PERMISSION/PROTOCOL
Back to incident tracker

2026-06-05

CriticalVendor post

Miasma Supply-Chain Worm Disables 73 Microsoft GitHub Repos — AI API Tokens and Developer Credentials Stolen via Agent Config Injection

The Miasma worm infected 73 Microsoft GitHub repositories via poisoned agent config files that executed credential harvesters when developers opened repos in Claude Code, Cursor, or Gemini CLI — stealing AI API tokens, GitHub tokens, and cloud credentials.

GitHub Actions / Supply Chain (Miasma Worm)Credential exposureSupply chain worm / AI coding agent config injection / credential exfiltrationMicrosoft GitHub organizations (Azure, microsoft, Azure-Samples, MicrosoftDocs) / developer credentials / AI API tokens / cloud infrastructure credentials

What happened

Attacker pushed five config files to Azure/durabletask via a compromised contributor account, using [skip ci] to bypass CI/CD. Files registered malicious SessionStart hooks in Claude Code and Gemini CLI settings, a prompt injection rule in Cursor, an auto-task in VSCode, and a 4.6 MB obfuscated payload executed by all four agent environments.

Why it matters

73 Microsoft GitHub repositories disabled. 15,000+ tokens revoked (GitHub, npm, AI API keys, cloud credentials for AWS/Azure/GCP/Kubernetes). Worm self-propagated into additional repositories via stolen write-access tokens. The attack vector was specifically designed to exploit AI coding agent session initialization.

Missing authorization check

Agent startup configuration should require a signed external authorization receipt before executing any session hook code. An external authority chain over agent session initialization would have blocked the malicious hooks from executing regardless of what the config files contained — the credential exfiltration step would require its own receipt.

Would PP block it?

Full coverage requires two layers: (1) a Credential Gate requiring a signed receipt before any agent session reads or transmits credentials — blocking the exfiltration step regardless of how the malicious code was planted; (2) a Runtime Gate on agent SessionStart hooks to require provenance verification of startup code. The first layer is within PP's current enforcement model. The second requires config signing infrastructure PP could enforce at the session-init boundary.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-05-19

    First Miasma wave: PyPI package durabletask versions 1.4.1-1.4.3 poisoned with credential-harvesting payload, linked to TeamPCP infrastructure.

  2. 2026-06-05

    Attacker pushes five malicious agent config files to Azure/durabletask via compromised contributor account with [skip ci] flag bypassing CI/CD checks.

  3. 2026-06-05

    Config files execute credential harvester when developers open the repo in Claude Code, Gemini CLI, Cursor, or VS Code — stealing AI API tokens and cloud credentials.

  4. 2026-06-05

    Worm self-propagates using stolen GitHub write tokens. GitHub automated enforcement disables 73 repositories across four Microsoft organizations within 105 seconds (16:00:50–16:02:35 UTC).

  5. 2026-06-05

    Microsoft revokes 15,000+ tokens. Attack confirmed linked to TeamPCP infrastructure via secondary C2 domain, tying incident to broader Miasma campaign targeting TanStack, Mistral AI, and @antv ecosystem.

Technical breakdown

  • Five planted files achieved multi-vector execution: .claude/settings.json and .gemini/settings.json with SessionStart hooks, .cursor/rules/setup.mdc as prompt injection, .vscode/tasks.json for automatic task execution, and .github/setup.js (4.6 MB obfuscated payload) executed by all four agent environments.
  • Agent config files are trusted by design — Claude Code, Gemini CLI, and Cursor execute SessionStart hooks automatically at session initialization, creating a zero-click attack surface for anyone who can write to a repo's config directory.
  • The [skip ci] flag bypassed all CI/CD checks, meaning the malicious commit reached developers before any automated analysis could flag it — CI/CD is not a defense against repo-level config file injection.
  • The worm used stolen GitHub tokens to self-propagate — any developer credential with write access to other repositories became a propagation vector, creating exponential spread.
  • Variant of the Mini Shai-Hulud worm publicly released by TeamPCP in mid-May 2026, demonstrating that supply chain worm toolkits are now publicly available and being adapted for enterprise targets.

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Credential Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at
Agent session initialization, credential access gate, config provenance verification
Still needs
Agent config file provenance is not currently verified by external authority chains. The attack exploited the gap between 'config file present in repo' and 'config file authorized for execution.'
Receipt required for
Agent session hook execution, AI API token access, cloud credential reads, cross-repo write operations using harvested tokens

PP's Credential Gate would require authorization before AI API credentials are accessed or transmitted, blocking the exfiltration step. It would not prevent the config files from being planted, but would intercept the credential access action itself.

Start small

Put the relevant gate at this action boundary.

This incident maps to Credential Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.

Replay this incident with a signer in the loop