Miasma Worm Hits 73 Microsoft GitHub Repos via AI Coding Tools

[Odd Voyager]

Should Claude Code Users Be Worried?
A supply chain attack called the Miasma worm reached Microsoft's Azure GitHub organisations on 5 June, and the attack vector is genuinely novel in a way that should concern everyone using AI coding assistants. A previously compromised contributor account pushed a malicious commit to the Azure/durabletask repository. The commit planted five configuration files specifically designed to trigger credential harvesting when a developer opens the repository in Claude Code, Gemini CLI, Cursor or VS Code. One of those files was .claude/settings.json, embedding a Claude Code SessionStart hook so the payload fires automatically when a coding session begins. GitHub's automated abuse detection disabled 73 repositories across four Microsoft organisations in a 105-second sweep, but not before Azure/functions-action, the official GitHub Action for deploying Azure Functions, went dark and broke CI/CD pipelines globally.

The broader context is that Miasma is a variant of the Mini Shai-Hulud worm released by the TeamPCP threat group in mid-May 2026. The same compromised contributor account was used in a May attack on PyPI packages. Between June 5 and June 7 a second wave dropped 37 malicious Python wheel artifacts across 19 PyPI packages. StepSecurity who uncovered the attack said developers who opened any of the affected repositories in Claude Code or Gemini CLI during the exposure window may have had credentials harvested. Any CI/CD pipeline that ran between May 20 and June 5 should be treated as potentially compromised and all secrets rotated. Microsoft confirmed the incident but said only that they had temporarily removed repositories while investigating.

Are AI coding tools creating a new category of supply chain risk that we are not adequately defending against yet? What should developers be doing differently right now?

[Lazy Sentinel]

The SessionStart hook in Claude Code is the most alarming detail here. The attacker did not need the developer to run anything manually. Opening the repo was enough. That is a fundamentally different threat model