From Open Source to Microsoft in One Hop
The Miasma supply chain worm, which first surfaced in Red Hat npm packages and then spread to 57 additional packages with 647,000 monthly downloads, escalated in June 2026 to a new target class: Microsoft's own GitHub infrastructure. A recompromised contributor account — an individual who had legitimate commit access to Azure repositories — pushed malicious commits into Azure's durabletask repository, a core component of Azure's Durable Functions framework.
The compromised commits did not modify application code. They planted configuration files — .cursorrules, .claude directory structures, VS Code workspace settings — designed to execute credential-harvesting payloads when the repository is opened in an AI coding agent or an IDE with AI integration. The attack targets the moment a developer or an automated agent clones the repository and opens it in their development environment.
AI Agent Config Files as Attack Vectors
The Miasma worm's strategy against Microsoft reveals a new supply chain attack pattern: targeting the configuration files that AI coding agents read on startup. When Claude Code opens a repository, it reads .claude/settings.json and CLAUDE.md. When Cursor opens a repository, it reads .cursorrules. When Gemini CLI initializes, it reads similar configuration files. These files can contain instructions, tool configurations, and in some cases, executable hooks.
By planting malicious configuration files in trusted Microsoft repositories, the Miasma worm created a payload delivery mechanism that activates not when code is compiled or executed, but when a repository is merely opened. The distinction matters. Code review catches malicious application code. Configuration files in trusted repositories receive less scrutiny — they are expected to be there, and their contents are often treated as non-executable.
The Broader Shai-Hulud Campaign
The Microsoft compromise is one front in the larger Shai-Hulud campaign, which has distributed 300+ malicious package versions across 57 npm packages. The campaign operates through recompromised contributor accounts — individuals whose credentials were previously stolen and who have since regained access but whose tokens or session cookies remain in circulation. The worm reactivates dormant access rather than creating new accounts.
GitHub's automated enforcement systems detected the malicious commits and disabled all 73 affected repositories in a 105-second sweep. The speed of the response reflects improvements in GitHub's automated malware detection. But the 105-second window still represents a period during which any developer or AI agent that cloned one of the affected repositories would have received the malicious configuration files.
What This Means for Enterprise Development
The compromise of Microsoft's own repositories demonstrates that organizational trust is not repository trust. Microsoft maintains thousands of GitHub repositories with hundreds of contributors. Each contributor account is an entry point. Each configuration file is a potential payload container. The Miasma worm found one account, planted files in one repository, and the blast radius extended to 73 repositories across four organizations before automated systems intervened.
For organizations using AI coding agents in development workflows, the Miasma campaign establishes that repository configuration files are a security-critical surface. Agent configuration should be verified against known-good baselines before execution. Repositories from trusted organizations still require integrity checks on configuration files — particularly files that AI agents process automatically on initialization.
