Microsoft Pulls 70+ GitHub Repos as Miasma Worm Targets AI Coding Agents

When the trigger is no longer a human running a build but an AI agent opening a folder, the supply chain has a new, faster fuse.

REDMOND, WASHINGTON — Microsoft on June 8, 2026 took the unusual step of shutting down more than 70 of its own GitHub repositories after attackers pushed malware engineered to steal credentials from developers who rely on AI coding agents, including users of Claude and Gemini. The takedown was a response to suspected infections by the Miasma worm, a self-replicating supply-chain threat that had already laced Microsoft packages once in the preceding weeks.

Security researchers observed 73 packages running a credential-harvesting stealer as soon as they were opened by an AI agent — an early, concrete example of a supply-chain attack optimized for the AI-coding-agent threat surface. The incident follows a closely related Mini Shai-Hulud / Miasma variant that hit Red Hat's npm scope, and it marks the second time in weeks that official Microsoft packages have been found carrying credential-stealing code.

What Microsoft Removed and Why

The most visible part of the incident was the scale of Microsoft's own response. According to reporting from The Register, the company pulled more than 70 of its GitHub repositories after the suspected Miasma infections came to light — a sweeping, self-inflicted outage that Microsoft accepted rather than leave potentially poisoned code in front of developers.

The repositories were not obscure side projects. As TechCrunch reported, Microsoft's open-source tools for Azure and for AI coding were among those affected, meaning the takedown reached into code that downstream organizations actively pull into their own build and deployment pipelines. Removing more than 70 repositories at once is a blunt instrument, and one Microsoft would not reach for unless it judged the risk of leaving them live to be higher than the disruption of taking them down.

A key distinction runs through the reporting and is worth holding onto: the 70-plus figure refers to the repositories Microsoft pulled, while a separate count of 73 packages describes the artifacts observed running the self-replicating stealer. The two numbers describe different things — repositories taken offline versus packages caught executing malicious code — and conflating them overstates how neatly the incident maps to a single tally.

Microsoft's public characterization of the takedown, the full list of affected repositories, and whether those repositories had been restored as of publication were not confirmed in the initial reporting, and this account does not assert them.

How the Miasma Worm Targets AI Coding Agents

What sets this campaign apart is the trigger. According to Ars Technica, the 73 packages were observed running a self-replicating credential stealer as soon as they were opened by an AI agent — not when a human ran an install command or executed a build, but at the moment an AI coding assistant ingested the repository.

That detail reframes the threat. AI coding agents routinely open, read, and reason over whole repositories on a developer's behalf, which makes "a file the agent will read" a viable execution path. The pattern echoes earlier supply-chain work aimed squarely at assistants, including a Trapdoor campaign across npm, PyPI, and crates that sought to poison AI assistants. Miasma takes that idea and pairs it with self-replication: once it has run, the worm is built to spread further through the environments it lands in.

The payoff for the attacker is credentials. As 404 Media reported, the campaign targets the credentials of AI developers specifically, including users of Claude and Gemini — the secrets, tokens, and keys that sit in a working developer environment and unlock cloud accounts, package registries, and source control. In a self-replicating model, each set of harvested credentials is also a potential vector for the next hop.

Several mechanics remain unconfirmed and are not asserted here: the exact source of the initial poisoning, whether any harvested credentials were actually exfiltrated or used downstream, and whether Anthropic or Google received advance notice. The shape of the attack is clear from the reporting; its full downstream impact is not yet established.

The Second-Strike Problem — Why This Keeps Happening

This is not the first time in recent weeks that official Microsoft packages have been found laced with a credential stealer. Ars Technica frames the episode explicitly as the second such incident in that window, following an earlier round in which Mini Shai-Hulud-style typosquatted npm packages went after Microsoft cloud and CI/CD secrets. Two strikes in a matter of weeks against the same enormous publisher is a pattern, not a coincidence.

Part of the explanation is that Miasma is a moving target. The Register describes the worm as one that "shapeshifts" — its delivery has evolved across incidents rather than reusing a fixed signature, which makes any single detection rule a brittle defense. A threat that changes how it arrives, while keeping its goal constant, is precisely the kind that slips back through after a first round is cleaned up.

The other part is structural. A publisher the size of Microsoft maintains a vast surface of open-source repositories and packages, any one of which can become a delivery vehicle if an attacker gains a foothold. The reporting does not confirm whether the same actor is behind both incidents, and this account does not claim it. But the repetition underscores how hard it is for even the most resourced publisher to keep a sprawling open-source estate clean against a worm built to come back.

What This Means for AI-Coding-Agent Threat Models

The lasting significance of this incident is what it signals about where supply-chain attacks are heading. For years, the assumed trigger in a poisoned package was a human action: running an install, executing a post-install script, building a project. Miasma's observed behavior — running the moment an AI agent opens the package — moves the trigger to the assistant itself.

That changes the threat model in a practical way. Many developers have internalized a habit of caution around running untrusted code, but the same caution does not always extend to letting an AI agent read a repository, an action that feels passive and low-risk. If simply opening a poisoned repo in an assistant is enough to execute a stealer, then the act of pointing an AI coding agent at unfamiliar code becomes a security decision in its own right.

It also raises the stakes for the agents and the environments that host them. Credentials sitting in a developer's session — cloud keys, registry tokens, source-control access — are exactly what a self-replicating worm needs to spread, and an AI agent with broad repository access is a fast way to reach them. Whether tooling vendors respond by sandboxing what agents execute, scanning repositories before agents ingest them, or constraining the credentials available in an agent's context is one of the open questions the incident leaves behind.

Open Questions

Several threads were unresolved at publication and are worth watching rather than assuming. The exact source of the initial poisoning has not been established, nor has whether any of the targeted credentials were exfiltrated or used in follow-on intrusions. Microsoft has not published a full list of the affected repositories, and whether those repositories were restored as of publication was not confirmed.

The attribution picture is likewise open. It is not confirmed that the actor behind this campaign is the same one responsible for the earlier Microsoft-package incident, and whether Anthropic or Google received advance notice before the targeting of their users' credentials became public is unknown. The most consequential question may be the broadest: how the makers of AI coding agents adjust their products now that "open this repository" has been shown, in the wild, to be enough to set off a self-replicating credential stealer.

Sources