Incident · curated 27 Jun 2026
First reported 8 Jun 2026 · 18d ago
Single-source incident — first reported, latest, and curated coincide.
This shows a self-propagating supply-chain worm weaponizing AI coding agents to harvest credentials, turning developer copilots into an attack vector inside trusted repositories.
On June 5, 2026, the Miasma worm campaign pushed a malicious commit to Microsoft's Azure/durabletask repository via a compromised contributor account, planting configuration files that execute a credential-harvesting payload when developers open the repo in AI coding agents like Claude Code, Gemini CLI, Cursor, or VS Code. GitHub disabled 73 repositories across four Microsoft organizations in response.
Why it matters
This shows a self-propagating supply-chain worm weaponizing AI coding agents to harvest credentials, turning developer copilots into an attack vector inside trusted repositories.