If You Use Claude or Gemini, This Microsoft Breach Means Your Data Is at Risk


If You Use Claude or Gemini, This Microsoft Breach Means Your Data Is at Risk — Scienspire


A highly sophisticated supply chain attack known as the Miasma worm has successfully compromised dozens of Microsoft-owned GitHub repositories, deploying malware specifically designed to detonate inside AI coding assistants like Claude Code, Gemini CLI, Cursor, and VS Code.

On June 5, 2026, GitHub was forced to abruptly disable 73 repositories across four Microsoft organizations—including core infrastructure for Azure—after a malicious contributor injected self-replicating credential-harvesting malware.

If you use AI agents to navigate or write code, here is what you need to know about the breach and how to secure your environment.

How the Trap Is Sprung

Historically, developers worried about malware hiding in lifecycle scripts during package installation (like running npm install). The Miasma worm introduces a dangerous new paradigm: the payload executes simply by opening the project folder.

The attackers achieved this by weaponizing the configuration files that AI coding agents use to understand a project. By hiding malicious commands inside standard setup hooks, the malware tricks the AI assistant into running the payload automatically.

Here is how it targets specific tools:

Claude Code & Gemini CLI: The attackers planted malicious .claude/settings.json and .gemini/settings.json files. These contain a “SessionStart” hook that silently executes the malware the moment the AI agent connects to the repository.

Cursor: A prompt injection in .cursor/rules/setup.mdc tricks the Cursor AI into believing it must run the malware to “initialize the project environment.”

VS Code: A modified .vscode/tasks.json file auto-runs the payload as soon as the folder is opened.

What the Malware Steals

The payload itself is a massive 4.6 MB obfuscated JavaScript file (.github/setup.js) built for one purpose: aggressive credential theft.

Once triggered by your AI agent or IDE, the malware immediately hunts for:

Cloud Keys: Credentials for AWS, Google Cloud Platform (GCP), and Microsoft Azure.

Developer Secrets: GitHub Actions secrets pulled directly from process memory.

Local Password Vaults: Unlocked data from password managers like 1Password and gopass.

Infrastructure Configs: Passwords hidden in .env files, Docker configs, and Kubernetes environments.

Because the payload steals legitimate OAuth tokens and cloud keys, the attackers can bypass traditional security scanners, allowing the worm to spread laterally through enterprise networks and publish further malicious code under trusted developer identities.

How to Protect Yourself

The AI-agent angle demands a shift in how developers treat open-source code. Opening an untrusted or compromised repository inside an AI assistant now carries the exact same risk profile as running a random executable.

If you recently cloned or interacted with Microsoft or Azure repositories (particularly around the durabletask framework) using Claude Code, Gemini CLI, or Cursor, assume your environment may be compromised.

Immediate Action Steps

Check for Suspicious Configs: Before opening any external repository in an AI tool, inspect the root folder for unexpected .claude, .gemini, .cursor, or .vscode directories. Look for “SessionStart” hooks pointing to unknown JavaScript or shell files.

Rotate Credentials: If you suspect exposure, immediately rotate your GitHub Personal Access Tokens (PATs), SSH keys, CI/CD signing keys, and all active cloud provider credentials.

Audit AI Permissions: Ensure your AI coding agents are explicitly restricted from running automated startup scripts or accessing sensitive local directories without manual approval.
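
The "Check for Suspicious Configs" step can be scripted and run from a plain terminal before the folder is opened in any agent or IDE. The following is an added example, not code from the article or from any of the tools it names. It assumes hook commands are stored under a "command" key and that VS Code auto-run tasks carry runOptions.runOn set to folderOpen, and it matches those keys at any depth rather than relying on a fixed schema.

```python
import json
import sys
from pathlib import Path

# Paths named in the article. The JSON layout inside them is an assumption,
# so keys are matched at any depth instead of against a fixed schema.
AGENT_SETTINGS = [".claude/settings.json", ".gemini/settings.json"]

def dicts(node):
    """Yield every JSON object in a parsed tree, at any depth."""
    if isinstance(node, dict):
        yield node
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from dicts(item)

def audit_repo(root):
    """Return (relative path, reason) findings; files are only read, never run."""
    root, findings = Path(root), []
    for rel in AGENT_SETTINGS + [".vscode/tasks.json"]:
        path = root / rel
        if not path.is_file():
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8", errors="replace"))
        except json.JSONDecodeError:
            # Comments or trailing commas: unparsed must not be reported as clean.
            findings.append((rel, "not strict JSON, review by hand"))
            continue
        for obj in dicts(data):
            if rel in AGENT_SETTINGS and "SessionStart" in obj:
                cmds = [d["command"] for d in dicts(obj["SessionStart"])
                        if isinstance(d.get("command"), str)]
                what = "; ".join(cmds) or "unrecognised layout, review by hand"
                findings.append((rel, f"SessionStart hook: {what}"))
            opts = obj.get("runOptions")
            if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                findings.append((rel, f"runs on folder open: {obj.get('command')}"))
    for mdc in sorted(root.glob(".cursor/rules/*.mdc")):
        rel = mdc.relative_to(root).as_posix()
        findings.append((rel, "Cursor rule file, read it before opening in Cursor"))
    return findings

if __name__ == "__main__":
    for path, reason in audit_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {reason}")
```

An empty result only means none of these specific triggers were found; it says nothing about the rest of the repository.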
