11 June 2026 · 6 min read · Supply Chain Attack · AI Coding Agents · Microsoft

Miasma Worm Hits Microsoft Again: 73 npm Packages Booby-Trapped for AI Agents

The second supply-chain attack on official Microsoft repositories in just two months was precisely targeted at developers using AI coding agents. The Miasma worm compromised 73 npm packages published from Microsoft's GitHub account and triggered a malicious payload exactly when a victim opened a project in tools such as Claude Code, Gemini CLI, Cursor, or VS Code.

Key takeaways

  • 73 Microsoft npm packages compromised by group TeamPCP using the Miasma worm
  • Payload triggered when project opened in AI agents: Claude Code, Cursor, Gemini CLI, VS Code
  • Stealer harvests credentials from AWS, Azure, GCP, Kubernetes, and over 90 developer tool configurations
  • Worm self-replicates by infecting other developer machines and CI/CD pipelines
  • Same Microsoft account that was already compromised in May 2026

Attack mechanism: SLSA as a weapon

In early May 2026, StepSecurity documented the first breach — the compromise of the durabletask package on PyPI, downloaded 400,000 times a month. That attack followed nearly the same blueprint: Microsoft's publishing credentials were stolen and used to inject a malicious payload, bypassing the repository's build pipeline. The operation was staged through an account on GitHub — a platform owned by Microsoft.

The second incident, which occurred in late May 2026, is more serious in scale — 73 packages instead of one. The attack architecture itself reflects a troubling trend in cybersecurity: the Miasma worm does not exploit any vulnerability in GitHub or npm software. Instead, it exploits the trust model of the modern engineering ecosystem. The attacker stole a legitimate Microsoft OIDC token — the very credential on which SLSA's cryptographic provenance attestation, meant to guarantee artifact integrity, relies. As a result, hash-based security scanners were helpless, because the worm generates a uniquely encrypted payload for every infection, so no two samples share a hash.

AI agents as an infection vector

The detail that distinguishes this attack from dozens of supply-chain incidents in recent years is its deliberate targeting of developers using AI coding agents. The stealer did not activate at package installation — it fired only when a project was opened in Claude Code, Cursor, Gemini CLI, or VS Code with AI extensions. This is a deliberate choice: AI agents have broad access to the filesystem, environment variables, and cloud tokens as part of their core workflow, and they operate in an autonomous mode without per-operation developer oversight.

The payload harvested credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations. It then attempted to spread across the victim's cloud infrastructure and infect other developer machines and CI/CD environments. This makes Miasma a classic network worm — except it uses trusted open-source packages as a propagation channel rather than system vulnerabilities.

Comparison with a standard supply-chain attack

Traditional supply-chain attacks, like the notorious xz utils incident of 2024, required months of effort to inject a backdoor into a repository. Miasma works differently: the attacker steals the account owner's credentials and publishes a malicious package version as its legitimate maintainer. The window from credential theft to malicious code deployment is hours, not months. Furthermore, the package arrives with a valid SLSA signature — the very mechanism the industry introduced to defend against this type of attack.

Red Hat, whose npm packages were compromised in a parallel Miasma attack, precisely explained where SLSA's boundaries fall short: the standard confirms that a package was built from a specific source and was not modified in transit — but it does not protect against a scenario where the attacker has taken control of that source.

Microsoft and GitHub response

Microsoft's response to both incidents drew criticism from security researchers. GitHub initially removed the packages citing a "violation of GitHub's terms of service" — with no mention of malicious content. Only several days after the incident did Microsoft acknowledge that it had "temporarily removed some repositories as we investigate potential malicious content." For developers who had already opened compromised projects in an AI agent, this delay may mean their credentials are already in attacker hands.

An additional question Microsoft has not yet answered is how the same credentials were stolen twice. Possible explanations include incomplete credential rotation after the May incident, or a separate infection of a Microsoft developer machine by another package that stole the new credentials.

Why it matters

This attack signals a qualitative shift in the supply-chain threat landscape. For years, the primary targets of supply-chain attacks were production servers — now attackers are explicitly targeting developer environments, and specifically workstations running AI coding agents.

This is not coincidental. Tools such as Claude Code, Cursor, and Gemini CLI have access to cloud credentials, API tokens, and infrastructure configuration as a basic requirement of their work. A developer who trusts an agent with access to their AWS environment is effectively extending their security trust boundary beyond their own machine — to the entire ecosystem of tools the agent uses. Attackers identified this point and exploited it.

SLSA, the trust mechanism introduced specifically to prevent supply-chain attacks, proved to be a double-edged sword in this scenario: it gave malicious packages an appearance of legitimacy. The problem is not with SLSA itself — the standard does what it was designed to do — but with the mistaken assumption that cryptographic provenance verification is sufficient when the publisher account itself has been taken over.
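The SLSA boundary described in the Red Hat paragraph and restated above (a valid provenance proves where an artifact was built, not that the publisher is still trustworthy), shown as an added example that is not code from the article or from any vendor: a Python policy check over a constructed SLSA v1 provenance statement, where every provenance field passes and only a release-age gate holds the package back. The package name, repository, builder id, timestamps and the seven-day cooldown rule are assumptions, and the Sigstore signature on the attestation is assumed to have been verified beforehand.

```python
import json
from datetime import datetime, timedelta

# Constructed SLSA v1 provenance (in-toto Statement) for a hypothetical package;
# not an artifact from the incident. A release pushed through the real pipeline
# with a stolen publisher credential would look exactly like this.
PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg:npm/widget@2.0.1", "digest": {"sha256": "ab" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {
                "workflow": {"repository": "https://github.com/example-org/widget"}},
        },
        "runDetails": {
            "builder": {"id": "https://github.com/actions/runner/github-hosted"},
            "metadata": {"finishedOn": "2026-05-28T01:13:00Z"},
        },
    },
})

POLICY = {
    "repo": "https://github.com/example-org/widget",             # assumed trusted source
    "builder": "https://github.com/actions/runner/github-hosted",  # assumed trusted builder
    "cooldown": timedelta(days=7),  # hypothetical org rule: no release younger than a week
}

def _ts(iso: str) -> datetime:
    # Parse RFC 3339 timestamps with a trailing Z on any Python 3 version.
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def provenance_checks(statement: str, policy: dict) -> dict:
    """The questions a provenance statement can answer: what kind of attestation
    it is, which repository the build was run from, and which builder ran it."""
    st = json.loads(statement)
    pred = st["predicate"]
    repo = pred["buildDefinition"]["externalParameters"]["workflow"]["repository"]
    return {
        "types": st["_type"] == "https://in-toto.io/Statement/v1"
                 and st["predicateType"] == "https://slsa.dev/provenance/v1",
        "source_repo": repo == policy["repo"],
        "builder": pred["runDetails"]["builder"]["id"] == policy["builder"],
    }

def release_allowed(statement: str, policy: dict, now_iso: str) -> bool:
    """Provenance checks plus a release-age gate. Provenance cannot tell a hijacked
    publisher from the real one; the gate buys time for the release to be pulled."""
    finished = json.loads(statement)["predicate"]["runDetails"]["metadata"]["finishedOn"]
    too_fresh = _ts(now_iso) - _ts(finished) < policy["cooldown"]
    return all(provenance_checks(statement, policy).values()) and not too_fresh
```

Every provenance check returns True for this release, so a consumer relying on provenance alone would install it hours after publication; the same statement is accepted only once the cooldown has elapsed.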

For the industry, this means that deploying AI tools in the development process requires a separate threat model analysis. AI agents are not ordinary code editors — they are autonomous systems with infrastructure access, and every package an agent processes becomes a potential attack vector.

What's next?

  • Developers who opened any of the 73 compromised packages in an AI agent should treat all credentials from the compromised environment as stolen and rotate them immediately.
  • Microsoft has not disclosed how the same credentials were stolen twice for the same account — the company's answer to this question will be critical for assessing whether the problem has actually been resolved.
  • The incident will likely accelerate industry discussion around extending trust models for AI agents — analogously to how SLSA was introduced after earlier waves of supply-chain attacks.
