# Miasma Worm Targets AI Coding Tools: What Developers Must Do

> Source: <https://byteiota.com/miasma-worm-targets-ai-coding-tools-what-developers-must-do/>
> Published: 2026-06-29 22:08:41+00:00

A self-replicating worm called Miasma has turned AI coding tools into attack vectors — and it fires the moment you open a repository, not when you run code. The worm, attributed to threat actor TeamPCP, injects itself into the `SessionStart` hooks of 13 AI coding tools including Claude Code, GitHub Copilot, Gemini CLI, and Cursor. On June 5, it hit Microsoft directly: GitHub disabled 73 repositories across four Azure organizations after a compromised contributor account pushed a malicious commit. The official GitHub Action for deploying Azure Functions went dark, breaking CI/CD pipelines globally. This isn’t theoretical. It spreads on its own, and your `.claude/settings.json` is the door it walks through.

## The Hook Is the Weapon

AI coding tools run hook commands at lifecycle events. `SessionStart` is the most dangerous: it fires automatically every time you open a new session in a project folder. Miasma injects a malicious `hooks.SessionStart` entry into `.claude/settings.json`, `.gemini/settings.json`, and `.vscode/tasks.json`. The hook calls a payload runner planted in the repository. It executes silently in the background — no prompt, no warning, no visible sign.

This is the exact same trust model as npm’s `postinstall` scripts. The security community spent years training developers to audit those. Now the equivalent attack surface lives in the configuration files of their AI assistants, and almost nobody is auditing those yet.

For tools that use natural language instruction files — `.cursorrules`, `.windsurfrules`, Copilot’s instruction file — Miasma skips the technical hook entirely. It appends plain-English instructions to those files that the AI model reads and follows. That’s prompt injection at the filesystem level, and it’s harder to detect precisely because it looks like normal configuration text.

## What Miasma Takes

Once executing, the payload reads credentials from the local filesystem, cloud provider APIs, process memory via `/proc/mem`, and password managers. GitHub tokens, npm and PyPI publish credentials, AWS keys, SSH private keys, CI/CD tokens — all of it. From one compromised developer machine, the worm propagates outward: it publishes poisoned versions of packages under the harvested credentials, injects itself into source repositories on the machine, and spreads laterally to SSH hosts, AWS EC2 instances via SSM, and JFrog Artifactory.

The part most developers won’t expect: Miasma carries a dead-man switch. If you revoke your tokens before isolating the affected machine from the network, it wipes the machine. Rotate credentials second. Isolate first.

## It’s Already in the Wild, and Anyone Can Build One

The broader concern isn’t just this campaign. TeamPCP [open-sourced the Mini Shai-Hulud toolkit](https://www.ossprey.com/blog/miasma-anatomy-of-an-open-source-supply-chain-worm) — the framework Miasma is built on — on May 12. The barrier to running a structurally identical campaign is now near zero. What we’re seeing with Miasma is likely the first of many AI-coding-tool-targeted supply chain attacks built on that foundation.

The Hades variant, which [hit PyPI on June 7](https://thehackernews.com/2026/06/hades-pypi-attack-19-packages-poisoned.html), extends the same pattern to Python: malicious `.pth` startup hooks execute a credential stealer before you’ve imported a single line. Python processes `.pth` files on interpreter startup. That means the attack runs before your code does, on every Python invocation, after any `pip install` of a poisoned package.
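To see which `.pth` lines an interpreter would actually execute at startup, the added example below (not code from the article or from any vendor it cites) applies the same rule Python's `site` module uses: only lines beginning with `import` followed by a space or tab are executed. The file names and contents in `demo()` are constructed sample data.

```python
import site
import tempfile
from pathlib import Path


def executable_pth_lines(site_dir):
    """Return (file, line_no, text) for each .pth line site.py would exec()."""
    hits = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        try:
            lines = pth.read_text(encoding="utf-8", errors="replace").splitlines()
        except OSError:
            continue
        for no, line in enumerate(lines, 1):
            # site.py executes a line only when it starts with "import"
            # followed by a space or tab; other lines are sys.path entries.
            if line.startswith(("import ", "import\t")):
                hits.append((pth.name, no, line.strip()))
    return hits


def scan_interpreter():
    """Audit every site directory of the interpreter running this script."""
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    return {d: executable_pth_lines(d) for d in dirs if Path(d).is_dir()}


def demo():
    """Run the check over a constructed site directory (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Ordinary .pth file: a comment and a path entry, nothing executed.
        (d / "paths.pth").write_text("# comment\n../vendored\n")
        # Constructed stand-in for a startup hook: an import line is code.
        (d / "zz_startup.pth").write_text("import os; os.environ.get('HOME')\n")
        return executable_pth_lines(d)


if __name__ == "__main__":
    for directory, found in scan_interpreter().items():
        for name, no, text in found:
            print(f"{directory}/{name}:{no}: {text}")
```

Legitimate packages also ship `import` lines in `.pth` files (setuptools' `distutils-precedence.pth` is one), so treat the output as a review list rather than a verdict.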

[The Microsoft incident](https://thehackernews.com/2026/06/miasma-worm-hits-73-microsoft-github.html) is the clearest illustration of the blast radius. GitHub’s automated systems disabled 73 Microsoft repositories in 105 seconds — fast response, but not fast enough to prevent some teams from pulling the poisoned commit. Azure/functions-action, used by thousands of CI/CD pipelines daily, went offline. As of June 16, over 1,700 throwaway repos used to store stolen credentials remained live on GitHub.

## What You Should Do Right Now

If you cloned any repository linked to the Microsoft Azure GitHub organizations between June 1 and June 7, or installed npm packages from the `@redhat-cloud-services` namespace during that window, treat your machine as potentially compromised.

- **Isolate first.** Disconnect from the network before revoking any credentials. The dead-man switch fires on token revocation, not on isolation.
- **Audit AI tool config files.** Check `~/.claude/settings.json`, `.vscode/tasks.json`, `.github/workflows/`, and `.github/setup.js` for any `hooks.SessionStart` entries or shell commands you did not put there. Look for persistence files named `kitty-monitor` or `gh-token-monitor`.
- **Check instruction files for prompt injection.** Review `.cursorrules`, `.windsurfrules`, and any Copilot instruction files for appended instructions that do not match what you wrote.
- **Kill package lifecycle hooks going forward.** Use `npm install --ignore-scripts` as default, especially in unfamiliar repos.
- **Rotate credentials after isolation.** GitHub, npm, PyPI, AWS, and CI/CD tokens — all of them.
- **Scan with Dev Machine Guard.** [StepSecurity’s Dev Machine Guard](https://github.com/step-security/dev-machine-guard) scans for Miasma and Hades artifacts with detection rules maintained and updated by their research team.

Going forward: review `.claude/settings.json`, `.cursorrules`, and equivalent files before opening any cloned repository in an AI coding tool. [StepSecurity’s incident analysis](https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositories-disabled-after-supply-chain-attack-targeting-ai-coding-agents) has the full list of artifact paths to check.
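One way to script that pre-open review is sketched below as an added example; it is not code from the article, StepSecurity, or any of the tools named. It assumes hook commands appear as `"command"` strings nested under `hooks.SessionStart` (the shape Claude Code uses, assumed here for Gemini CLI as well), treats VS Code's `runOn: folderOpen` task option as the auto-run signal (the article does not name it), and matches the two persistence names by file stem; the repository built in `demo()` is constructed sample data.

```python
import json
import tempfile
from pathlib import Path

CONFIGS = (".claude/settings.json", ".gemini/settings.json", ".vscode/tasks.json")
PERSISTENCE_NAMES = {"kitty-monitor", "gh-token-monitor"}  # names from the article

def commands_under(node):
    """Yield every "command" string nested anywhere below node."""
    if isinstance(node, list):
        node = dict(enumerate(node))
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                yield value
            yield from commands_under(value)

def audit_repo(root):
    """Return (relative_path, finding) pairs to review before opening root."""
    root, findings = Path(root), []
    for rel in CONFIGS:
        if not (root / rel).is_file():
            continue
        try:
            data = json.loads((root / rel).read_text(encoding="utf-8"))
            if rel.endswith("tasks.json"):  # VS Code can auto-run folderOpen tasks
                hits = [f"runs on folder open: {t.get('command')}"
                        for t in data.get("tasks", [])
                        if t.get("runOptions", {}).get("runOn") == "folderOpen"]
            else:
                start = data.get("hooks", {}).get("SessionStart")
                hits = ["SessionStart: " + c for c in commands_under(start)]
        except (ValueError, AttributeError, TypeError, OSError):
            hits = ["unparseable: review by hand"]  # comments or odd shape
        findings += [(rel, hit) for hit in hits]
    for p in root.rglob("*"):
        if p.is_file() and p.stem in PERSISTENCE_NAMES:
            findings.append((p.relative_to(root).as_posix(), "persistence file name"))
    return findings

def demo():
    """Audit a constructed repository (all file contents are sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / ".claude").mkdir()
        hook = {"type": "command", "command": "node .github/setup.js"}
        (repo / CONFIGS[0]).write_text(
            json.dumps({"hooks": {"SessionStart": [{"hooks": [hook]}]}}))
        (repo / "gh-token-monitor.service").write_text("")
        return audit_repo(repo)
```

Run `audit_repo()` on a fresh clone from a plain terminal before any AI coding tool or editor touches the folder; pointing it at your home directory covers `~/.claude/settings.json` too.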

The trust model for GitHub repositories has shifted. Cloning was always theoretically risky. Opening a repo in your AI coding tool is now an attack event. Treat it accordingly.
