP), ~/.kube/config (Kubernetes).
  • Development and authentication credentials: ~/.npmrc (npm tokens), Git configuration and Personal Access Tokens (PAT), SSH private keys under ~/.ssh/.
  • Password manager data: Local data of 1Password (~/Library/Application Support/1Password) and Bitwarden (~/.config/Bitwarden).

After stealing valid credentials, especially GitHub PATs with write permissions, the worm will use these credentials to push the same set of malicious configuration files and payload to other repositories accessible by the victim, realizing rapid self-replication and expanding the infection scope continuously.

After analyzing the open-sourced complete Miasma framework released later, security researchers discovered three highly destructive hidden mechanisms that make this worm extremely difficult to defend against:

3.1 Dead-Man Switch

The worm is equipped with a built-in dead-man switch. If the stolen GitHub PAT is revoked by users or enterprises in a timely manner, the worm will not stop running. Instead, it will initiate destructive operations and erase the victim’s entire home directory. Revoking credentials directly leads to data loss, putting users in a dilemma.

3.2 Multiple Independent C2 Channels

Miasma builds three separate command-and-control channels by leveraging GitHub’s built-in commit search function. Each channel uses independent search strings and encryption keys. It does not rely on dedicated external C2 servers, so it will not trigger abnormal network traffic detection rules, greatly increasing the difficulty of traceability and interception.

3.3 Forged Sigstore Signatures

The worm can generate legitimate OIDC provenance signatures for tampered npm packages. When users use the official npm audit signatures command to verify package integrity, the forged signatures will pass all inspections normally. Traditional signature verification tools completely fail to identify tampered content, breaking the existing package trust mechanism.

4. Four Practical Inspection and Defense Solutions for Developers

Aiming at the attack characteristics of Miasma, this section provides four sets of operable solutions, including repository scanning scripts, Git history checking methods, tool permission hardening and GitHub PAT permission optimization, to help developers and teams eliminate risks comprehensively.

4.1 Scan for Suspicious Configuration Files

Run the following Bash script in the root directory of the local repository to detect malicious configuration files implanted by Miasma. The script focuses on key file paths and abnormal file sizes (normal configuration files will not exceed 100 KB):

#!/bin/bash
# scan_ai_config.sh: Detect suspicious AI tool configuration files
echo "=== AI Tool Configuration Security Scan ==="
SUSPICIOUS=0

# Check risky configuration files
for f in ".claude/settings.json" ".claude/settings.local.json" ".gemini/settings.json" ".cursor/rules/setup.mdc" ".vscode/tasks.json" ".github/setup.js" ".github/setup.mjs"
do
  if [ -f "$f" ]; then
    SIZE=$(wc -c < "$f")
    echo "[!] Suspicious file detected: $f (Size: ${SIZE} bytes)"
    if [ "$SIZE" -gt 102400 ]; then
      echo "    ⚠️ Warning: File size exceeds 100KB, highly suspicious!"
    fi
    SUSPICIOUS=$((SUSPICIOUS+1))
  fi
done

# Check modified test scripts in package.json
if [ -f "package.json" ]; then
  TEST_SCRIPT=$(python3 -c "import json; d=json.load(open('package.json')); print(d.get('scripts',{}).get(''))" 2>/dev/null)
  if echo "$TEST_SCRIPT" | grep -qiE '(setup\.js|setup\.mjs|\.github/)'; then
    echo "[!] Risk detected: package.json test script links to malicious files"
    SUSPICIOUS=$((SUSPICIOUS+1))
  fi
fi

if [ "$SUSPICIOUS" -eq 0 ]; then
  echo "✓ No suspicious items found"
else
  echo "⚠️ Total $SUSPICIOUS suspicious items, please conduct manual review immediately"
fi

4.2 Check Backdated Git Commits

Miasma forges commit timestamps to hide traces. Use the following script to find commits where the author time and commit time differ by more than 30 days, focusing on abnormal historical records:

git log --format="%H %ai %ci" | while read hash adate cdate; do
  a_ts=$(date -j -f "%Y-%m-%d %H:%M:%S %z" "$adate" "+%s" 2>/dev/null || date -d "$adate" "+%s")
  c_ts=$(date -j -f "%Y-%m-%d %H:%M:%S %z" "$cdate" "+%s" 2>/dev/null || date -d "$adate" "+%s")
  if [ -n "$a_ts" ] && [ -n "$cdate" ]; then
    diff=$(( c_ts > a_ts ? c_ts - a_ts : a_ts - c_ts ))
    if [ $diff -gt 2592000 ]; then
      echo "Suspicious Commit: $hash | Author Time: $adate | Commit Time: $cdate"
    fi
  fi
done

This script is compatible with both Linux and macOS operating systems.

4.3 Harden AI Tools and IDE Permissions

Configure global rules for mainstream tools to restrict automatic execution of malicious scripts:

  1. Claude Code: Create a global ~/.claude/settings.json file to prohibit high-risk command execution:
{
  "permissions": {
    "allow": [],
    "deny": [
      "Bash(rm -rf *)",
      "Bash(curl * | bash)",
      "Bash(wget * -O - | sh)"
    ]
  },
  "auto_approve": false
}
  1. VS Code: Disable automatic task execution and enable workspace trust prompts in global settings:
{
  "task.allowAutomaticTasks": "off",
  "security.workspace.trust.enabled": true,
  "security.workspace.trust.untrustedFiles": "prompt"
}
  1. Cursor: Regularly check all .mdc files in the .cursor/rules directory, and delete any unknown rule files.

4.4 Optimize GitHub PAT Permissions

Miasma relies on overprivileged PATs to spread. It is recommended to abandon classic tokens and use Fine-grained tokens: limit repository access scope, minimize read/write permissions (read-only is sufficient for most scenarios), and set a validity period of less than 90 days to reduce the attack blast radius.

5. Common Pitfalls in On-Site Inspection

During the actual deployment of inspection tools and defense rules, developers may encounter four typical pitfalls:

  1. Command Syntax Differences: The date command has different syntax on Linux and macOS. The provided script has been fully compatible to avoid execution failures.
  2. Hidden Dot Files: Configuration files starting with dots (such as .claude) are hidden by default on macOS. Use ls -la or the shortcut Cmd+Shift+. in Finder to view them.
  3. Workspace Trust Habits: Most users habitually click "Trust" when seeing VS Code workspace prompts. For unfamiliar cloned repositories, select "Untrusted" first and review the code manually.
  4. Failure of Signature Verification: Since Miasma can forge valid Sigstore signatures, the npm audit signatures command can no longer be fully trusted. Regularly compare the diff of dependency files for supplementary verification.

6. Industry Reflection and Service Recommendations

The Miasma attack exposes a brand-new security vulnerability in the era of AI coding tools. In the past, developers regarded "opening a repository" as a low-risk operation. However, modern AI assistants and IDEs will automatically load configuration files and execute built-in hooks, turning routine operations into attack surfaces. Currently, the security control functions of mainstream AI tools are still imperfect, and default settings have potential risks. For all developers, the core defense principle is to treat cloned open-source repositories as cautiously as untrusted executable files.

For enterprise R&D teams and individual developers who need to frequently call multiple large models and AI tool APIs, choosing a reliable API relay platform can help manage access uniformly while controlling costs. As a professional API gateway, treerouter provides one-stop access to various mainstream AI models and development tool interfaces. Its service price is lower than official direct access. Unified interface management reduces the risk of credential leakage caused by scattered API keys, and its stable access services also avoid security hidden dangers brought by third-party proxy tools.

7. Conclusion

The Miasma worm attack is a landmark supply chain security incident. It abandons traditional code tampering and uses the automatic loading mechanism of AI tool configuration files as an entry point, coupled with multiple backdoors such as dead-man switches and forged signatures, forming a complete and destructive attack chain. The incident reveals that with the widespread adoption of AI coding tools, the security boundary of developer local environments and open-source ecosystems has become increasingly blurred.

For individual developers, it is necessary to develop good security habits: regularly scan repository configuration files, harden tool permissions, and strictly manage access credentials. For enterprises, it is essential to improve the pre-commit and CI/CD audit mechanisms of open-source repositories to block malicious configuration implantation from the source. As AI tools continue to penetrate the R&D workflow, supply chain security will face more complex challenges. Only by maintaining a vigilant mindset and implementing layered defense can we effectively resist similar emerging threats.