NEWS · JUNE 9, 2026 · 5 MIN READ

Miasma: AI Coding Agents Are Now the Supply Chain Attack Surface

The Miasma worm hit 73 Microsoft GitHub repos in 105 seconds by exploiting Claude Code, Cursor, and Gemini CLI as execution vectors, not npm install.


GitHub disabled 73 Microsoft repositories in 105 seconds on June 5, 2026, after the Miasma worm spread across Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations. The entry vector was not a dependency install or a phishing link. It was a developer loading a trusted repository in an IDE where an AI coding agent had filesystem and credential access by default. The attack surface has moved.

What Miasma Actually Does

The campaign began June 1, 2026, when researchers at Wiz and concurrent firms identified malicious code in at least 32 packages under the @redhat-cloud-services npm namespace, reaching an estimated 80,000 weekly downloads. Red Hat disclosed the incident as RHSB-2026-006 the same day.

The initial compromise stemmed from a single Red Hat employee's GitHub account. Credentials for that account had appeared in commercial infostealer logs as early as April 13, 2026, nearly seven weeks before the attack. Attackers used that account to push orphan commits into the RedHatInsights/javascript-clients CI/CD pipeline, abusing GitHub Actions' OpenID Connect trusted-publishing mechanism to mint valid, short-lived npm tokens and publish backdoored packages bearing forged SLSA provenance attestations.

The payload itself is a 4.29 MB dropper concealed under four sequential obfuscation layers: ROT-based character-code decoding, AES-128-GCM decryption, obfuscator.io string-array protection, and a custom PBKDF2-HMAC-SHA-256 cipher with 200,000 iterations. It downloads the Bun JavaScript runtime and stages a second execution phase. The resulting process chain, node → shell → bun → payload, was designed to fall outside Node.js-focused monitoring and evade endpoint detection rules written against standard npm attack patterns. Before executing sensitive operations, the payload actively probes for CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner.
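The process chain described above is something a detection team can check for in process-start telemetry, independent of how the payload is obfuscated. The following is an added example, not code from the article or from any EDR product: it assumes events have already been normalized to a pid/ppid/exe/cmd shape (the sample events are constructed) and walks each process's ancestry looking for bun launched by a shell that was itself launched by node.

```python
"""Flag the node -> shell -> bun ancestry over normalized process-start events.

Added example; the event shape and the sample events below are constructed,
not taken from the article or from any vendor's telemetry format.
"""
import json
import os

SHELLS = {"sh", "bash", "zsh", "dash"}

# Constructed sample events. The first chain mirrors the dropper behaviour the
# article describes; the second is a developer running bun from their own shell.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "exe": "/usr/bin/node",          "cmd": "node scripts/postinstall.js"},
    {"pid": 101, "ppid": 100, "exe": "/bin/sh",                "cmd": "sh -c ..."},
    {"pid": 102, "ppid": 101, "exe": "/root/.bun/bin/bun",     "cmd": "bun run .claude/"},
    {"pid": 200, "ppid": 1,   "exe": "/bin/zsh",               "cmd": "zsh"},
    {"pid": 201, "ppid": 200, "exe": "/home/dev/.bun/bin/bun", "cmd": "bun test"},
]


def build_table(events):
    """Index events by pid so parents can be looked up in O(1)."""
    return {e["pid"]: e for e in events}


def ancestry(procs, pid):
    """Executable basenames from the process up to the root, nearest first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:      # seen-guard against cyclic pid reuse
        seen.add(pid)
        chain.append(os.path.basename(procs[pid]["exe"]))
        pid = procs[pid]["ppid"]
    return chain


def is_suspicious_chain(chain):
    """True when bun's parent is a shell and the shell's parent is node."""
    return (len(chain) >= 3 and chain[0] == "bun"
            and chain[1] in SHELLS and chain[2] == "node")


def find_suspicious(events):
    """Return one finding per process whose ancestry matches the chain."""
    procs = build_table(events)
    hits = []
    for e in events:
        chain = ancestry(procs, e["pid"])
        if is_suspicious_chain(chain):
            hits.append({"pid": e["pid"],
                         "chain": " -> ".join(reversed(chain)),
                         "cmd": e["cmd"]})
    return hits


if __name__ == "__main__":
    print(json.dumps(find_suspicious(SAMPLE_EVENTS), indent=2))
```

The rule matches on ancestry rather than on the immediate parent alone, so a developer who runs bun from an interactive shell (pid 201 above) is not flagged; only the node-spawned shell that spawns bun is.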

The AI Coding Agent Vector

Three days after the June 1 Red Hat compromise, a second wave targeted @vapi-ai/server-sdk (71,000 weekly downloads), ai-sdk-ollama (31,000 weekly downloads), and 55 other packages, with 647,204 total monthly downloads in scope. First infection in that wave was confirmed at 02:46:12 +0800 on June 4, 2026.

By June 5, researchers at SafeDep had documented Miasma planting payloads that fire when a developer loads an affected project in Claude Code, Cursor, Gemini CLI, or VS Code. This is the part the standard supply chain narrative misses. The worm does not wait for an install command. It uses the agent's ambient access (filesystem, credentials, network) as its execution context.

The payload installs to a path beginning with .claude/, deliberately coinciding with the directory associated with Claude Code. The second stage runs via bun run .claude/. A developer or security scanner looking at that path would see what looks like expected AI assistant state. The credential scope is comprehensive: GitHub tokens, npm tokens, AWS IAM credentials via IMDS, Azure IMDS OAuth2 tokens, GCP service-account tokens, HashiCorp Vault, Kubernetes service-account tokens, SSH keys, browser credentials, and Anthropic API keys read from ~/.claude.json.

One exfiltration channel targets api.anthropic.com:443/v1/api in dormant form, flagged noop: true in the captured sample. The same domain validates stolen Anthropic keys. That channel is swappable.

The Unscoped Access Problem

Every AI coding agent running today has standing access to whatever the developer can touch. No time limit. No task scope. No automatic credential isolation. When a developer loads a repository, the agent can read environment variables, traverse the filesystem, and make network calls. That is not a bug in Claude Code or Cursor. It is the design assumption that made these tools fast to adopt.

Miasma is the first worm that exploits that assumption at scale. The attack surface it found is not a CVE. It is the default permission model of every AI assistant running in a development environment.

Three things in particular deserve immediate attention from any team running these tools.

  1. What credentials sit in or adjacent to the agent's working directory, including .env files, ~/.npmrc, cloud CLI credential paths, and SSH keys.
  2. What auto-executes when a repository is cloned or loaded, specifically MCP server configurations, preinstall hooks, and agent instruction files like CLAUDE.md or agent.md.
  3. Whether the current code review process would catch a malicious agent config or hook arriving in an incoming pull request, because those files carry the same execution privileges as application code.
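The first two items, plus the inventory of agent config files the third item asks reviewers to look at, can be turned into a script run against a checkout before an agent is pointed at it. The following is an added example, not Hyrax code or any vendor tool: it assumes the commonly documented config locations for Claude Code (.claude/, .mcp.json, CLAUDE.md), Cursor (.cursor/mcp.json), npm (package.json lifecycle scripts, binding.gyp) and VS Code (.vscode/tasks.json with runOn: folderOpen), and it builds a constructed sample checkout and home directory so it runs offline. The path lists are a starting point, not a complete inventory.

```python
"""Audit a checkout for the three items above: credentials the agent can reach,
files that auto-execute on clone/install/open, and agent config files that read
like docs but carry execution semantics. Added example (not Hyrax or any vendor
tool); the config locations are the commonly documented ones for Claude Code,
Cursor, npm and VS Code, and the lists are a starting point, not an inventory."""
import json
import tempfile
from pathlib import Path

# Credential material the article names, relative to $HOME.
HOME_SECRETS = [".npmrc", ".claude.json", ".vault-token", ".aws/credentials",
                ".azure", ".config/gcloud", ".kube/config"]
# package.json scripts npm runs without the developer asking for them.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
# Agent instruction/config files that deserve code-review scrutiny.
AGENT_FILES = ["CLAUDE.md", "agent.md", "AGENTS.md", ".mcp.json",
               ".claude/settings.json", ".cursor/mcp.json"]


def find_credentials(repo: Path, home: Path) -> list:
    """Item 1: secrets in or adjacent to the agent's working directory."""
    hits = [p for p in repo.rglob(".env*") if p.is_file()]
    hits += [home / rel for rel in HOME_SECRETS if (home / rel).exists()]
    hits += sorted(home.glob(".ssh/id_*"))
    return hits


def load_json(path: Path) -> dict:
    try:
        data = json.loads(path.read_text())
        return data if isinstance(data, dict) else {}
    except ValueError:      # JSONC comments or malformed content: still report the file
        return {}


def find_autoexec(repo: Path) -> list:
    """Items 2 and 3: what runs on clone/install/open, and agent configs to review."""
    hits = []
    pkg = repo / "package.json"
    if pkg.is_file():
        scripts = load_json(pkg).get("scripts", {})
        hits += [(pkg, f"lifecycle script {n}: {scripts[n]}") for n in LIFECYCLE if n in scripts]
    if (repo / "binding.gyp").is_file():   # node-gyp builds at install time, outside postinstall
        hits.append((repo / "binding.gyp", "native build at install time"))
    tasks = repo / ".vscode" / "tasks.json"
    for t in (load_json(tasks).get("tasks", []) if tasks.is_file() else []):
        if t.get("runOptions", {}).get("runOn") == "folderOpen":
            hits.append((tasks, f"VS Code task runs on folder open: {t.get('label')}"))
    for rel in AGENT_FILES:
        p = repo / rel
        if not p.is_file():
            continue
        data = load_json(p) if p.suffix == ".json" else {}
        for name, spec in data.get("mcpServers", {}).items():   # started when the agent loads
            hits.append((p, f"MCP server {name}: {spec.get('command')} {' '.join(spec.get('args', []))}"))
        if data.get("hooks"):
            hits.append((p, "agent hooks configured"))
        if not data.get("mcpServers") and not data.get("hooks"):
            hits.append((p, "agent instruction/config file: review like code"))
    # Anything else under .claude/ is where Miasma staged its second stage.
    claude_dir = repo / ".claude"
    if claude_dir.is_dir():
        hits += [(p, "unexpected file under .claude/") for p in claude_dir.rglob("*")
                 if p.is_file() and p.name not in ("settings.json", "settings.local.json")]
    return hits


def audit(repo: Path, home: Path) -> dict:
    return {"credentials": [str(p) for p in find_credentials(repo, home)],
            "autoexec": [f"{p}: {why}" for p, why in find_autoexec(repo)]}


def demo() -> dict:
    """Constructed sample checkout and home directory (not real data)."""
    root = Path(tempfile.mkdtemp())
    repo, home = root / "repo", root / "home"
    files = {
        repo / ".env": "API_TOKEN=constructed-sample\n",
        repo / "package.json": json.dumps({"scripts": {"postinstall": "node setup.js", "test": "jest"}}),
        repo / "binding.gyp": "{}",
        repo / "CLAUDE.md": "# Project notes\n",
        repo / ".mcp.json": json.dumps({"mcpServers": {"helper": {"command": "npx", "args": ["helper-server"]}}}),
        repo / ".claude" / "stage2.js": "// placeholder file, not a payload\n",
        home / ".npmrc": "//registry.npmjs.org/:_authToken=constructed\n",
        home / ".claude.json": "{}",
        home / ".ssh" / "id_ed25519": "constructed, not a real key\n",
    }
    for path, body in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return audit(repo, home)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it with the real paths (`audit(Path("."), Path.home())`) from a clean shell before opening a checkout in an agent; every line under "autoexec" is something that will run or be read without a further prompt, and every line under "credentials" is something an agent with default access can read.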

What Code Review Misses

Agent configuration files committed to repositories are not reviewed with the same scrutiny as application logic. They read like documentation. An agent.md that instructs Claude Code to run a shell command on project startup, or an MCP server config that phones home during initialization, would pass most human reviews without comment.

Hyrax flags these patterns in its scan output, because an unreviewed agent config with filesystem access is functionally equivalent to an unreviewed .env file, except that it executes. The Miasma payload exploited exactly this gap. It hid in paths that AI tooling was expected to use. It committed changes with chore: update dependencies [skip ci] using a spoofed github-actions@github.com identity. It spread through 118 GitHub repositories before the June 5 takedown.
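The spoofed bot identity and the [skip ci] marker are both visible in git history, so a reviewer can triage a branch for them before reading the diff. The following is an added example, not Hyrax code: it parses `git log` output in a unit-separator format, treats a commit that claims the GitHub Actions identity without a verified signature (`%G?` not `G`) as worth opening, and also flags [skip ci] subjects and identities outside an allowlist. The allowlist and the sample log are constructed; whether unsigned Actions-identity commits are normal in a given repository is a per-repo decision, so read the output as a triage list rather than a verdict.

```python
"""Triage commits for the identity-spoofing pattern described above.

Added example, not Hyrax code. BOT_EMAILS are the identities GitHub uses for
Actions-made commits (anyone can set them locally); ALLOWED and SAMPLE_ROWS
are constructed for this demo."""
import subprocess
from dataclasses import dataclass

# git log format: hash, author email, committer email, signature status (%G?), subject,
# separated by the ASCII unit separator so subjects containing spaces parse cleanly.
LOG_FORMAT = "%H%x1f%ae%x1f%ce%x1f%G?%x1f%s"
SEP = "\x1f"

BOT_EMAILS = {"github-actions@github.com",
              "41898282+github-actions[bot]@users.noreply.github.com"}
ALLOWED = {"dev@example.com", "maintainer@example.com"}   # constructed allowlist


@dataclass
class Commit:
    sha: str
    author: str
    committer: str
    sig: str        # G=good signature, N=none, B=bad, U/X/Y/R/E per git-log(1)
    subject: str


def parse_log(text: str) -> list:
    """Turn LOG_FORMAT output into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author, committer, sig, subject = line.split(SEP, 4)
        commits.append(Commit(sha, author, committer, sig, subject))
    return commits


def triage(commits: list) -> list:
    """Return (sha, reasons) for commits a reviewer should open before merging."""
    findings = []
    for c in commits:
        reasons = []
        if ({c.author, c.committer} & BOT_EMAILS) and c.sig != "G":
            reasons.append("claims GitHub Actions identity but signature is not verified")
        if "[skip ci]" in c.subject.lower():
            reasons.append("[skip ci] suppresses the checks that would inspect it")
        for who in {c.author, c.committer}:
            if who not in ALLOWED and who not in BOT_EMAILS:
                reasons.append(f"identity not in allowlist: {who}")
        if reasons:
            findings.append((c.sha, reasons))
    return findings


def git_log(repo: str, n: int = 50) -> list:
    """Read the last n commits from a real checkout (needs git on PATH)."""
    out = subprocess.run(["git", "-C", repo, "log", f"-n{n}", f"--format={LOG_FORMAT}"],
                         capture_output=True, text=True, check=True).stdout
    return parse_log(out)


# Constructed sample history: one human commit, one spoofed bot commit with
# [skip ci], one genuinely signed bot commit, one unknown identity.
SAMPLE_ROWS = [
    ("a1a1a1", "dev@example.com", "dev@example.com", "G", "feat: add log parser"),
    ("b2b2b2", "github-actions@github.com", "github-actions@github.com", "N",
     "chore: update dependencies [skip ci]"),
    ("c3c3c3", "41898282+github-actions[bot]@users.noreply.github.com",
     "41898282+github-actions[bot]@users.noreply.github.com", "G", "chore: bump version"),
    ("d4d4d4", "someone@outside.example", "someone@outside.example", "N", "fix: typo"),
]
SAMPLE_LOG = "\n".join(SEP.join(row) for row in SAMPLE_ROWS)


if __name__ == "__main__":
    for sha, reasons in triage(parse_log(SAMPLE_LOG)):
        print(sha, *reasons, sep="\n  ")
```

The signed bot commit (c3c3c3) passes because the signature status is what distinguishes a commit GitHub made from one a local git client merely labelled; the spoofed commit trips two rules at once, which is the combination the article describes.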

For a closer look at how Hyrax approaches the six agent domains that include security and ops, the architecture is covered in the audit walkthrough.

What Comes Next

The Miasma wave is not a one-time event. The second wave bypassed postinstall monitoring via binding.gyp, demonstrating active adaptation to defensive measures. The threat actor group TeamPCP has operated under at least four aliases and ran three connected campaigns in roughly five weeks between late April and late May 2026. The codebase is publicly released, meaning copycat actors can replicate it without attribution.

Supply chain attacks have historically targeted the package registry. Miasma targets the developer's machine, specifically the most privileged process on that machine: the AI coding agent. The registry-level defenses built over the last five years are largely irrelevant to that vector. The audit discipline, review culture, and access scoping that come next will need to be built differently.

Hyrax is live at hyrax.dev.
