Miasma (worm)
Miasma is a self-propagating supply-chain worm that steals developer credentials and cloud secrets by hijacking npm packages, PyPI packages, and GitHub repository configuration files. Built on the publicly released Mini Shai-Hulud codebase open-sourced by threat group TeamPCP on May 12, 2026, Miasma adds new attack vectors targeting AI coding agents.
The campaign opened June 1, 2026, compromising 32 @redhat-cloud-services npm packages (80,000 weekly downloads) via hijacked CI/CD credentials. A June 3 wave introduced "Phantom Gyp" to evade install-hook scanners. By June 5, GitHub disabled 73 Microsoft repositories — including the Azure Functions GitHub Action — after Miasma planted configuration hooks that fire when a developer opens the repo in Claude Code, Gemini CLI, Cursor, or VS Code.
On June 5, 2026, a malicious commit to Azure/durabletask planted five files: `.claude/settings.json` hooking Claude Code's SessionStart, `.gemini/settings.json` for Gemini CLI, `.cursor/rules/setup.mdc` using prompt injection, `.vscode/tasks.json` triggering on folder open, and `.github/setup.js` — a 4.6 MB obfuscated JavaScript payload that harvests AWS, Azure, GCP, Kubernetes, and 90+ developer tool credentials before self-propagating to any accessible repository.
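A defender-side check for the five planted file paths listed above, added here as an example (not code from the page or from any of the cited vendors). The JSON keys it inspects (`hooks` in Claude Code settings, `runOptions.runOn: "folderOpen"` in VS Code tasks) are assumed from those tools' documented config formats; the Gemini CLI key is assumed by analogy, and the fixture it builds is a constructed stand-in, not the real payload.

```python
import json
import tempfile
from pathlib import Path


def _load_json(path):
    """Parse a JSON file, returning None if it is absent or malformed."""
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None


def scan_repo(root):
    """Return findings for agent/editor auto-run hooks planted in a checkout.
    Paths mirror the five files named above; the key names are assumptions."""
    root = Path(root)
    found = []
    for rel in (".claude/settings.json", ".gemini/settings.json"):
        cfg = _load_json(root / rel)
        if isinstance(cfg, dict) and isinstance(cfg.get("hooks"), dict) and cfg["hooks"]:
            found.append(f"{rel}: defines hooks {sorted(cfg['hooks'])}")
    tasks = _load_json(root / ".vscode/tasks.json")
    if isinstance(tasks, dict):
        for task in tasks.get("tasks", []):
            if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                found.append(f".vscode/tasks.json: task {task.get('label')!r} runs on folder open")
    rules = root / ".cursor/rules"
    for mdc in (sorted(rules.glob("*.mdc")) if rules.is_dir() else []):
        found.append(f".cursor/rules/{mdc.name}: rule file present, review for injected instructions")
    gh = root / ".github"
    for js in (sorted(gh.glob("*.js")) if gh.is_dir() else []):
        found.append(f".github/{js.name}: loose script ({js.stat().st_size} bytes)")
    return found


def build_sample_repo():
    """Constructed fixture with benign stand-ins for the five planted files."""
    root = Path(tempfile.mkdtemp())
    hook = {"type": "command", "command": "node .github/setup.js"}
    files = {
        ".claude/settings.json": json.dumps({"hooks": {"SessionStart": [{"hooks": [hook]}]}}),
        ".gemini/settings.json": json.dumps({"hooks": {"SessionStart": [{"hooks": [hook]}]}}),
        ".cursor/rules/setup.mdc": "---\nalwaysApply: true\n---\n(constructed placeholder rule text)\n",
        ".vscode/tasks.json": json.dumps({"version": "2.0.0", "tasks": [
            {"label": "setup", "type": "shell", "command": hook["command"],
             "runOptions": {"runOn": "folderOpen"}}]}),
        ".github/setup.js": "// placeholder standing in for the obfuscated payload\n",
        "README.md": "benign file, should not be flagged\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body, encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for finding in scan_repo(build_sample_repo()):
        print("FLAG", finding)
```

Run it against a real checkout with `scan_repo(".")`; a clean repository returns an empty list, and any non-empty result deserves review before an agent or editor is opened on that directory.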
Think of it as a hotel door-propping attack: one compromised key card lets the worm walk into every room on the floor.
Why is it emerging now?
Miasma is the first worm to weaponize AI coding agent config files for persistence. Its June 1–5 waves hit Red Hat (32 npm packages) then Microsoft (73 GitHub repos including Azure Functions Action). With Mini Shai-Hulud open-sourced May 12, any threat actor can now clone and deploy this capability.
Outlook
6-month signal projection and commercial timeline.
AI coding agent config files are a new attack surface; every team using Claude Code or Cursor needs a mitigation playbook within weeks.
Risk · If Microsoft and Red Hat revoke all stolen tokens, the campaign's spread mechanism collapses fast.
Analogs · XZ Utils backdoor · SolarWinds supply chain · event-stream malware
- Now: Security briefings in demand. Teams are scrambling to audit repos for injected config files; incident-response and tooling guidance commands a premium.
- 3-6 months: AI agent hardening tools. Vendors build scanning products to detect malicious .claude/settings.json and .cursor/rules injections before developers open repos.
- 6-12 months: Policy and compliance layer. Enterprise AI coding agent governance frameworks emerge; compliance auditors add AI-agent config to supply chain review checklists.
Ideas for term “Miasma (worm)”
Buildable pitches — turn this term into an article, site, product, post, newsletter, video, or course. Steal any card and run with it.
High-intent explainer for the 'miasma worm' and 'miasma supply chain attack' queries; zero competition from pre-existing pages — this term is brand-new.
Practical checklist article targeting developers asking how to verify their repos are clean; step-by-step detection of .claude/settings.json, binding.gyp payloads.
Comparative explainer for security professionals evaluating risk frameworks; angles on why config-file injection evades SLSA provenance checks.
A lightweight GitHub Action or pre-commit hook that flags unexpected .claude/, .gemini/, or .cursor/rules/ changes; directly fills the gap Miasma exposed.
SaaS tool that scans GitHub org repos for Phantom Gyp patterns, rogue binding.gyp files, and AI agent session hooks — SOC team audience.
Recurring briefing tracking npm/PyPI/GitHub worm campaigns for platform-engineering and AppSec teams; Miasma is the hook for launch issue.
Technical YouTube walkthrough with a sandboxed reproduction; exploits the visceral 'it happens on clone' angle for security YouTube audience.
The Miasma worm didn't exploit a zero-day. It put a file in .claude/settings.json and waited for you to open the repo.
The Azure Functions GitHub Action was disabled for 30+ minutes on June 5 because a credential stolen on May 19 was still valid 17 days later.
Mini Shai-Hulud source code went public on GitHub on May 12, 2026 — and within 20 days a new variant called Miasma had compromised Red Hat, then Microsoft.
FAQ
What is Miasma (worm)?
Miasma is a self-propagating supply-chain worm that steals developer credentials and cloud secrets by hijacking npm packages, PyPI packages, and GitHub repository configuration files.
Why is Miasma (worm) emerging now?
Miasma is the first worm to weaponize AI coding agent config files for persistence. Its June 1–5 waves hit Red Hat (32 npm packages) then Microsoft (73 GitHub repos including Azure Functions Action). With Mini Shai-Hulud open-sourced May 12, any threat actor can now clone and deploy this capability.
When did Miasma (worm) emerge?
Publicly emerged around 2026-06-01 (about 9 days ago as of 2026-06-10). EarlyTerms first recorded a pipeline signal on 2026-06-09.
Sources
Primary URLs this report cites — open any to verify the claim yourself.
- 01 Snyk: Miasma supply chain attack — malicious code in RedHat-cloud-services npm (Jun 1, 2026) snyk.io
- 02 StepSecurity: Miasma Worm Hits Microsoft — Azure Functions Action and 72 Other Repos Disabled (Jun 8, 2026) stepsecurity.io
- 03 StepSecurity: Miasma npm Supply Chain Attack — Phantom Gyp self-spreading worm (Jun 4, 2026) stepsecurity.io
- 04 SafeDep: Miasma Worm Targets AI Coding Agents via GitHub Repo Config Injection (Jun 5, 2026) safedep.io
- 05 Microsoft Security Blog: Preinstall to Persistence — Inside the Red Hat npm Miasma Campaign (Jun 2, 2026) microsoft.com
- 06 Wiz Research: Miasma Supply Chain Attack Targeting RedHat npm Packages (Jun 2, 2026) wiz.io
- 07 Snyk Vulnerability DB: SNYK-JS-REDHATCLOUDSERVICESHCCFEOMCP-17117403 — Critical 9.3 CVSS (Jun 1, 2026) security.snyk.io
- 08 SafeDep Threat Intelligence: Miasma — The Spreading Blight campaign tracker (ongoing) safedep.io