11 June 2026 Supply Chain

Miasma Worm: How 73 Microsoft GitHub Repositories Were Compromised via AI Coding Tools — and Why Australian Developers Are Exposed

On 5 June 2026, a self-replicating worm named Miasma swept through four Microsoft GitHub organisations — Azure, Azure-Samples, Microsoft, and MicrosoftDocs — and planted credential-harvesting payloads inside 73 repositories. GitHub's automated abuse detection moved to disable the affected repositories within 105 seconds, but not before the attack disrupted CI/CD pipelines globally, including those used by Australian software teams. The payload specifically activated when developers opened affected repositories in AI coding tools including Claude Code, Gemini CLI, Cursor, and Visual Studio Code — a new and concerning evolution in supply chain attack technique.

Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.

What Happened: The Miasma Worm Hits Microsoft on 5 June 2026

On the morning of 5 June 2026, security firm StepSecurity published research documenting what has since been described as the most significant supply chain attack to target a major technology company since the 2024 XZ Utils incident. A self-replicating worm named Miasma had infiltrated four of Microsoft's GitHub organisations — Azure, Azure-Samples, Microsoft, and MicrosoftDocs — and planted credential-harvesting payloads inside 73 separate repositories.

The initial vector was a single malicious commit pushed to the Azure/durabletask repository, made possible by previously compromised contributor credentials. Once inside, the worm did not simply wait for a developer to execute it: it used the credentials and access tokens found in the repository environment to propagate itself to additional repositories, moving laterally across Microsoft's open source estate in a pattern that StepSecurity's researchers characterised as genuinely self-replicating.

GitHub's automated abuse detection caught the anomaly and disabled all 73 affected repositories in a window of approximately 105 seconds. That response time is, by any measure, fast. But the malicious commits had already landed, and for developers who had the repositories checked out locally — or whose CI/CD pipelines had already triggered a build against the latest commit — that window was sufficient for the payload to execute.

The repositories involved include components used across Azure DevOps, .NET, and a range of internal Microsoft toolchains. For Australian software development teams that pull Microsoft open source components into their build pipelines — and that is a large category, given the dominance of Azure in Australian enterprise cloud — the incident produced immediate, practical disruption: broken builds, failed deployments, and an urgent need to audit exactly what had run in their environments during the affected window.

According to StepSecurity's research, the same contributor account responsible for this attack was also behind the May 2026 compromise of the durabletask PyPI package, suggesting a persistent, well-resourced actor with specific interest in Microsoft's open source infrastructure.

Why This Attack Is Different — and Why It Matters to Australian Teams

Supply chain attacks have grown steadily more sophisticated since the SolarWinds compromise of 2020, but the Miasma incident marks an important tactical shift: it was specifically engineered to execute through AI coding tools.

The malicious commits planted configuration files — files designed to be automatically read and acted upon by AI-assisted development environments — that instructed those tools to execute a credential-harvesting payload when a developer opened the repository. According to TechCrunch's reporting and confirmed by StepSecurity's technical analysis, the affected AI coding tools included Claude Code, Gemini CLI, Cursor, and Visual Studio Code.

This is significant for two reasons. First, AI coding assistants have moved from novelty to standard workflow for a substantial proportion of Australian developers over the past 18 months. These tools routinely read repository configurations automatically on startup, which makes them an efficient delivery vector for attackers who can plant malicious instructions in a repository's config files. The developer's machine executes the attack simply by opening a project — no separately launched executable, no suspicious download, no obvious prompt to override.

Second, the technique does not exploit a vulnerability in GitHub, npm, or any of the AI coding tools themselves. There is no CVE to patch and no vendor update that will close this specific attack surface. It is fundamentally a supply chain integrity problem: if an attacker can push a commit to a trusted repository — which Miasma achieved using stolen contributor credentials — any developer who subsequently pulls that repository and opens it in their preferred AI assistant becomes a candidate victim.

For Australian software teams, the practical implication is uncomfortable. A team that runs thorough internal security reviews, follows the Essential Eight, and keeps its own systems patched and monitored may still be exposed the moment it pulls a dependency from a compromised upstream source. That is the nature of supply chain attacks, and it is why the Australian Signals Directorate has increasingly highlighted software supply chain integrity as a priority concern for 2026.

Technical Breakdown: How Miasma Spread and What It Collected

How the payload activated through AI tool configurations

Once the malicious commit landed in a repository, the worm's configuration files sat waiting for a developer to open the project. AI coding tools like VS Code and Cursor routinely read project-level configuration directories on startup — looking for workspace settings, extension configurations, and tool-specific instruction files. Miasma's payload was embedded in files placed precisely in those locations, formatted to look like legitimate project configuration.

When a developer opened an affected repository in one of the targeted tools, the tool executed the instructions it found in those config files, triggering a multi-stage credential harvest. According to The Register's reporting on the incident, GitHub's automated abuse detection identified the pattern within 105 seconds of the initial malicious push and disabled all 73 affected repositories.

What Miasma's payload collected

The Miasma payload is assessed to be a stealthy variant of the RedLine infostealer, adapted for developer environments. Based on StepSecurity's analysis, the credential harvest targeted four categories of data:

Browser-saved passwords: credentials stored in Chrome, Edge, Firefox, and other Chromium- or Gecko-based browsers, including passwords, autofill data, and stored payment details
Authentication tokens: session tokens and OAuth tokens for cloud platforms including Azure, GitHub itself, AWS, and Google Cloud — the credentials that CI/CD pipelines and developer toolchains use to operate
SSH private keys: keys stored in default locations (typically ~/.ssh/) used for repository access and server administration
Crypto wallet data: seed phrases and wallet files for common cryptocurrency applications, a secondary target consistent with other RedLine-family variants

The Shai-Hulud connection and self-replication

Miasma is a direct descendant of the Mini Shai-Hulud worm that surfaced in May 2026 after threat actor group TeamPCP released its source code publicly. An earlier iteration of the same codebase was responsible for the compromise of the Bitwarden CLI npm package — a campaign documented in detail in our Bitwarden CLI supply chain analysis. The public release of the worm's source code has effectively democratised this class of attack: any competent attacker now has access to a working, self-replicating supply chain payload without needing to develop one from scratch.

The self-replication aspect is what distinguishes Miasma from most infostealers. After harvesting credentials from a victim machine, the worm used those credentials to push itself to additional repositories the victim had access to, compounding the blast radius of each successful compromise. GitHub's rapid response contained the spread within Microsoft's own estate, but the underlying capability — a worm that spreads across code repositories using legitimately harvested credentials — represents a meaningful escalation in supply chain attack sophistication.

What Australian Developers Must Do Right Now

Immediate priority — audit your pipeline (this weekend if needed): If your team uses GitHub Actions, search your workflow files for any uses: references to repositories in the Azure, Azure-Samples, Microsoft, or MicrosoftDocs GitHub organisations. GitHub's own security alert system should flag affected dependencies, but manual verification is faster. Any workflow that ran between approximately midnight and 2:00 AM AEST on 6 June 2026 against a Microsoft repository should be treated as suspect.

Review your GitHub organisation's audit log for actions taken during the June 4–6 window. Look specifically for unexpected commits, permission changes, or workflow runs referencing the affected organisations. If any CI/CD job ran against an affected repository during that period, treat the runner environment as potentially compromised and rotate every credential the runner had access to: GitHub tokens, cloud provider API keys, deployment credentials, and any secrets stored as environment variables in the pipeline.

Stop saving passwords in your browser — today.

The Miasma payload specifically targeted browser-saved credentials. This is not a new attack class — RedLine-family infostealers have been targeting browser credential stores for years — but the Miasma incident illustrates once again how a single supply chain compromise can drain browser credential stores across thousands of developer machines in minutes. Browser password storage was designed for convenience, not security. Browsers save credentials to reduce friction; they were not built to withstand dedicated credential-harvesting malware running with user-level access to the machine.

A dedicated password manager stores credentials in an encrypted local vault, keeps them separate from the browser process, and gives you a single interface to audit, rotate, and revoke access across all your accounts when an incident occurs. NordPass supports both individual developers and team vaults for shared service account credentials, with a clear audit trail showing who accessed which credentials and when. When the next Miasma-class payload arrives — and the public release of the Shai-Hulud source code makes further variants likely — a credential vault prevents a compromised browser session from handing attackers your entire digital life.

Harden your GitHub organisation's configuration:

Enable secret scanning for all repositories (Settings → Security → Code security → Secret scanning) to catch any credentials accidentally committed to code
Turn on push protection to block secret commits before they land in the repository
Require signed commits for any repository consumed by automated CI/CD pipelines — signed commits provide an auditable chain of identity that unsigned commits lack
Enforce two-factor authentication across your entire GitHub organisation, and where possible, migrate to hardware security keys (FIDO2/passkeys) rather than TOTP codes, which remain phishable
Pin GitHub Actions workflow steps to specific commit SHAs rather than floating tags like @v3 or @main — a pinned SHA is immutable, while a branch reference can be moved by anyone with write access to the repository

The Bigger Picture: Software Supply Chain Is the New Perimeter

The Miasma incident is the most visible episode in a threat category that Australia's own security guidance has flagged as a growing priority. The Australian Signals Directorate's Essential Eight mitigations include "patch applications" and "restrict administrator privileges" — controls that, applied consistently, reduce the blast radius when an incident like this occurs. But the Essential Eight were primarily designed for a threat model in which the attack arrives via your network perimeter or via phishing. Supply chain attacks bypass that model entirely: the attacker does not need to touch your infrastructure directly. They compromise your upstream dependency and wait for your legitimate development process to do the rest.

For Australian businesses that rely on open source components — which in 2026 means effectively every software team of any kind — rigorous internal patch management is necessary but not sufficient on its own. The additional controls that meaningfully reduce supply chain risk are largely about dependency integrity and least-privilege access:

Dependency pinning is the highest-impact single control for GitHub Actions users. Locking workflow steps to specific commit SHAs rather than tags means that an attacker who compromises a repository and updates its branch references cannot affect your pipeline until you explicitly update your SHA pin. GitHub's own security documentation recommends this practice; Miasma is a case study in why the recommendation exists.

Least-privilege CI/CD tokens matter because Miasma's lateral movement relied on over-permissioned credentials. A pipeline job that only needs to run tests should not hold cloud deployment keys, GitHub organisation admin tokens, or write access to production infrastructure. Organisations that have applied the principle of least privilege to their pipeline credentials would have contained the incident to a much smaller blast radius even if a runner did execute the payload.

Monitoring pipeline logs as a detection signal is underutilised. GitHub's audit logs record every action taken in a repository and organisation, and Miasma's activity was detectable in those logs. Australian software teams that pipe GitHub audit events into a central logging or alerting system have a meaningful advantage over those that only review logs after something breaks. Given that the worm was active for a window measured in seconds before GitHub's automated response, real-time alerting — not retrospective review — is the only detection path that matters at that speed.

Australia's Cyber Security Act 2024 establishes mandatory ransomware payment reporting for businesses exceeding $3 million annual turnover, and the broader legislative direction is towards treating software supply chain integrity as a baseline security requirement, not an optional extra. Incidents like Miasma — and its Shai-Hulud predecessors — are the reason that direction is being codified into law.

The uncomfortable truth is that the attack surface for Australian developers now includes every repository they pull from, every package manager they query, and every AI coding tool they use. That surface is not shrinking. With the Shai-Hulud worm's source code publicly available, further variants are a question of when, not whether. The question is whether your team's monitoring, credential hygiene, and pipeline configuration will detect and contain the next incident before it moves laterally into your own infrastructure — or whether you will first find out about it when your cloud bill spikes or your credentials turn up in a threat intelligence feed.

For a deeper look at how browser-saved credentials continue to enable these attacks, see our coverage of the PureLogs infostealer campaign targeting Australian passwords. Moving credentials from browser storage to a dedicated vault like NordPass is one of the few mitigations that applies to the entire Shai-Hulud family of attacks: if there are no browser-saved passwords to harvest, that collection stage returns nothing of value.