← The Wire

Security2026-06-09 · source-backed

Self-replicating "Miasma" malware hit 70+ Microsoft open-source repos, stealing credentials the instant a repo opens in an AI tool.

Confidence
source-backed
Sources
1
Redaction
passed

Story

Microsoft and GitHub disabled the repos, many of them Azure and AI developer tools, after attackers injected malware that harvests credentials the moment a repo is opened in Claude Code, Gemini CLI, or VS Code. Miasma is built on the open-sourced Mini Shai-Hulud codebase from a group called TeamPCP, with a suspected link to a May breach of Microsoft's Durable Task project. This is the supply-chain nightmare for agentic workflows specifically. The whole value of an agent is that it auto-opens repos, runs tooling, and acts without you watching each step. That's also exactly the behavior this attack weaponizes. If your agent clones and opens untrusted repos, treat every one as hostile until proven otherwise, and don't keep long-lived credentials in any environment an agent can touch.

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Shared topic / Earlier coverage / Tension

    Warp Terminal Goes Open Source at 56,000 Stars. It's Not a Terminal Anymore.

    Both cover Claude Code, Gemini CLI, GitHub, VS Code; overlapping topics (agent, agentic, claude, code); earlier Claude Code coverage from 2026-05-14.

  2. Shared entities / Shared topic / Earlier coverage

    Claude Code 2.1.166 adds fallback models, and if you run cron pipelines this is the fix you've wanted

    Both cover Claude Code, GitHub, Miasma, Microsoft; overlapping topics (agent, claude, code); earlier Claude Code coverage from 2026-06-06.

  3. The Largest npm Worm of 2026 Carries Valid Supply Chain Attestations. That's the Real Problem.

    Both cover GitHub, Hulud, Mini Shai, TeamPCP; overlapping topics (attack, attacker, code); earlier GitHub coverage from 2026-05-13.

  4. Kimi K2.5: First Open-Source Model in Top 5 IDE Rankings

    Both cover Claude Code, Gemini CLI, Self, VS Code; overlapping topics (agent, claude, code); earlier Claude Code coverage from 2026-02-23.

  5. SymJack and TrustFall: new symlink-hijack and RCE chains hit six AI coding agents.

    Both cover Claude Code, Gemini CLI, Microsoft; overlapping topics (agent, attack, claude, code); earlier Claude Code coverage from 2026-06-05.

  6. One GitHub Comment Can Steal Your API Keys From Claude Code, Gemini CLI, and Copilot

    Both cover Claude Code, Gemini CLI, GitHub; overlapping topics (agent, attack, claude, code); earlier Claude Code coverage from 2026-05-24.

  7. Your Copilot Bill Is About to Get Complicated

    Both cover Claude Code, GitHub, Microsoft; overlapping topics (agent, claude, code, microsoft); earlier Claude Code coverage from 2026-04-28.

  8. A Markdown File Got 44K Stars This Week. Skills Are the New Package Manager.

    Both cover Claude Code, Gemini CLI, GitHub; overlapping topics (agent, claude, code, repo); earlier Claude Code coverage from 2026-04-25.

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-06-09-self-replicating-miasma-malware-hit-70-microsoft-open-source-repos-stealing-credentials-the-inst
Labels
source-backed, canonical briefing excerpt