Miasma Wave 3 in 2026: Self-Replicating Worm Hits 73 Microsoft Azure GitHub Repos — AI Coding Agents as the Attack SurfaceMiasma Vague 3 en 2026 : Le Ver Auto-Réplicant Frappe 73 Dépôts GitHub Microsoft Azure — Les Agents IA comme Surface d’Attaque

On June 5, 2026, the Miasma self-replicating worm reached its most high-profile target yet: Microsoft. GitHub disabled 73 repositories across four Microsoft GitHub organizations — Azure, Azure-Samples, Microsoft, and MicrosoftDocs — in an automated sweep lasting just 105 seconds. The worm did not arrive through a compromised Microsoft system. It arrived through a developer's workstation, carried inside a repository the developer had recently cloned — and it spread using a mechanism no security team had seen weaponized at this scale: AI coding agent configuration files.

This is Wave 3 of the Miasma campaign. Wave 1 hit 32 Red Hat @redhat-cloud-services npm packages on June 1. Wave 2 hit @vapi-ai/server-sdk and 56 other packages on June 3. Wave 3 — targeting Microsoft — represents a fundamental escalation: from compromising packages that developers install, to compromising repositories that developers open. The attack surface is no longer just your package.json. It is your entire development environment.

Every fact in this article is verified from primary sources. We cover the full attack chain, the PyPI SDK poisoning, the 105-second GitHub response, and the concrete defenses every developer using AI coding tools must implement today.

The Miasma Campaign: Three Waves in Five Days

To understand Wave 3, you need the full picture. Miasma is a variant of the Mini Shai-Hulud worm that the threat actor group TeamPCP publicly released in mid-May 2026. What distinguishes Miasma from earlier Shai-Hulud variants is its dual propagation strategy: it spreads through both the npm registry (package poisoning) and developer workstations (AI agent config poisoning).

How Wave 3 Started: One Compromised Contributor, 73 Repos

The attack began with a single malicious commit pushed to the Azure/durabletask repository — Microsoft's open-source framework for writing long-running orchestration logic in C#, Go, JavaScript, and Python. The commit was authenticated using the credentials of a previously compromised contributor account — not a direct breach of Microsoft's own systems. This reflects the Miasma worm's documented propagation pattern: it collects GitHub tokens from infected developer machines and uses them to commit to any repository the victim can write to. (Source: The Hacker News, June 2026)

The malicious commit introduced configuration files wired to execute a credential-harvesting payload when a developer opens the repository in any of the following tools: Claude Code, Gemini CLI, Cursor, or VS Code — or runs an npm test script. The 4.3 MB Bun-based payload fires automatically via these entry points, with no additional user interaction required beyond opening the project. (Source: StepSecurity)

The Repositories GitHub Disabled

Among the 73 repositories disabled by GitHub's automated response are some of the most widely referenced Azure infrastructure projects on GitHub:

• Azure/durabletask and its implementations: durabletask-dotnet, durabletask-go, durabletask-js, durabletask-mssql
• Azure/azure-search-openai-demo — the reference RAG architecture used by hundreds of Azure AI deployments
• Azure/functions-container-action — the GitHub Action for deploying Azure Functions in containers
• Azure/llm-fine-tuning — Microsoft's open-source fine-tuning reference repo
• MicrosoftDocs/windows-driver-docs — Windows driver documentation with contributor access widely distributed

The most immediately damaging consequence was the disabling of Azure/functions-action@v1, the official GitHub Action used to deploy Azure Functions. Every workflow on GitHub referencing this action stopped resolving immediately. Within hours, a Microsoft Learn Q&A thread opened with 20+ developers reporting broken CI/CD pipelines. (Source: StepSecurity)

The PyPI Vector: durabletask SDK Poisoned May 19

The GitHub repository attack was not the only infection vector. On May 19, 2026, three consecutive malicious releases of Microsoft's Azure Durable Task Python SDK were uploaded to PyPI — versions 1.4.1, 1.4.2, and 1.4.3 — within a 35-minute window using a compromised PyPI publishing token. (Source: Rescana)

The malicious releases contained a lightweight dropper embedded directly into durabletask/__init__.py. On import, the package downloads and executes a remote payload named rope.pyz from attacker-controlled infrastructure. The dropper is designed to be minimal and fast: it only activates if running in a non-container, non-CI environment — specifically targeting developer workstations over CI runners.

The 4.3 MB Payload: What Miasma Steals

The Bun-based payload that Miasma deploys is one of the most comprehensive credential harvesters documented in an npm/PyPI supply chain campaign. According to technical analyses from StepSecurity and Rescana, it targets 90+ developer tool configurations across the following categories:

Cloud Provider Credentials

• AWS: ~/.aws/credentials, ~/.aws/config, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, instance metadata service (IMDS) credentials on EC2
• Azure: ~/.azure/, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID, Azure IMDS tokens from Azure VM/Container instances
• GCP: ~/.config/gcloud/, GOOGLE_APPLICATION_CREDENTIALS, GCP metadata server credentials

Developer Platform Credentials

• GitHub: ~/.gitconfig, GitHub personal access tokens, GitHub App tokens stored in environment
• npm: ~/.npmrc, NPM_TOKEN env vars — used immediately for self-propagation
• Kubernetes: ~/.kube/config, service account tokens in /var/run/secrets/
• HashiCorp Vault: ~/.vault-token, VAULT_TOKEN

AI Coding Agent Configurations (New in Miasma)

• Claude Code: ~/.claude/credentials.json, ~/.claude/settings.json, API keys
• Gemini CLI: OAuth tokens, project credentials
• Cursor: authentication tokens, extension data
• VS Code: stored authentication tokens, workspace trust settings
• GitHub Copilot: stored tokens in VS Code settings

After exfiltration, the worm uses any stolen npm token to call the npm registry API, enumerate every package the token can publish, bump the patch version of each, inject the Miasma payload into the new version's preinstall hook, and republish — propagating itself to any developer who subsequently installs that package. (Source: StepSecurity)

GitHub's 105-Second Response: What Happened

GitHub's automated threat detection identified anomalous commits across Microsoft repositories and disabled 73 repositories in a coordinated sweep that lasted 105 seconds from the first disable to the last. The speed of the response reflects GitHub's post-TanStack supply chain playbook — after the May 2026 TanStack incident disabled 84 malicious versions in 6 minutes, GitHub invested in automated repository quarantine capabilities. (Source: The Register, BankInfoSecurity)

The 105-second disable window, however, does not mean zero exposure. Any developer who cloned or opened an infected repository between the time of the malicious commit and the GitHub disables — a window of several hours on June 5 — may have had the Miasma payload execute in their development environment. The worm's propagation to other repositories they maintain could have extended the infection window further.

Scale: Key Statistics

Why AI Coding Agents Changed the Attack Surface

The defining feature of Miasma Wave 3 is not the scale of the compromise — it is the propagation mechanism. Previous supply chain attacks required a developer to install a malicious package. Miasma Wave 3 requires only that a developer opens a repository in an AI coding tool.

This is possible because AI coding agents — Claude Code, Gemini CLI, Cursor, VS Code Copilot — read project files automatically on workspace open. Configuration files like AGENTS.md, .claude/settings.json, .cursor/rules, and similar agent instruction files are parsed and executed as part of the tool's initialization. The Miasma payload plants these files in infected repositories, turning the act of opening a project into an attack trigger. (Source: Rescana, ComplexDiscovery)

This represents a new class of supply chain risk that most organizations have not yet inventoried. According to the CrowdStrike 2026 Global Threat Report, AI supply chain attacks via third-party models have increased 3× since 2022, and AI-enabled adversarial activity overall increased 89% year-over-year. The DTEX 2026 Insider Threat Report found that 73% of organizations worry that unauthorized AI use creates invisible data loss pathways — but most enterprise security policies do not yet address the credential exposure surface created by AI agent configuration files. (Source: CrowdStrike, DTEX)

The Miasma Threat Actor: TeamPCP Lineage

Miasma is assessed as a variant of the Mini Shai-Hulud worm that TeamPCP publicly released in mid-May 2026. TeamPCP has been attributed to multiple major supply chain campaigns throughout 2025-2026, including the trivy-action poisoning (March 2026, 10,000+ CI/CD pipelines), the LiteLLM PyPI compromise (March 2026, 95M downloads/month), and the CanisterWorm series (March-April 2026). The group consistently targets high-trust packages used in developer tooling and security infrastructure, with a preference for CI/CD pipeline compromise over direct account takeover. (Source: JFrog, Unit 42)

Immediate Actions: Remediation Checklist

If you cloned or opened any of the 73 affected Microsoft repositories between June 5 and June 6, 2026, or if you have the durabletask Python SDK versions 1.4.1–1.4.3 installed, treat the event as a confirmed credential exposure and complete the following steps immediately:

1. Check for malicious durabletask versions

# Check installed version
pip show durabletask

# Safe versions: ≤1.4.0 or ≥1.4.4
# Malicious versions: 1.4.1, 1.4.2, 1.4.3
# Downgrade if affected:
pip install "durabletask==1.4.0"

2. Check AI coding agent config files for tampering

# Check for unexpected files in AI agent config directories
ls -la ~/.claude/
ls -la ~/.cursor/
ls -la ~/.config/gemini/

# Check AGENTS.md and similar files for unexpected content
# The Miasma payload plants configuration files that look legitimate
# but contain execution instructions for AI agents

3. Rotate all credentials in priority order

1. GitHub tokens: Revoke all personal access tokens, regenerate in GitHub Settings → Developer Settings → Personal access tokens
2. npm publish tokens: npm token list then npm token revoke [id] for all tokens
3. AWS credentials: Rotate in AWS IAM console, check CloudTrail for unauthorized API calls
4. Azure credentials: Revoke in Azure Active Directory, check Activity Logs
5. GCP credentials: Revoke service account keys in GCP Console → IAM → Service Accounts
6. Kubernetes: Rotate service account tokens, check for unauthorized workloads
7. AI coding agent tokens: Re-authenticate each tool (Claude Code, Gemini CLI, Cursor)

4. Check for shell persistence

# Check for Miasma persistence in shell RC files
grep -n "bun\|rope\.pyz\|durabletask\|miasma" ~/.bashrc ~/.zshrc ~/.profile 2>/dev/null

# Check for unexpected cron entries
crontab -l 2>/dev/null

# Check for unexpected npm packages published under your account
# (signs that the self-propagation module ran)
npm access list packages --json 2>/dev/null | jq 'keys[]'

5. Audit repositories you maintain for unexpected commits

# Check recent commits across your orgs for unexpected authors
# or commits adding AGENTS.md / .claude / .cursor files
git log --all --oneline --since="2026-06-01" | head -50

# Check for unexpected config files in the repo root
find . -name "AGENTS.md" -o -name ".claude" -type d -o -name ".cursor" -type d | head -20

Defenses for Teams Using AI Coding Agents

Treat AI agent config files as a security surface

Add AGENTS.md, .claude/, .cursor/, .gemini/, and similar AI agent directories to your security scanning inventory. These files are increasingly used as attack vectors because they are processed automatically and often contain instructions executed with elevated trust. Review them in code review like you would review .github/workflows/. (Source: ComplexDiscovery, CSA Labs)

Enable repository cloning alerts in your SIEM

The Miasma payload only fires when a repository is opened in an AI tool — which typically requires a git clone first. If your team's workstations send Git operation logs to your SIEM, you can alert on clones of repositories that are not in your approved dependency list.

Run AI coding tools in sandboxed environments

Container-based development environments (GitHub Codespaces, Devcontainers, VS Code Dev Containers) limit the AI agent's access to your local credential store. The Miasma payload needs access to ~/.aws, ~/.npmrc, and similar local paths. In a container environment, these paths either don't exist or require explicit volume mounting. This is not a complete defense — but it significantly raises the cost of credential harvesting from a developer workstation.

Use npm provenance and lockfile integrity

# Enable lockfile integrity checking
# In package.json:
"scripts": {
  "preinstall": "npm ci --require-lockfile"
}

# For Python: pin exact versions with hashes in requirements.txt
pip install durabletask==1.4.0 --require-hashes \
  --hash=sha256:<hash_of_safe_version>

Frequently Asked Questions

Le 5 juin 2026, le ver auto-réplicant Miasma a atteint sa cible la plus médiatisée à ce jour : Microsoft. GitHub a désactivé 73 dépôts répartis dans quatre organisations GitHub Microsoft — Azure, Azure-Samples, Microsoft et MicrosoftDocs — en 105 secondes seulement. Le ver n'est pas arrivé via une compromission directe des systèmes Microsoft. Il est arrivé par le poste de travail d'un développeur, transporté dans un dépôt que ce développeur venait de cloner — et s'est propagé grâce à un mécanisme jamais vu avant : les fichiers de configuration des agents IA de développement.

C'est la Vague 3 de la campagne Miasma. La Vague 1 a touché 32 packages npm @redhat-cloud-services le 1er juin. La Vague 2 a touché @vapi-ai/server-sdk et 56 autres packages le 3 juin. La Vague 3 — visant Microsoft — représente une escalade fondamentale : plus seulement des packages que les développeurs installent, mais des dépôts que les développeurs ouvrent. La surface d'attaque n'est plus seulement votre package.json. C'est tout votre environnement de développement.

La campagne Miasma : trois vagues en cinq jours

Miasma est une variante du ver Mini Shai-Hulud que le groupe de menace TeamPCP a rendu public mi-mai 2026. Ce qui distingue Miasma des variantes Shai-Hulud antérieures est sa double stratégie de propagation : via le registre npm (empoisonnement de packages) ET via les postes de développeurs (empoisonnement des configs d'agents IA).

Comment la Vague 3 a commencé : un contributeur compromis, 73 dépôts

L'attaque a débuté par un seul commit malveillant poussé dans le dépôt Azure/durabletask — le framework open-source de Microsoft pour les orchestrations longue durée en C#, Go, JavaScript et Python. Le commit utilisait les credentials d'un compte de contributeur préalablement compromis — pas une violation directe des systèmes Microsoft. C'est le modèle de propagation documenté du ver Miasma : il collecte des tokens GitHub sur les machines infectées et les utilise pour commiter dans n'importe quel dépôt accessible en écriture. (Source : The Hacker News)

Le commit malveillant a introduit des fichiers de configuration conçus pour exécuter une payload de vol de credentials quand un développeur ouvre le dépôt dans Claude Code, Gemini CLI, Cursor ou VS Code. La payload Bun de 4,3 Mo s'exécute automatiquement via ces points d'entrée, sans aucune interaction supplémentaire. (Source : StepSecurity)

Les dépôts désactivés par GitHub

Parmi les 73 dépôts désactivés figurent certains des projets d'infrastructure Azure les plus référencés sur GitHub :

• Azure/durabletask et ses implémentations : durabletask-dotnet, durabletask-go, durabletask-js, durabletask-mssql
• Azure/azure-search-openai-demo — l'architecture RAG de référence utilisée par des centaines de déploiements Azure AI
• Azure/functions-container-action — la GitHub Action officielle pour déployer Azure Functions en containers
• Azure/llm-fine-tuning — le dépôt de référence open-source de fine-tuning Microsoft
• MicrosoftDocs/windows-driver-docs — documentation Windows Driver avec accès contributeur largement distribué

La conséquence la plus immédiatement destructrice a été la désactivation de Azure/functions-action@v1, la GitHub Action officielle pour déployer Azure Functions. Tous les workflows GitHub référençant cette action ont immédiatement cessé de fonctionner. En quelques heures, un fil Microsoft Learn Q&A s'est ouvert avec 20+ développeurs signalant des pipelines CI/CD brisés. (Source : StepSecurity)

Le vecteur PyPI : SDK durabletask empoisonné le 19 mai

L'attaque des dépôts GitHub n'était pas le seul vecteur d'infection. Le 19 mai 2026, trois versions consécutives malveillantes du SDK Python Azure Durable Task ont été uploadées sur PyPI — versions 1.4.1, 1.4.2 et 1.4.3 — en 35 minutes via un token de publication PyPI compromis. (Source : Rescana)

Les releases malveillantes contiennent un dropper léger directement intégré dans durabletask/__init__.py. À l'import, le package télécharge et exécute une payload nommée rope.pyz depuis une infrastructure contrôlée par l'attaquant.

Ce que Miasma vole : 90+ configurations d'outils

La payload Bun de 4,3 Mo cible plus de 90 configurations d'outils sur le poste du développeur : credentials AWS (~/.aws/credentials, IMDS), Azure (~/.azure/, IMDS VM), GCP (~/.config/gcloud/), GitHub tokens, npm tokens (utilisés immédiatement pour l'auto-propagation), Kubernetes (~/.kube/config), Vault tokens, et — nouveauté de Miasma — les configurations des agents IA : Claude Code (~/.claude/), Gemini CLI, Cursor, VS Code Copilot. (Source : StepSecurity, Rescana)

Après exfiltration, le ver utilise tout token npm volé pour énumérer chaque package publiable, incrémenter la version patch, y injecter la payload Miasma et republier — se propageant à tout développeur qui installera ensuite ce package.

Statistiques clés

Pourquoi les agents IA ont changé la surface d'attaque

La caractéristique définissante de la Vague 3 n'est pas l'échelle de la compromission — c'est le mécanisme de propagation. Les attaques supply chain précédentes exigeaient qu'un développeur installe un package malveillant. Miasma Vague 3 exige seulement qu'un développeur ouvre un dépôt dans un outil IA.

Cela est possible parce que les agents IA — Claude Code, Gemini CLI, Cursor, VS Code Copilot — lisent les fichiers projet automatiquement à l'ouverture du workspace. Les fichiers de configuration comme AGENTS.md, .claude/settings.json, .cursor/rules sont parsés dans le cadre de l'initialisation de l'outil. La payload Miasma plante ces fichiers dans les dépôts infectés, transformant l'acte d'ouvrir un projet en déclencheur d'attaque. (Source : Rescana, ComplexDiscovery)

Selon le CrowdStrike 2026 Global Threat Report, les attaques supply chain IA ont augmenté de 3× depuis 2022, et l'activité adversariale IA globale a augmenté de 89% en glissement annuel. 73% des organisations craignent que l'utilisation non autorisée de l'IA crée des chemins invisibles de perte de données — mais la plupart des politiques de sécurité d'entreprise ne traitent pas encore la surface d'exposition des credentials créée par les agents IA. (Source : CrowdStrike, DTEX 2026)

Checklist de remédiation immédiate

Si vous avez cloné ou ouvert l'un des 73 dépôts Microsoft affectés entre le 5 et le 6 juin 2026, ou si vous avez installé durabletask Python SDK versions 1.4.1–1.4.3, traitez l'événement comme une exposition de credentials confirmée :

1. Vérifier la version durabletask : pip show durabletask — rétrograder si 1.4.1/1.4.2/1.4.3
2. Révoquer les tokens GitHub : Paramètres → Developer Settings → Personal access tokens
3. Révoquer les tokens npm : npm token list puis npm token revoke [id]
4. Rotation credentials AWS/Azure/GCP : Consoles IAM respectives, vérifier les logs d'activité
5. Re-authentifier les agents IA : Claude Code, Gemini CLI, Cursor
6. Vérifier la persistance shell : grep -n "bun\|rope\.pyz" ~/.bashrc ~/.zshrc
7. Auditer les dépôts que vous maintenez pour des commits inattendus ajoutant des fichiers AGENTS.md ou .claude/

Défenses pour les équipes utilisant des agents IA

Traitez les fichiers de config agents IA comme une surface de sécurité : Ajoutez AGENTS.md, .claude/, .cursor/, .gemini/ à votre inventaire de scanning sécurité. Passez-les en revue de code comme vous le feriez pour .github/workflows/.

Utilisez des environnements de développement en container : GitHub Codespaces, Devcontainers et VS Code Dev Containers limitent l'accès de l'agent IA à votre store de credentials local. La payload Miasma a besoin d'accéder à ~/.aws, ~/.npmrc, etc. — paths qui n'existent pas ou requièrent un montage de volume explicite dans un container.

Activez la vérification d'intégrité des lockfiles : Pinner les hash SHA256 de vos dépendances critiques empêche l'installation de versions malveillantes même si votre gestionnaire de packages tente de les résoudre.

Questions fréquentes