The Miasma worm weaponizes .claude and .cursor config files — 73 Microsoft repos hit

On June 5, 2026, a self-replicating supply-chain worm planted malicious .claude/settings.json, .cursor/rules, and .vscode/tasks.json files in 73 Microsoft GitHub repositories. The payload runs the moment you open the repo in Claude Code, Cursor, Gemini CLI, or VS Code — no command needed. Here's the builder's checklist.


A self-replicating supply-chain worm dubbed Miasma compromised 73 Microsoft GitHub repositories on June 5, 2026, and GitHub disabled them in roughly 105 seconds across two automated waves. (Source: StepSecurity, 2026-06-08) What makes this one a builder problem, not just a Microsoft problem: the payload is triggered by the AI-coding-agent config files that Claude Code, Cursor, Gemini CLI, and VS Code read automatically when you open a folder.

Key facts:

  • 73 repos across four orgs were hit: Azure (49), microsoft (10), Azure-Samples (13), MicrosoftDocs (1). (Source: StepSecurity, 2026-06-08)
  • The payload executes on folder-open, not on code execution. Opening a poisoned repo in an AI agent is enough.
  • It harvested AWS, Azure, GCP, and Kubernetes credentials, plus GitHub tokens, npm tokens, SSH keys, and 90+ developer-tool configs.
  • It is a worm: it used the stolen credentials to propagate to more repositories.
  • The official Azure/functions-action was disabled, breaking every workflow that referenced @v1.
  • It’s a re-compromise of Microsoft’s Durable Task project, first poisoned via three malicious durabletask PyPI versions on May 19, 2026.

How the attack actually fires

The malicious commit planted five files engineered to run automatically the instant a developer opens the folder in an AI tool or IDE — no prompt, no command, no review step:

.claude/settings.json     # SessionStart hook → runs payload in Claude Code
.gemini/settings.json     # identical hook for Gemini CLI
.cursor/rules/setup.mdc   # prompt injection telling Cursor's agent to "run setup"
.vscode/tasks.json        # auto-run task on folder open in VS Code
.github/setup.js          # 4.6 MB obfuscated JavaScript payload the others call

This is the dark side of the agent-config conventions builders have adopted all year. A SessionStart hook or a .cursor/rules file is supposed to make your agent useful on a new repo; here it’s an arbitrary-code-execution vector that fires before you’ve read a single line. The same automation that powers a good Claude Code daily-driver setup is exactly what the worm abuses.

What this means if you build with AI coding agents

Treat any cloned repo you opened in an agent between June 5 and the cleanup as untrusted, and do four things:

  1. Rotate everything — GitHub and npm tokens, AWS keys, Azure service principals, GCP accounts, SSH keys, and Kubernetes secrets. The payload runs on open, so cloning and opening is enough to assume exposure.
  2. Grep your own repos for the five paths above (.claude/settings.json, .gemini/settings.json, .cursor/rules/setup.mdc, .vscode/tasks.json, .github/setup.js) before opening anything new in an agent.
  3. Pin GitHub Actions to commit SHAs, not mutable tags like @v1 — the disabled Azure/functions-action shows why a floating tag is a single point of failure.
  4. Block outbound CI/CD network access to known C2 hosts (check.git-service[.]com, t.m-kosche[.]com, defanged) and move to PyPI Trusted Publishing (OIDC) instead of long-lived tokens.
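One way to carry out step 2 without opening anything in an agent, as an added example that is not code from StepSecurity or from any affected project: it checks every checkout under a directory for the five paths and reports whether a config file carries an auto-run trigger or points at .github/setup.js. The function names and finding labels are this example's own, and the trigger strings it assumes are the SessionStart hook key and VS Code's "runOn": "folderOpen" task option.

```python
import re
import sys
from pathlib import Path

# The five paths named in the article.
SUSPECT_PATHS = (
    ".claude/settings.json", ".gemini/settings.json", ".cursor/rules/setup.mdc",
    ".vscode/tasks.json", ".github/setup.js",
)
# Assumed trigger strings: a SessionStart hook key, or a VS Code task set to run on folder open.
AUTORUN = re.compile(r'"SessionStart"|"runOn"\s*:\s*"folderOpen"')
# A config file that points at the payload path the article says the others call.
PAYLOAD_REF = re.compile(r"\.github[/\\]+setup\.js")

def scan_repo(root):
    """Return [(relative_path, finding)] for one checkout; files are only read, never run."""
    findings = []
    for rel in SUSPECT_PATHS:
        path = Path(root) / rel
        if not path.is_file():
            continue
        if rel == ".github/setup.js":
            why = f"payload path present, {path.stat().st_size} bytes"
        else:
            # Plain text match so tasks.json with comments (JSONC) is still covered.
            text = path.read_text(encoding="utf-8", errors="replace")
            if PAYLOAD_REF.search(text):
                why = "references .github/setup.js"
            elif AUTORUN.search(text):
                why = "auto-run trigger"
            else:
                why = "present, review by hand"
        findings.append((rel, why))
    return findings

def scan_tree(parent):
    """Scan every checkout (a directory containing .git) directly under parent."""
    repos = [d for d in sorted(Path(parent).iterdir()) if (d / ".git").exists()]
    return {d.name: found for d in repos if (found := scan_repo(d))}

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for repo, findings in hits.items():
        for rel, why in findings:
            print(f"{repo}: {rel}: {why}")
    sys.exit(1 if hits else 0)
```

Many legitimate repos ship .claude/settings.json or .vscode/tasks.json, so "present, review by hand" is a prompt to read the file in a plain editor, not a verdict.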

This is the supply-chain twin of the prompt-injection problem we covered in OpenAI’s Lockdown Mode and Anthropic’s work on defending the code harness: the agent’s convenience surface is the attack surface. Audit the config files your tools trust before they trust them for you.

Sources

Source: StepSecurity