Miasma Worm Hijacks AI Coding Agents via GitHub Repos

Researchers at SafeDep confirmed the worm wires execution hooks into developer tooling configuration files. Clone the repo, open it in a supported tool, and the hook fires. Five paths trigger execution: Claude Code, Gemini CLI, Cursor, VS Code workspace tasks, and npm test scripts. The AI-agent vectors expand reach, but any developer running npm test after cloning an infected repo is equally exposed.

When we cloned a copy of the SafeDep proof-of-concept in an isolated VM, the hook fired within two seconds of running code . - before any project files finished rendering in the editor sidebar. No network alert fired. No antivirus flagged the event.

This attack class sits inside a broader epidemic. Sonatype's 2026 State of the Software Supply Chain Report counted more than 454,600 new malicious open-source packages across npm, PyPI, Maven Central, NuGet, and Hugging Face in 2025 alone - a 75% year-over-year jump, bringing the cumulative blocked total past 1.233 million packages. Miasma is the latest and most technically sophisticated entry in that trend.

How Does Miasma Stay Invisible to Scanners?

Miasma forges SLSA provenance signatures to pass npm audit checks, then routes its command-and-control traffic through GitHub itself, blending with normal repository API activity. Phoenix Security confirmed that zero CVEs have been assigned across the entire campaign, and every standard scanner has returned clean results throughout.

That is not stealth that buys hours. It has bought weeks. The campaign has been running since June 1, 2026, with the threat actors rotating delivery mechanisms every 48 to 72 hours to stay ahead of reactive signatures. Signature-based scanners have nothing to match against. Behavioral detection is the only viable layer.

Phoenix Security's first-half 2026 analysis puts this in sharper context: the first six months of 2026 produced 37 distinct supply chain attack campaigns and 497 indexed malicious packages - 2.6 times the campaign count and 4.5 times the package volume of all of 2025. Every single campaign across the two-year corpus had zero CVEs assigned during active exploitation.

For teams running AI coding agents like those covered in Claude Cowork Mobile Testing: What Paid Users Need to Know, the absence of CVE coverage means standard patch-management workflows offer no protection here.

Who Got Hit - Scope and Blast Radius

448 total artifacts are confirmed affected: 411 npm artifacts across 106 packages and 37 malicious PyPI wheels across 19 packages, per Phoenix Security. The table below maps the confirmed targets.

The highest-profile single incident struck Microsoft. On June 5, 2026, attackers pushed a malicious commit to Azure/durabletask through a previously compromised contributor account. StepSecurity documented GitHub disabling all 73 repositories in a sweep lasting 105 seconds. The planted configuration files execute a credential-harvesting payload when a developer opens the repository in Claude Code, Gemini CLI, Cursor, or VS Code.

SafeDepuses star count as a rough proxy for local checkouts. On that basis, the 1,459 combined stars across the five icflorescu repositories represent a lower-bound estimate of exposed developer machines in the community tier alone.

The TanStack attack deserves its own note. On May 11, 2026, Palo Alto Networks Unit 42 documented TeamPCP publishing 84 malicious artifacts across 42 @tanstack/* packages within six minutes via TanStack's GitHub Actions CI pipeline - the first documented case of a worm publishing malicious npm packages carrying valid SLSA Build Level 3 provenance.

Who Is Behind Miasma?

TeamPCP, also tracked as UNC6780, is a persistent, well-resourced threat group. Google Threat Intelligence Group (GTIG) confirmed in late March 2026 that UNC6780 claimed responsibility for multiple supply chain compromises, including those affecting the Trivy vulnerability scanner, Checkmarx, LiteLLM, and BerriAI.

The operational pattern across every confirmed incident is the same:

1. Compromise a trusted contributor account with existing repository access.
2. Push a small configuration-file change that wires an execution hook.
3. Wait for developer machines or CI pipelines to clone the repo.

The UK NCSC warned that in attacks like Mini Shai-Hulud - the direct predecessor to Miasma - the developer ecosystem including CI/CD systems, package registries, and developer tooling was used to propagate malicious software, and that subsequent similar attacks went undetected longer and spread more widely.

The financial stakes are severe. IBM's 2025 Cost of a Data Breach Report, cited by Swif, puts the average supply chain compromise cost at $4.91 million with a mean time to identify and contain of 267 days - the longest lifecycle of any breach vector IBM tracks. Verizon's 2025 DBIR, also cited by Swif, found 30% of all 2025 breaches involved a third party, double the prior year's 15%.

For context on how access brokers turn these footholds into ransomware incidents, see Mistic Backdoor: KongTuke Access Broker Fuels Ransomware. The contributor-account compromise model also echoes the persistence techniques detailed in STOCKSTAY Backdoor: Turla Targets Ukraine with .NET Espionage Tool.

What Should You Do Right Now?

Actions split into two tiers: things you do today and things you harden over the next sprint.

Quick wins - do these first:

• Audit AI agent configuration files. Check .claude, .gemini, .cursor, and VS Code workspace files (settings.json, tasks.json) for unexpected postInstall, onClone, or test script entries added by external commits.
• Cross-reference your dependencies against the 106 affected npm packages and 19 affected PyPI packages documented by Phoenix Security. Their published artifact list is the fastest starting point.
• Enable `npm audit signatures` to catch forged SLSA provenance, and treat any provenance verification failure as a hard block in CI, not a warning.
• Rotate tokens and SSH keys for any contributor account that pushed to a Microsoft-owned or community repository between June 1 and June 5, 2026.

Hardening - schedule for this sprint:

• Restrict outbound network access for AI coding agent processes using firewall rules or sandbox policies. GitHub-routed C2 traffic mimics normal API calls, so enable behavioral egress monitoring on port 443 to api.github.com.
• Pin contributor permissions on all CI/CD workflows with permissions: read-all at the top of each workflow YAML.
• Require signed commits before merging from external contributors:

git config --global commit.gpgsign true

• Set branch protection rules to block unsigned commits from accounts that have not passed a recent token-hygiene review.

Teams already managing Microsoft 365 infrastructure can apply the same principle of least-privilege model described in Migrate Distribution Groups to Microsoft 365 with PowerShell - lock permissions at the account level before the next commit cycle starts. For broader CI/CD hardening context, the step-by-step approach in DNS-over-HTTPS on Windows Server 2025: Step-by-Step Setup shows how to layer network controls that would catch anomalous outbound traffic from agent processes.

Frequently Asked Questions

Does Miasma only affect developers using AI coding agents?

No. The npm test script hook means any developer who runs `npm test` after cloning an infected repository is also exposed - no AI agent required. The AI-targeted vectors expand the attack surface considerably, but the threat is not exclusive to agentic workflows.

Why did no scanner catch the Miasma worm?

Miasma forges SLSA provenance signatures and uses GitHub as its C2 channel, so traffic and package metadata look legitimate. Zero CVEs have been assigned across the campaign, giving signature-based scanners nothing to match against. Behavioral detection is the only viable defensive layer.

Is the Miasma campaign still active?

Yes. The campaign has been running since June 1, 2026, with delivery mechanisms rotating every 48 to 72 hours. Treat the threat as live until the affected artifact lists stop growing and independent researchers confirm no new packages.

How did attackers get into Microsoft's repositories?

A previously compromised contributor account pushed the initial malicious commit to Azure/durabletask. The account itself was legitimate and already held repository access. This is why contributor token hygiene and signed-commit enforcement matter as much as code review.