Miasma Worm AI Tooling Supply Chain Risk
Microsoft temporarily disabled dozens of GitHub repositories while investigating malicious content tied to the Miasma worm campaign. TechCrunch reported that many affected projects related to Azure and developer tools used with AI coding apps. The Hacker News cited 73 disabled repositories.
For SRE teams, the important detail is not only the vendor name. It is the execution path. Researchers reported that malicious commits planted configuration files that could trigger code execution when a developer opened a repository in tools such as Claude Code, Gemini CLI, Cursor, or VS Code.
What Happened
The campaign is described as a self-replicating supply-chain attack. Instead of relying only on poisoned package releases, attackers used source repositories as the delivery point. Reports point to several execution hooks:
.claude/settings.jsonsession-start hooks.gemini/settings.jsonsession-start hooks.cursor/rules/setup.mdcprompt instructions.vscode/tasks.jsontasks using folder-open behavior- package scripts such as
npm test
That means a repository can look passive in Git but become active when opened by a trusted tool. A developer workstation or CI runner with cloud credentials is enough.
Why Operators Should Care
AI coding tools expand the trusted computing base. They read repository instructions, start sessions, execute commands, and often run near powerful credentials. Local shells may have GitHub tokens, cloud access, Kubernetes contexts, package registry tokens, and SSH agents.
If an infected repository reaches that environment, the blast radius depends on token scope and runtime isolation.
Fast Review Checks
Before opening unfamiliar repositories in an AI agent or full-trust editor, inspect executable config from a plain terminal:
find . -maxdepth 3 -type f -path './.claude/*' -o -path './.gemini/*' -o -path './.cursor/*' -o -path './.vscode/*' -o -name 'package.json'
rg -n "SessionStart|folderOpen|runOn|postinstall|preinstall|npm test|node .github|curl|wget" .claude .gemini .cursor .vscode package.json 2>/dev/null
This is only a quick tripwire for files that deserve human review before the workspace becomes trusted.
Operational Controls
Separate clone from trust. Read unknown repositories in restricted mode before launching agents, extensions, package scripts, or workspace tasks.
Treat agent and editor config as code. Require review for changes under .claude, .gemini, .cursor, .vscode, devcontainer.json, and package lifecycle scripts. Add these paths to security review rules, not just style checks.
Reduce credential exposure. Use short-lived cloud credentials, split read-only developer tokens from release tokens, and run risky research in disposable sandboxes without production access.
Log agent and editor command execution where possible. When a workstation or runner is suspected, rotate exposed credentials first, then inspect recent repository opens, task runs, and outbound network activity.
Conclusion
Miasma is a reminder that modern developer environments execute more than application code. AI agents and editors can turn small config files into command runners. Platform teams should audit those files, restrict workspace trust, and keep secrets scoped tightly enough that one bad repo does not become a production incident.
Need faster incident response for supply-chain and CI risks? Akmatori helps SRE teams detect, explain, and resolve production issues with AI agents built for operations. Akmatori runs on Gcore infrastructure for reliable global performance.