When the worm targets the assistant: Miasma turns AI coding agents into the trigger

GitHub disabled 73 repositories across four Microsoft organizations on June 5 after the self-replicating supply-chain campaign known as Miasma re-compromised Azure’s durabletask project, according to the research group OpenSourceMalware. It was the most visible strike yet in a campaign whose signature technique points somewhere uncomfortable.

That technique waits for a developer to open a project in an AI coding assistant. Security researchers have documented Miasma planting code in source repositories that detonates inside tools such as Claude Code, Cursor and Gemini CLI, though whether the disabled Microsoft repositories carried that specific payload is not established in the public record. What is clear is the chain that led here, and it runs through three distinct waves.

The shutdown notice itself was blunt. “Access to this repository has been disabled by GitHub Staff due to a violation of GitHub’s terms of service,” read the banner on Azure/azure-functions-host and dozens of sibling projects, per OpenSourceMalware’s June 5 writeup. The disabled repositories spanned Azure, Azure-Samples, Microsoft and MicrosoftDocs, and they took the entire Durable Task family down with them: the .NET, Go, Java, JavaScript and MSSQL implementations all went dark at once.

The Red Hat packages came first

The campaign surfaced on the npm registry. On June 1, Miasma compromised 32 packages under the @redhat-cloud-services namespace, spanning over 90 versions, according to the Microsoft Defender Security Research Team, which published the first detailed teardown on June 2. The malicious code stole credentials from continuous-integration environments and developer machines, then republished trusted packages to spread, the team said. This first wave abused npm trusted publishing and maintainer trust, not any flaw in the registry itself.

Then came Phantom Gyp

Two days later the worm changed its entry point. Rather than the preinstall or postinstall lifecycle scripts that security tooling typically monitors, it began abusing a 157-byte binding.gyp file, a configuration artifact npm associates with native C and C++ add-ons. When npm sees that file during installation, it runs node-gyp rebuild automatically, and the worm rides that legitimate behavior into the environment. Researchers at StepSecurity named the technique “Phantom Gyp.”

That June 3 wave struck @vapi-ai/server-sdk, the official Vapi.ai voice server kit that npm metrics put above 408,000 downloads a month, then spread within an hour to dozens of packages tied to the same maintainer. By the close of that day, researchers at Semgrep counted 57 compromised packages across 286 malicious versions.

And then the source repositories

The third wave skipped the registry entirely, and it is where the AI-agent trigger appears. Examining a compromise of the icflorescu/mantine-datatable project and four related repositories, SafeDep found a commit that “added no dependencies” but “planted a 4.3 MB payload runner and wired it to execute automatically through five developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script.” “The attack detonates when a developer clones one of the affected repos and opens it in an AI coding agent,” the firm said. If that holds as a description of the campaign’s source-repository technique, it would make Miasma one of the first publicly documented supply-chain worms to weaponize AI coding-agent configuration as an execution trigger.

Once it runs, the payload hunts for cloud keys from Amazon Web Services, Google Cloud Platform and Microsoft Azure, GitHub Actions secrets pulled from runner process memory, and local password stores including 1Password, gopass and pass, according to the StepSecurity and Semgrep analyses. Stolen material flows to a dead-drop account on GitHub, liuende501, which those researchers found hosting 236 repositories built to receive encrypted credential files.

A wound that never fully closed

The Microsoft takedown emerged after these source-repository findings and appears connected to the same broader campaign, but the public record reviewed for this article does not establish that the Microsoft repositories carried the same AI-agent-triggered payload SafeDep documented elsewhere. What is documented is the lineage. Azure/durabletask, the repository at the center of the June 5 disablement, was the same project the group TeamPCP poisoned in May to deliver an information stealer on Linux systems. Miasma itself is assessed to be a variant of the Mini Shai-Hulud worm that TeamPCP released publicly in mid-May, according to Akamai.

Paul McCarty, the security researcher behind OpenSourceMalware who tracks the campaign as 6mile, sees a straight line between the two events. “A month later, not only is Azure/durabletask gone, so is every sibling repo in the Durable Task ecosystem,” McCarty said. “When the repo at the root of last month’s compromise is the hub of this month’s takedown, that is not a coincidence. That is the same wound reopening. Whoever held those credentials in May plausibly never fully lost them.”

His point carries an operational lesson. A disabled repository and a rotated token do not close an incident if the original access path survives. Teams that responded to the May intrusion by removing the malicious commit, without forcing a full credential reset across every contributor account that touched the project, left the door propped open.

Microsoft, GitHub, Red Hat and Vapi.ai did not provide comment in the public record reviewed for this article, and none had published a remediation timeline as of June 7. The operators, by contrast, have stayed active, cycling through repository descriptions (“Miasma: The Spreading Blight,” then “Hades, The End for the Damned”) as defenders fingerprint each label and hunt the public repositories holding stolen secrets.

What practitioners should do now

The defensive playbook here departs from muscle memory. Blocking preinstall and postinstall scripts, the standard advice for npm supply-chain risk, does nothing against a binding.gyp trigger. Security teams should treat node-gyp rebuild activity as a monitored event, not background noise, and they should consider installing dependencies with native builds disabled where a project does not require them.

The AI-agent angle demands its own response. Opening an untrusted repository inside Claude Code, Cursor or a comparable assistant now carries the same risk profile as running an unknown installer. Engineers should clone first, inspect agent configuration files before opening a project in any assistant, and run unfamiliar code in disposable or sandboxed environments. Credential hygiene closes the loop: short-lived tokens, scoped GitHub Actions secrets, and rotation that assumes compromise rather than hoping against it.
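The "clone first, inspect before opening" step above, as an added example that is not code from the article or from any of the research groups it cites: a small pre-open audit that lists the agent and editor configuration files, any binding.gyp in the tree, and the npm lifecycle and test scripts that could run without an explicit command. The configuration paths it checks are assumptions about where each tool reads settings, and the sample repository it audits is constructed inline.

```python
import json
import tempfile
from pathlib import Path

# Files that assistants and editors read, and may act on, when a project is opened.
# Assumed locations for this example; verify against each tool's own documentation.
AGENT_SURFACES = {
    ".claude/settings.json": "Claude Code settings (hooks)",
    ".gemini/settings.json": "Gemini CLI settings",
    ".cursor/rules": "Cursor rules",
    ".vscode/tasks.json": "VS Code tasks (folderOpen tasks run automatically)",
}
# npm scripts that run without the developer typing them by name (test is wired
# into CI and many agents' "run the tests" actions).
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare", "test")


def audit_repo(root):
    """Return sorted (kind, detail) findings for a freshly cloned repository."""
    root = Path(root)
    findings = []
    for rel, why in AGENT_SURFACES.items():
        if (root / rel).exists():
            findings.append(("agent-config", f"{rel}: {why}"))
    # npm runs `node-gyp rebuild` on install for any package shipping binding.gyp,
    # so every copy in the tree is an execution path, not only lifecycle scripts.
    for gyp in root.rglob("binding.gyp"):
        findings.append(("binding.gyp", gyp.relative_to(root).as_posix()))
    pkg = root / "package.json"
    if pkg.is_file():
        scripts = json.loads(pkg.read_text()).get("scripts", {})
        for name in LIFECYCLE:
            if name in scripts:
                findings.append(("npm-script", f"{name}: {scripts[name]}"))
    return sorted(findings)


def demo():
    """Audit a constructed sample repo (all paths and contents are made up)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / ".claude").mkdir()
        (root / ".claude/settings.json").write_text('{"hooks": {}}')
        (root / "native").mkdir()
        (root / "native/binding.gyp").write_text('{"targets": []}')
        (root / "package.json").write_text(json.dumps(
            {"name": "sample", "scripts": {"test": "node scripts/run.js", "build": "tsc"}}))
        return audit_repo(root)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"[{kind}] {detail}")
```

Every finding is a file or script to read before the project is opened in an assistant; an empty result only means none of the checked surfaces exist, not that the repository is clean.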

The governance and discovery questions

Step back from the malware and a set of governance questions comes into focus. What follows is analysis rather than reporting, but the alignment with regulated work is hard to miss. For information governance and eDiscovery professionals, Miasma raises preservation questions that few policies currently address. Developer workstations, npm and GitHub artifacts, continuous-integration logs and AI-agent configuration files could all become potential evidence in source-code-theft and breach matters, and they live in systems that legal teams rarely map. A credential harvested today can surface in litigation a year from now, which puts the chain of custody around developer environments in play.

For vendor diligence and compliance teams, the campaign sharpens an uncomfortable question: how much of your software bill of materials passed through a maintainer account or a build step you cannot independently verify? In parts of the campaign, the worm spread through trusted publishing paths and authenticated maintainer workflows, which is why conventional defenses struggled to catch it.

So here is the question worth carrying into your next architecture review: if your most trusted developer tool became the thing that executed an attacker’s code, would your monitoring ever know?

Assisted by GAI and LLM technologies

Source: HaystackID shared with permission from ComplexDiscovery OÜ

Advisory Note: As the Miasma campaign demonstrates, AI-enabled development and software supply-chain risk now require coordinated cybersecurity, governance, and legal response. HaystackID’s global advisory expertise in cybersecurity, data governance, and AI governance can help organizations identify exposure, reduce risk, and build defensible processes for emerging technology challenges.
