Miasma Worm Targets AI Coding Agents via GitHub Repo Config Injection

AI relevance: The Miasma worm's GitHub repo persistence arm weaponizes auto-run configuration files in Claude Code, Gemini CLI, Cursor, and VS Code — turning every clone-and-open action into a credential-harvesting event for developers who use AI coding agents on infected repos.

What happened

• Alongside the 57-package Phantom Gyp npm registry wave (June 3), the Miasma worm executed a parallel attack directly on GitHub source repositories, documented by SafeDep and The Hacker News.
• The attacker pushed commits titled chore: update dependencies [skip ci] to 120+ repos across multiple accounts, adding no dependencies but planting a 4.3 MB credential-harvester dropper.
• The attack wire-triggers execution through five separate developer-tool auto-run surfaces, all pointing at the same payload (.github/setup.js):
• Claude Code & Gemini CLI: A SessionStart hook in .claude/settings.json and .gemini/settings.json runs node .github/setup.js on every agent session open.
• Cursor: A project rule in .cursor/rules/setup.mdc with alwaysApply: true instructs the agent to execute the dropper — social-engineering the assistant into running it.
• VS Code: A runOn: "folderOpen" task in .vscode/tasks.json triggers the payload when the developer opens the folder, requiring no agent at all.
• npm test: The package.json test script is replaced with the dropper, so CI pipelines and any developer running tests also detonate it.
• Cloning is safe; opening the folder in a tool is the detonation trigger.

AI coding agent attack surface

• Targets include Microsoft Azure's durabletask repo (1,718 stars), where the attacker used a stolen PAT from a real Microsoft contributor and backdated the commit to 2020 to hide in a dormant branch.
• The icflorescu/mantine-datatable maintainer's account was suspended; his wife disclosed the incident on his behalf.
• The dropper uses a Caesar-shift-obfuscated character-code array (shift of 4) that AES-128-GCM decrypts to the Bun-based credential harvester.
• The harvester targets AWS, GCP, Azure, HashiCorp Vault, Docker, Kubernetes, GitHub Actions, npm, RubyGems, PyPI, SSH, password managers, and AI assistants.

Why it matters

• AI coding agents trust project-level config files (Claude Code hooks, Cursor rules, Gemini settings) — this attack abuses that trust model to achieve zero-click execution.
• The five-trigger approach ensures detonation whether the developer uses AI agents or plain VS Code — maximizing blast radius.
• GitHub is becoming a persistence layer for supply-chain worms, bypassing npm registry detection entirely.
• Backdated, unsigned commits from stolen identities make detection and attribution significantly harder.

What to do

• Audit recent commits across repos you clone, looking for additions of .claude/settings.json, .cursor/rules/, .gemini/settings.json, or .vscode/tasks.json with runOn: folderOpen.
• Disable auto-run hooks in AI coding agents until you've reviewed the project. Claude Code and Cursor both allow session-level confirmation before executing hooks.
• Check package.json test scripts for unexpected file execution before running tests on unfamiliar repos.
• Rotate any credentials that may have been exposed if you opened an infected repo.
• Monitor github.com for suspicious commits authored as github-actions[bot] or claude@users.noreply.github.com.

Sources

• SafeDep — Miasma Worm Targets AI Coding Agents via GitHub Repos
• The Hacker News — IronWorm and New Miasma Worm Variant Hit npm
• The Hacker News — Miasma Worm Hits 73 Microsoft GitHub Repositories
• mantine-datatable maintainer disclosure (GitHub Discussions)