HIGH: Miasma Worm Detonates 73 Microsoft GitHub Repos in npm Supply Chain Cascade

GitHub disabled 73 repositories across four Microsoft organizations after the Miasma worm spread through 57 npm packages, including @vapi-ai/server-sdk and ai-sdk-ollama. The TeamPCP-linked variant of Mini Shai-Hulud uses a Phantom Gyp binding.gyp injection plus AI coding assistant rule files in Claude Code, Cursor, Gemini CLI, and VS Code to harvest AWS, GCP, Azure, Vault, and GitHub Actions credentials.

By Danny Mercer, CISSP — Lead Security Analyst | Jun 8, 2026

Sometimes the supply chain attack is so on the nose that the operators name the malware after a creeping plague and call the credential dump repository "The Spreading Blight." The Miasma worm earned the title. Over the weekend GitHub disabled 73 repositories across four Microsoft GitHub organizations after the self-replicating npm worm crawled out of the open source ecosystem and landed inside Azure, Azure-Samples, Microsoft, and MicrosoftDocs. If your developers installed an npm package in the last week, opened a checkout in Claude Code, Cursor, Gemini CLI, or VS Code, and have not yet rotated their cloud credentials, you are behind on this story.

Miasma is a descendant of the Mini Shai-Hulud worm that the TeamPCP crew released publicly in mid-May 2026. Researchers tracking the campaign, including Paul McCarty and the StepSecurity team, see the same wound reopening. The original May incident burned into the Azure/durabletask repository through a contributor account whose credentials were almost certainly never fully revoked. A month later, the same repository was the launchpad for the June campaign, this time with a payload that is meaningfully more vicious than its predecessor. The Microsoft Security blog confirmed the new variant on June 2, the npm waves hit on June 3, and the Microsoft GitHub fallout started cascading on June 5. By the time GitHub finished its automated takedown sweep, 73 Microsoft repositories were dark in 105 seconds, including Azure/functions-action, azure-search-openai-demo, llm-fine-tuning, the durabletask family across .NET, Go, JavaScript, and MSSQL variants, plus windows-driver-docs and homebrew-functions. CI/CD pipelines around the world broke that morning, which is the rare case where a vendor breaking your build is genuinely doing you a favor.

The technical centerpiece of the worm is a technique the researchers are calling Phantom Gyp. Instead of stashing a preinstall or postinstall script inside package.json where a halfway decent supply chain scanner would catch it, Miasma embeds a 157-byte binding.gyp file. binding.gyp is the configuration file that node-gyp uses to compile native addons during npm install. It has its own little expression language, and gyp supports a command substitution syntax of the form <!(...) that runs whatever shell command sits inside the parentheses. The malware uses that exact construct to execute its loader during the rebuild step, completely outside the npm hooks that supply chain tooling actually inspects. RubyGems has its own equivalent, and Miasma already implemented it. The RubyGems branch of the worm uses extconf.rb injection to achieve the same outcome, which strongly suggests this crew is not done expanding into other ecosystems.
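Because the command substitution lives in binding.gyp rather than in package.json, a scanner has to read the gyp file itself. The following is an added example, not code from the researchers or from any tool named in this article: it walks a dependency tree, extracts every <!(...) and <!@(...) command, and reports the ones that are not on an allowlist. The allowlist, the package names and both sample files are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Illustrative allowlist (an assumption, tune it for your tree): the include-path
# lookups that node-addon-api and nan document for binding.gyp.
ALLOWED = [re.compile(
    r'''node -[pe] \\?"require\('(node-addon-api|nan)'\)(\.\w+)?\\?"''')]

def command_expansions(text):
    """Return the shell command inside every <!(...) or <!@(...) in a gyp file."""
    found = []
    for m in re.finditer(r"<!@?\(", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:          # walk to the matching ')'
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        end = i - 1 if depth == 0 else i        # unterminated: keep the tail
        found.append(text[m.end():end].strip())
    return found

def scan_tree(root):
    """List (binding.gyp path, command) pairs that are not on the allowlist."""
    hits = []
    for gyp in Path(root).rglob("binding.gyp"):
        for cmd in command_expansions(gyp.read_text(errors="replace")):
            if not any(p.fullmatch(cmd) for p in ALLOWED):
                hits.append((gyp.relative_to(root).as_posix(), cmd))
    return sorted(hits)

# Constructed samples: a normal native addon, and a package whose binding.gyp
# exists only to run a command (a harmless echo stands in for a loader).
BENIGN = r'''{"targets": [{"target_name": "addon", "sources": ["addon.cc"],
  "include_dirs": ["<!@(node -p \"require('node-addon-api').include\")"]}]}'''
SUSPECT = '''{"targets": [{"target_name": "x", "type": "none",
  "sources": ["<!(sh -c 'echo constructed-sample')"]}]}'''

def demo():
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("native-ok", BENIGN), ("pkg-flagged", SUSPECT)):
            pkg = Path(root, "node_modules", name)
            pkg.mkdir(parents=True)
            (pkg / "binding.gyp").write_text(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, cmd in demo():
        print(f"{path}: runs `{cmd}` when node-gyp processes the file")
```

Run scan_tree against an unpacked tarball or a node_modules directory in a sandbox, before npm install is allowed to invoke node-gyp on it.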

The June 3 npm wave compromised 57 packages across more than 286 malicious versions. Two of the biggest hits had real reach. The vapi-ai server SDK clocks more than 408,000 monthly downloads and is wired into countless voice agent stacks. ai-sdk-ollama, which a lot of teams use for local model integrations, pulls in more than 120,000 monthly downloads. Smaller packages under the maintainer names jagreehal, autotel, and awaitly rounded out the list. The worm propagated by harvesting npm publishing tokens from compromised developer machines and CI runners, then mass producing new tarballs that bundled the malicious binding.gyp alongside any legitimate package contents. To defeat provenance checking, the worm forges Sigstore SLSA v1 attestations by abusing OIDC token exchange against Fulcio and submitting fake entries to Rekor. That is the kind of trick that turns the developer ecosystem's most recent generation of supply chain defenses into theater. Cryptographic provenance only works if the signing identity has not been hijacked, and Miasma hijacks signing identities for breakfast.

The payload itself is layered. The loader is a 4.3 megabyte runner that fetches the Bun runtime from the legitimate oven-sh GitHub releases page and uses it as an alternative JavaScript engine, which sidesteps any defensive instrumentation a defender might have layered onto the Node.js runtime. The main payload is roughly 668 kilobytes, built with obfuscator.io, and contains an encrypted string table of more than 2,300 entries. Static decoding requires unwinding a ROT-N Caesar cipher with rotation values that vary between 9 and 20, then unwrapping an AES-128-GCM layer whose key and initialization vector live in the binary. Reverse engineers had a long weekend.

What makes this campaign especially nasty is the deliberate targeting of AI coding assistants. The worm does not just steal whatever credentials it can grab on first execution. It also plants persistent backdoor files designed to fire every time a developer opens the project in an AI-assisted IDE. Claude Code reads a .claude/setup.mjs file. Cursor reads .cursor/rules/setup.mdc. VS Code reads a .vscode/tasks.json with a runOn value of folderOpen. Gemini CLI has its own .gemini directory. Every one of those is a foothold that survives a clean clone, because the malicious files are part of the repository contents that the AI tools intentionally execute as part of their integration model. Once those rules files are in place, the attacker can manipulate the agent's code suggestions, exfiltrate workspace contents, or simply re-detonate the credential collector whenever the developer opens the folder again. The AI coding rush has handed adversaries a brand new persistence surface, and Miasma is the first widely observed worm to industrialize the abuse.

The credential collection menu reads like a modern cloud security nightmare. The worm specifically targets AWS access keys, session tokens, and instance metadata service endpoints. GCP service accounts, Azure tokens, and HashiCorp Vault tokens are all in scope. When the worm runs inside a GitHub Actions runner, it extracts masked secrets directly from runner memory, defeating the whole point of the masking layer. Locally, it pulls credentials out of 1Password CLI sessions, gopass, and the pass UNIX password manager. Anything it finds gets bundled into encrypted JSON, then uploaded to one of more than 200 programmatically created repositories under a throwaway GitHub account named liuende501. The exfiltration repos carry intentionally menacing descriptions, with 82 instances of "Miasma: The Spreading Blight" and another 13 labeled "Hades, The End for the Damned." The command and control beacons piggyback on GitHub commit search by using a unique keyword called thebeautifulmarchoftime. The crew is clearly enjoying themselves, which is its own kind of warning.

For defenders, the hunt starts in package metadata. Look for binding.gyp files with SHA-256 of ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90 across known affected versions, plus oversized root index.js files in the four to five megabyte range that do not match the declared package entry point. Audit your developer workstations and CI runners for unexpected downloads of the Bun runtime from the oven-sh release URL, particularly anywhere Node is the declared toolchain. Pull every clone made by your team since June 1 and grep for .claude, .cursor, .gemini, and .vscode directories that contain setup scripts or tasks with folderOpen triggers. Anything that matches needs the project quarantined and the developer's credentials rotated. If your team uses any of the named affected packages, treat the cloud credentials that touched those projects as burned and rotate them at the source. AWS access keys, IAM roles tied to development accounts, GitHub fine-grained tokens, npm publish tokens, Azure service principals, and any Vault tokens used during the window all need fresh issuance and the old values revoked.
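The repository-level part of that hunt can be scripted. This added example (not from the article's sources) triages one checkout for the AI assistant files named above, for VS Code tasks with a folderOpen trigger, and for a binding.gyp matching the published SHA-256. The function names and the demo checkout are constructed, and because the article names only the .gemini directory, every file inside it is listed for review.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Indicators quoted from the article text above.
GYP_SHA256 = "ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90"
AGENT_FILES = (".claude/setup.mjs", ".cursor/rules/setup.mdc")

def folder_open_tasks(tasks_file):
    """Labels of VS Code tasks configured to run when the folder is opened."""
    try:
        doc = json.loads(Path(tasks_file).read_text(errors="replace"))
    except ValueError:                  # e.g. tasks.json written with comments
        return ["<unparseable, review by hand>"]
    tasks = doc.get("tasks", []) if isinstance(doc, dict) else []
    return [t.get("label", "<unlabelled>") for t in tasks
            if isinstance(t, dict) and isinstance(t.get("runOptions"), dict)
            and t["runOptions"].get("runOn") == "folderOpen"]

def triage(repo):
    """Return (kind, detail) findings for one checkout."""
    repo, out = Path(repo), []
    gem = repo / ".gemini"              # the article names only the directory
    out += [("agent-file", rel) for rel in AGENT_FILES if (repo / rel).is_file()]
    out += [("agent-file", p.relative_to(repo).as_posix())
            for p in (sorted(gem.rglob("*")) if gem.is_dir() else []) if p.is_file()]
    tasks_file = repo / ".vscode" / "tasks.json"
    if tasks_file.is_file():
        out += [("vscode-folderOpen", t) for t in folder_open_tasks(tasks_file)]
    out += [("known-binding.gyp", g.relative_to(repo).as_posix())
            for g in sorted(repo.rglob("binding.gyp"))
            if hashlib.sha256(g.read_bytes()).hexdigest() == GYP_SHA256]
    return out

def demo():  # constructed checkout: placeholder files only, no real sample
    tasks = {"version": "2.0.0", "tasks": [
        {"label": "build", "type": "shell", "command": "make"},
        {"label": "setup", "type": "shell", "command": "true",
         "runOptions": {"runOn": "folderOpen"}}]}
    files = {".claude/setup.mjs": "// constructed placeholder\n",
             ".gemini/placeholder.md": "constructed\n",
             "binding.gyp": '{"targets": []}\n',
             ".vscode/tasks.json": json.dumps(tasks)}
    with tempfile.TemporaryDirectory() as d:
        for rel, body in files.items():
            Path(d, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(d, rel).write_text(body)
        return triage(d)
```

A finding here is a prompt for review, not a verdict: legitimate projects also ship assistant rule files and folderOpen tasks, so compare each hit against the repository history before quarantining.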

The harder mitigation is structural. Provenance attestation alone is no longer sufficient if the worm can forge Sigstore signatures, so the new bar is independent verification of who published a version and whether that publishing event matches the maintainer's expected behavior. Pinning dependencies by hash rather than by version range stops the auto pull of a brand new malicious patch release. Limiting npm install to a hardened, networkless build container blunts the credential theft even when a malicious package slips through. Stopping Claude Code, Cursor, Gemini CLI, and VS Code from auto-running setup scripts in cloned repos closes the AI persistence surface entirely, although it also breaks some legitimate workflows. Microsoft's update to VS Code adding a two-hour delay on extension auto updates is a reaction to exactly this kind of campaign, and it is worth turning on across your fleet.

For MSPs and managed security providers, the conversation with developer-heavy clients writes itself this week. Anyone with a Node, Python, or Ruby development team needs an emergency review of which packages were installed across June 1 through June 7, which CI pipelines ran during that window, and whether any cloud credentials referenced in those pipelines have been rotated since. There is real billable work here in supply chain monitoring tooling deployment, dependency hash pinning rollouts, hardened CI image design, and credential rotation campaigns. Clients who have been resistant to dev environment hardening pitches will listen now, because Microsoft is the demonstration that nobody is too well staffed to fall to this. There is also a sharp content marketing angle in a short customer brief that explains why provenance attestation is not enough and what the next generation of supply chain defense actually looks like. The market for AI assistant security posture is brand new and Miasma is the inciting incident.

The strategic takeaway is one that the industry has been quietly dreading. Worms that target the developer toolchain rather than the production endpoint are far more efficient than traditional malware because every developer machine touches dozens of cloud accounts and hundreds of code repositories. Add AI coding assistants that intentionally execute repository content as part of their normal operation and the blast radius gets larger still. The Mini Shai-Hulud release in May was a proof of concept. Miasma is the operational version. Whatever comes next will be faster, quieter, and harder to clean up. The defensive posture that survives this generation is the one that treats every cloud credential as ephemeral, every dependency as adversarial until proven otherwise, and every AI agent as a privileged code execution context with corresponding monitoring requirements. Microsoft losing 73 repositories in 105 seconds is the cheap lesson. Skip it at your peril.
