Miasma npm Worm: A Self-Spreading Supply Chain Attack Reaches Microsoft's GitHub
A self-spreading npm worm called Miasma reached 73 Microsoft GitHub repos on June 5. What Phantom Gyp is, how it uses AI coding agents, and what changed.
On June 5, 2026, GitHub disabled 73 repositories across four of Microsoft's GitHub organizations after a self-spreading npm worm known as Miasma reached the company's code, according to reporting by The Next Web. The affected organizations were Azure, Azure-Samples, Microsoft, and MicrosoftDocs, and the takedown sweep ran in 105 seconds.
The short answer is that the worm reached Microsoft indirectly: it spread from poisoned npm packages by stealing maintainer tokens, then used that write access to commit itself into the company's code. The Next Web reported that the entry point was a malicious commit to the Azure/durabletask repository, pushed with a contributor account that had already been compromised.
The Microsoft incident was not the start of the campaign. It was the most visible point in a week of npm supply chain attacks that began with a compromise of Red Hat's packages and introduced a way to run code that routes around the defenses most scanners rely on.
What was disabled, and how the takedown ran
GitHub's removal hit 73 repositories at once, including ones tied to the Azure Functions and Durable Task projects, The Next Web reported. The same count across the four Microsoft organizations was reported by The Hacker News and the threat intelligence site OpenSourceMalware.
By OpenSourceMalware's account, the worm creates large numbers of repositories that the attacker controls and uses them as drop points for stolen data, and that volume of new repository creation is, in its reading, what tripped GitHub's automated terms-of-service enforcement. On that interpretation, the 105-second sweep is consistent with an automated trip rather than a manual response.
How the worm reached an account with write access to Microsoft's code is the open question. Security researcher Paul McCarty, quoted by The Next Web, tied it to an earlier compromise of the same durabletask project the previous month and said, "Whoever held those credentials in May plausibly never fully lost them." That is an assessment rather than a confirmed chain, and Microsoft had not published a root cause account of the contributor account at the time of writing.
The week before Microsoft
The campaign was already running when it reached Azure. Two earlier waves preceded it.
On June 2, the Microsoft Security blog disclosed a compromise of the @redhat-cloud-services npm namespace: 32 maliciously modified packages across more than 90 versions. By Microsoft's account, the infection began automatically during npm install, where a malicious preinstall hook ran a single obfuscated line of code without any user interaction, delivering a 4.29 MB dropper that harvested cloud and developer credentials.
A day later, on June 3, StepSecurity researcher Sai Likhith documented a separate, faster wave: 57 npm packages compromised across more than 286 versions in a rolling campaign that lasted under two hours. Among the affected packages were @vapi-ai/server-sdk, which StepSecurity put at more than 408,000 monthly downloads, and ai-sdk-ollama, at more than 120,000. GearBriefly earlier covered a poisoned VS Code extension update that spread through Nx Console, another recent supply chain compromise in the developer toolchain.
| Date | Event | Reported by |
|---|---|---|
| June 2 | Red Hat npm namespace compromise disclosed: 32 packages, 90+ versions | Microsoft |
| June 3 | Phantom Gyp wave: 57 packages, 286+ versions, under two hours | StepSecurity |
| June 5 | 73 Microsoft repositories disabled across four GitHub orgs in 105 seconds | The Next Web, The Hacker News, OpenSourceMalware |
The thread connecting the waves is the name the attacker chose. StepSecurity, Microsoft, and the later reporting all point to a worm whose repositories carry the description "Miasma: The Spreading Blight," and whose code, by StepSecurity's account, was published openly, which means more than one actor could be running the same tooling.
Phantom Gyp: code that runs where scanners do not look
The June 3 wave drew attention for how it executed, beyond what it stole. StepSecurity named the technique "Phantom Gyp."
Most defenses against poisoned packages watch npm's lifecycle scripts, the preinstall and postinstall hooks that a package can declare to run code when it is installed. The Red Hat wave used exactly that path. The Phantom Gyp wave did not.
Instead, StepSecurity reported, the attacker planted a 157-byte binding.gyp file. That file is a native build configuration: it normally tells npm how to compile a package's C or C++ components during installation. By abusing a command substitution feature of the build configuration format, the file caused code to run during npm install while appearing to be a routine build step, "bypassing most install script security checks entirely," in StepSecurity's words.
The detail that matters for defenders is where the execution hides: a scanner tuned to flag a suspicious preinstall script finds nothing, because the code runs inside a file that build tooling is expected to act on.
AI coding agents became a second trigger
What separates Miasma from earlier npm attacks is where else it can fire. According to The Next Web, the worm's 4.3 MB payload runner was wired to execute through five developer tools — Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script — and "a developer only needs to clone an affected repo and open it in an AI coding agent for the malware to run."
StepSecurity's analysis describes the mechanism: the worm injects configuration files into a compromised repository that the major AI coding tools read on open, including .claude/setup.mjs for Claude Code, .cursor/rules/setup.mdc for Cursor, .gemini/settings.json for Gemini, and .vscode/tasks.json for VS Code. Those files are meant to let a project define setup steps and agent instructions. Here they re-run the payload, which also makes them indicators defenders can audit for.
That shifts the entry point. An earlier generation of npm attacks needed a victim to install the poisoned package. In practice, with those agent backdoors in place, a developer who clones a repository and opens it in an AI assistant can set off the payload without a deliberate install, because the project setup the tool performs on open does it. GearBriefly has compared these terminal AI coding agents as productivity tools; this campaign treats the same configuration surface as a delivery channel.
What it collects and how it copies itself
The payload is a credential harvester. Across the Microsoft and StepSecurity reports, the targets include AWS access keys and instance metadata tokens, Azure and Google Cloud credentials, GitHub Actions secrets — including extraction from runner process memory — and tokens for npm, RubyGems, and CircleCI. StepSecurity also lists HashiCorp Vault, Kubernetes, SSH keys, and secrets stored in the 1Password, pass, and gopass password managers.
The spread is what makes it a worm. By StepSecurity's account, once the malware holds a maintainer's npm token, it enumerates that maintainer's packages, injects its code, and republishes new versions, signing them with forged provenance attestations so the tampered releases appear legitimate. The Next Web reported that the worm also commits itself into any repository the victim's stolen tokens can write to, which is the path that reached Azure/durabletask. StepSecurity documented a parallel RubyGems variant using Ruby's own native extension mechanism.
The worm also stages stolen data in the open. StepSecurity reported that it creates public GitHub repositories as drop points and commits the harvested secrets into them as encrypted JSON, and counted 236 such repositories under one account operated by the campaign. The "Miasma: The Spreading Blight" description on those repositories is the artifact Microsoft told defenders to search for.
What is being changed in response
Microsoft's report lists defensive measures aimed at the install step itself: pinning package versions rather than accepting ranges, running npm install with the --ignore-scripts flag, rotating any credentials that may have been exposed, and auditing GitHub accounts to verify none carry the "Miasma: The Spreading Blight" description. StepSecurity noted that Phantom Gyp evades tools that inspect a package's declared install scripts; the protection is therefore in not executing untrusted package code during installation rather than relying on a scanner to flag it.
The platform response targets the same class of attack. GitHub's supply chain security report describes "staged publishing," a model that holds a prebuilt package in a staging queue and requires approval from a maintainer, confirmed with multifactor authentication, before it goes live. It pairs that with trusted publishing through OIDC, so automated pipelines can stage a release without holding persistent tokens. Separately, npm CLI 11.15.0 added controls applied at install time — flags such as --allow-git that govern whether an install will accept git-based dependencies — with that flag's default expected to change from "all" to "none" in npm version 12, according to reporting by GBHackers.
Those measures target the publishing step. StepSecurity reported that Miasma already republishes with forged provenance attestations built to look legitimate, which leaves open how reliably a staged approval gate would flag a tampered version that resembles a routine bump.
What is confirmed, and what is not
Confirmed, across Microsoft, StepSecurity, and multiple outlets: 73 Microsoft repositories were disabled on June 5 across four GitHub organizations; the Red Hat and Phantom Gyp waves preceded it; the payload harvests cloud and developer credentials and republishes itself through stolen tokens; and the AI coding agent configuration files act as a second execution trigger.
Less settled is attribution and the exact route into Microsoft. Reporting has linked the broader activity to a threat group tracked as TeamPCP, and StepSecurity's finding that the worm's code was published openly means the same technique can be run by unrelated actors. The credential reuse theory for the Azure/durabletask commit is a researcher's reading of the timeline that Microsoft has not confirmed.
What remains to watch for is narrow and specific: whether npm's staged publishing model and the npm 12 --allow-git default ship as described, whether forged provenance attestations keep clearing those gates, and whether the next reuse of the openly published worm lands somewhere the automated sweep does not reach in time.
Source links
- The Next Web — Miasma worm hits 73 Microsoft GitHub repositories
- Microsoft Security Blog — Inside the Red Hat npm Miasma campaign (June 2, 2026)
- StepSecurity — Miasma npm supply chain attack: a worm via Phantom Gyp (June 3, 2026)
- The Hacker News — Miasma worm hits 73 Microsoft GitHub repositories
- OpenSourceMalware — The blight reaches Microsoft: 73 repos disabled in 105 seconds
- The GitHub Blog — Strengthening supply chain security: preparing for the next malware campaign
- GBHackers — GitHub strengthens npm security with staged publishing