Miasma proves .cursor/ and .claude/ are attack surface now

The Miasma campaign's third wave did something registries cannot see. It skipped npm entirely, pushed a single commit into source repositories, and wired .claude/, .cursor/, .gemini/, VS Code tasks, and the npm test script to detonate a 4.3 MB payload the moment a developer cloned the repo and loaded it in an AI coding assistant. No install required. The vector is the editor.

GitHub disabled 73 Microsoft repositories on June 5 in a sweep that ran in 105 seconds. Credentials were already gone.

Three waves, each bypassing the last layer of defense#

The campaign ran in distinct phases. On June 1, Microsoft's Threat Intelligence team documented 32 packages compromised under the @redhat-cloud-services npm namespace, spanning more than 90 versions. The malicious preinstall hook executed a 4.29 MB dropper automatically on npm install, harvesting GitHub, AWS, Azure, GCP, Vault, and Kubernetes credentials, then republishing poisoned packages with forged SLSA provenance.

Two days later the entry point shifted. A 157-byte binding.gyp file, the configuration npm uses to signal native C/C++ builds, triggered node-gyp rebuild automatically. Researchers dubbed this technique "Phantom Gyp." Phoenix Security counted 57 compromised packages across 286 malicious versions by end of day on June 4, including @vapi-ai/server-sdk with roughly 408,000 monthly downloads.

The third wave was different in kind. Security researchers at SafeDep examined a compromise of the icflorescu/mantine-datatable project and four related repositories. They found a commit that added no dependencies but planted a payload runner wired to five tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script. The payload fires on repo load, before any install step runs.

What "wired to fire on load" actually means#

AI coding assistants treat certain directories as session configuration. .claude/ holds Claude Code's project-level commands. .cursor/ holds Cursor rules. .gemini/ holds Gemini CLI context. VS Code tasks in .vscode/tasks.json run on folder load when configured to do so. These files are not documentation. They carry executable instructions that the editor will act on with the full permissions of the logged-in developer.

A commit that adds one of these files passes through code review looking like a config tweak. It looks like the kind of change a contributor makes to improve their own workflow. The Microsoft payload used the commit message chore: update dependencies [skip ci] with a spoofed github-actions@github.com author. Ionut-Cristian Florescu documented five of his repositories receiving identical commits within a 49-second window on the night of June 3.

The payload hunts cloud keys from AWS, GCP, and Azure, scrapes GitHub Actions secrets from runner process memory, and targets local credential stores. Stolen material routes to attacker-controlled repositories on GitHub, using double-Base64 encoding in transit.

The gap these attacks exploit#

Supply-chain defenses accumulated over the last five years concentrate almost entirely on packages: SBOMs, provenance attestations, registry scanning, --ignore-scripts. Miasma validated the investment in package-layer defenses and immediately stepped around them. The source-repository technique requires no npm interaction whatsoever. Scanning the registry finds nothing. Attestation chains are irrelevant.

Sonar's analysis of the Mini Shai-Hulud variant, the predecessor Miasma derives from, noted that AI coding agents are infrastructure now, and their configuration files are attack surface. That framing is accurate but underspecified. The surface area is executable at a different point in the development loop than most teams are used to defending , before build, before test, at the moment of edit.

What code review needs to change#

Hyrax already reads these files during scanning. The pattern difference between a legitimate .claude/ entry and a weaponized one is visible at the diff level: a legitimate project-level command references relative paths, describes narrow project context, and does not reference external URLs, credential paths, or shell execution chains. The Miasma variant referenced ~/.claude.json specifically, which the Microsoft report flagged as a target for Anthropic key theft.

Three specific changes matter immediately. Every PR that adds or modifies .claude/, .cursor/, .gemini/, .vscode/tasks.json, or MCP server registrations should route to the same review queue as .github/workflows/. These are not decoration. Second, unknown MCP server URLs in config files should fail the scan outright until explicitly allowlisted. The MCP specification creates a new executable trust boundary that most teams have not catalogued. Third, commit author verification for changes to these files should be explicit, not inherited from branch protection settings that were written before AI editor config existed.

We covered the broader question of what AI coding tools introduce into a team's review surface in what actually changes the week your team adopts an AI coding tool. The short answer was: review time climbs faster than generation rate. Miasma adds a harder version of that problem. The thing being reviewed now includes the tool's own configuration.

The attackers' next move is already visible#

The Miasma payload includes a dormant exfiltration channel pointing to api.anthropic.com:443/v1/api, marked noop: true in the current sample. The Microsoft analysis notes the same domain is used to validate stolen Anthropic keys from ~/.claude.json. A dormant channel with a live validation path is not abandoned infrastructure. It is infrastructure waiting for an operator decision.

The AI-agent trigger technique is documented, the tooling targets are named, and the source-repository delivery path bypasses the entire layer of registry-level defenses the industry built. Any team that treats .claude/ as inert project metadata is running on an assumption Miasma already proved false.

Hyrax is live at hyrax.dev.