AI Coding Tools as Attack Vectors: Has the Miasma Worm Changed How You Work

[DiamondDallas_X]

The Miasma worm campaign that hit 73 Microsoft GitHub repositories on 5 June was not a typical supply chain attack and the community has not fully processed what makes it different. Previous supply chain attacks poisoned package registries, npm packages, PyPI wheels, the usual vectors. Miasma's third wave did something architecturally novel: it planted configuration files that trigger automatic credential harvesting when a developer opens a repository in an AI coding tool. The .claude/settings.json file embedded a Claude Code SessionStart hook. Similar files targeted Gemini CLI, Cursor and VS Code. The attack was not about what code gets installed. It was about what happens the moment an AI coding assistant boots up in a compromised directory.

This represents a meaningful shift in threat model for anyone using agentic coding tools. Claude Code, Gemini CLI and similar tools request broad permissions to read directories, execute commands, manage files and interact with APIs. That is what makes them useful. It is also exactly what makes a SessionStart hook so effective as an attack vector. The attacker does not need the developer to run anything. They need the developer to open the repository. TeamPCP, the group behind Miasma, has now hit TanStack via npm, Mistral AI's packages, the antv ecosystem with 639 compromised versions, and now Microsoft's Azure GitHub organisations. The campaign has infected over 113 repositories across dozens of accounts according to StepSecurity. This is a sustained, sophisticated, and evolving threat.

Have you changed how you use AI coding tools since this came out? What does secure use of agentic coding assistants actually look like in practice?