Security2026-06-09 · source-backed
Self-replicating "Miasma" malware hit 70+ Microsoft open-source repos, stealing credentials the instant a repo opens in an AI tool.
Story
Microsoft and GitHub disabled the repos, many of them Azure and AI developer tools, after attackers injected malware that harvests credentials the moment a repo is opened in Claude Code, Gemini CLI, or VS Code. Miasma is built on the open-sourced Mini Shai-Hulud codebase from a group called TeamPCP, with a suspected link to a May breach of Microsoft's Durable Task project. This is the supply-chain nightmare for agentic workflows specifically. The whole value of an agent is that it auto-opens repos, runs tooling, and acts without you watching each step. That's also exactly the behavior this attack weaponizes. If your agent clones and opens untrusted repos, treat every one as hostile until proven otherwise, and don't keep long-lived credentials in any environment an agent can touch.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / Earlier coverage / Tension
Warp Terminal Goes Open Source at 56,000 Stars. It's Not a Terminal Anymore.
Both cover Claude Code, Gemini CLI, GitHub, VS Code; overlapping topics (agent, agentic, claude, code); earlier Claude Code coverage from 2026-05-14.
Shared entities / Shared topic / Earlier coverage
Claude Code 2.1.166 adds fallback models, and if you run cron pipelines this is the fix you've wanted
Both cover Claude Code, GitHub, Miasma, Microsoft; overlapping topics (agent, claude, code); earlier Claude Code coverage from 2026-06-06.
The Largest npm Worm of 2026 Carries Valid Supply Chain Attestations. That's the Real Problem.
Both cover GitHub, Hulud, Mini Shai, TeamPCP; overlapping topics (attack, attacker, code); earlier GitHub coverage from 2026-05-13.
Kimi K2.5: First Open-Source Model in Top 5 IDE Rankings
Both cover Claude Code, Gemini CLI, Self, VS Code; overlapping topics (agent, claude, code); earlier Claude Code coverage from 2026-02-23.
SymJack and TrustFall: new symlink-hijack and RCE chains hit six AI coding agents.
Both cover Claude Code, Gemini CLI, Microsoft; overlapping topics (agent, attack, claude, code); earlier Claude Code coverage from 2026-06-05.
One GitHub Comment Can Steal Your API Keys From Claude Code, Gemini CLI, and Copilot
Both cover Claude Code, Gemini CLI, GitHub; overlapping topics (agent, attack, claude, code); earlier Claude Code coverage from 2026-05-24.
Your Copilot Bill Is About to Get Complicated
Both cover Claude Code, GitHub, Microsoft; overlapping topics (agent, claude, code, microsoft); earlier Claude Code coverage from 2026-04-28.
A Markdown File Got 44K Stars This Week. Skills Are the New Package Manager.
Both cover Claude Code, Gemini CLI, GitHub; overlapping topics (agent, claude, code, repo); earlier Claude Code coverage from 2026-04-25.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — June 9, 2026
- AI generated
- no
- Story unit
- 2026-06-09-self-replicating-miasma-malware-hit-70-microsoft-open-source-repos-stealing-credentials-the-inst
- Labels
- source-backed, canonical briefing excerpt