cyberivy
AI Security | Supply Chain | Miasma | Coding Agents | GitHub | Developer Tools | Credential Theft

Miasma Turns Agent Configs Into a Supply-Chain Weapon

June 7, 2026

The Miasma attack shows that `.claude`, `.cursor`, `.gemini`, and editor files are no longer harmless noise. When agents execute hooks, repo configuration becomes an attack surface.

What this is about

Security firm StepSecurity reported on June 5, 2026, that the Miasma campaign had reached Microsoft-related GitHub repositories. According to the analysis, GitHub disabled 73 repositories across several Microsoft organizations after a compromised account pushed a malicious commit into an Azure repository.

The new point is the attack surface: the malware did not only target package installation. It targeted configuration files read by AI coding tools and editors when a repository is opened.

What Miasma actually does

According to StepSecurity, the described commit did not change normal source code. It added configuration and payload files. The affected triggers included hooks or rules for Claude Code, Gemini CLI, Cursor, VS Code, and an npm test script. The goal was automatic execution or prompt and workflow manipulation once developers worked with the repository.

The Next Web reported on June 6 that the pattern points to a self-spreading supply-chain campaign that steals credentials for cloud and developer platforms and can spread further using the access those credentials grant.

Why it matters

Many teams treat editor and agent configuration as background noise. That becomes dangerous when coding agents receive more power: they read repository rules, start hooks, access shells, tokens, and cloud contexts, and become a new execution path.

This affects real developer work. A project can look safe when cloned and become risky only when opened in a familiar tool. Classic package-scanning logic is no longer enough.

In plain language

It is like a toolbox where someone places a small note next to the screwdriver: "Please start this machine when the box is opened." In the past, you checked the screws. Now you must also check the notes, because smart tools can act on them.

A practical example

A developer clones an internal demo repository for a customer project. The diff shows no normal code changes, only new `.claude`, `.cursor`, and `.vscode` files. If the team ignores those files, an agent may run a script at startup that collects GitHub, npm, or cloud tokens. A better process would flag those folders in review and block agent hooks by default.
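
The review step described above, as an added example that is not from the original article or from StepSecurity: a Python check that takes a change set's paths and flags anything under the agent and editor directories the article names, plus altered npm scripts. The function names, sample paths, and `package.json` contents are constructed for illustration, and only one `package.json` (assumed to be the repository root's) is compared.

```python
import json
from pathlib import PurePosixPath

# Directories named in the article; extend for the tools your team uses.
AGENT_DIRS = {".claude", ".cursor", ".gemini", ".vscode"}

def is_agent_config(path):
    """True if any path component is an agent/editor config directory.
    Compared case-insensitively because macOS and Windows checkouts are."""
    return any(part.lower() in AGENT_DIRS for part in PurePosixPath(path).parts)

def changed_npm_scripts(old_pkg, new_pkg):
    """Return npm scripts added or altered between two package.json texts."""
    old = json.loads(old_pkg or "{}").get("scripts", {})
    new = json.loads(new_pkg or "{}").get("scripts", {})
    return {name: cmd for name, cmd in new.items() if old.get(name) != cmd}

def review_change(paths, old_pkg=None, new_pkg=None):
    """Classify a change set given its paths (e.g. from `git diff --name-only`).
    old_pkg/new_pkg are the root package.json before and after (assumption)."""
    agent = sorted(p for p in paths if is_agent_config(p))
    scripts = changed_npm_scripts(old_pkg, new_pkg) if new_pkg else {}
    ordinary = [p for p in paths if p not in agent
                and not (PurePosixPath(p).name == "package.json" and scripts)]
    return {
        "agent_config": agent,
        "npm_scripts": scripts,
        # The pattern from the article: nothing but config and triggers changed.
        "config_only": bool(agent or scripts) and not ordinary,
        "needs_review": bool(agent or scripts),
    }

# Constructed sample change set, not taken from the real incident.
SAMPLE_PATHS = [".claude/settings.json", "docs/.Cursor/rules/setup.mdc",
                ".vscode/tasks.json", "package.json"]
SAMPLE_OLD_PKG = '{"scripts": {"test": "jest"}}'
SAMPLE_NEW_PKG = '{"scripts": {"test": "node tools/check.js && jest"}}'

if __name__ == "__main__":
    report = review_change(SAMPLE_PATHS, SAMPLE_OLD_PKG, SAMPLE_NEW_PKG)
    print(json.dumps(report, indent=2))
```

In CI, a `needs_review` result can require sign-off from a designated reviewer, and `config_only` marks the case where the change touches nothing except tool configuration and triggers.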

Scope and limits

  • Public reporting is based mainly on security analyses; Microsoft's full post-incident write-up was not visible at research time.
  • Not every repository with tool configuration is malicious; context and execution behavior matter.
  • The structural lesson remains even if individual numbers are later refined: agent configuration is a supply-chain surface.

💡 In plain English

Miasma moves supply-chain attacks from the package manager into the developer workspace. What looks like tool configuration can become a startup signal for AI coding agents.

Key Takeaways

  • StepSecurity reported the Microsoft-related incident on June 5, 2026.
  • GitHub disabled 73 repositories across several Microsoft organizations, according to the report.
  • The attack targeted AI coding tools and editor configuration files.
  • Classic package scans are not enough against repository hooks like these.
  • Teams should review agent configuration as executable code.

FAQ

Why are `.claude` or `.cursor` files risky?

Because agents and editors can read them as rules or hooks. They can trigger behavior that is not visible in normal source code.

Is package scanning enough?

No. The attack can happen when a repository is opened or edited, not only when a package is installed.

What should teams check first?

Unexpected agent and editor configs, automatic hooks, commits pushed directly to main, and token access in developer environments.

Sources & Context