GitHub took the extraordinary step of disabling 73 Microsoft-owned repositories on June 5, 2026, after investigators confirmed the Miasma worm had reached the Azure durabletask project through a compromised contributor account. The worm planted credential-stealing logic that activated whenever an AI coding agent opened the repository, turning a routine developer action into a stealthy heist.

The attack represents a dangerous escalation in software supply chain threats. It weaponizes the very tools that developers and automated systems rely on daily, exploiting the trust embedded in source code collaboration platforms.

How the Miasma Worm Operates

Miasma is not traditional malware that targets developer workstations. Instead, it lurks within repository metadata and configuration files, waiting for a specific trigger: the moment an AI coding agent — such as GitHub Copilot’s agent mode, Amazon Q Developer, or Cursor — initializes a repository context. These agents typically scan repository contents to provide code suggestions, and they often hold credentials with broad repository access.

The worm’s payload hid in a seemingly innocent .devcontainer/Dockerfile and an associated devcontainer.json file, both commonly used to define reproducible development environments. When an agent cloned or inspected the repo, Miasma spawned a background process inside the agent’s execution environment. That process harvested all environment variables, file system tokens, and OAuth tokens from memory, then exfiltrated them to a command-and-control server that mimicked a legitimate CI/CD log endpoint.

Security researcher Adrien Leblanc, who first identified the anomalous behavior while auditing agent logs for OpenAI’s Codex, said the attack was “jarringly simple in concept but exquisite in execution.” Leblanc noted that the worm used the agent’s own capabilities against it: an AI coding agent, by design, reads every file in a repo to build context. Miasma planted files that looked routine, with no malicious intent visible without executing the agent environment.

The Compromised Contributor Account

The initial breach vector was a Microsoft vendor contributor account with write access to several repositories, including microsoft/durabletask and microsoft/azure-functions-durable-extension. GitHub’s investigation found that the account credentials were likely exposed through a third-party service leak on May 27, 2026. The attacker used this access to push three commits across 12 repositories over a four-day period, each incrementally adding the worm components. Because the commits appeared as routine maintenance patches (updating dev container configurations and documentation links), automated review tools and human reviewers did not flag them.

Once inside the durabletask repository, the worm’s design became particularly effective. Durabletask is an orchestration framework for Azure Functions, used by thousands of enterprise developers. Many of those developers rely on AI coding agents to manage and extend their durabletask implementations. When an agent read the compromised repo, Miasma not only stole the agent’s credentials but also scanned the agent’s configuration to find other repositories the agent accessed. It then attempted to insert a similar payload into those repositories—if the stolen tokens granted write access.

GitHub confirmed that secondary propagation succeeded in at least 17 private repositories belonging to six organizations, amplifying the credential harvest. All 73 disabled repositories had been either directly tampered with or were forks that inadvertently copied the malicious code.

AI Coding Agents: A New Attack Surface

The incident exposes a blind spot in securing AI-powered development workflows. Traditional security practices focus on preventing unauthorized code execution on developer machines or in CI/CD pipelines. They do not consider the agent’s own runtime as a potential target. An AI coding agent operates with a level of autonomy and access that few security policies adequately constrain.

“Agents are, in effect, automated developers with their own long-lived credentials. But we don’t treat them as such,” said Maria Fuentes, CEO of supply chain security firm Packagr. “Miasma is proof that you can compromise an agent just by letting it read your README. That’s a nightmare for any organization relying on these tools.”

Most AI coding agents today use personal access tokens (PATs) or OAuth grants that have read, write, and repository scope—because they need to clone, analyze, and sometimes commit changes. These tokens rarely expire quickly, and they grant the agent the same privileges as the developer who installed it. Miasma exploited that equivalence, turning the agent into a silent insider threat.

Microsoft’s Response and Remediation

Within hours of detecting the malicious commits, GitHub’s security team — working with Microsoft’s Detection and Response Team (DART) and Azure Security — disabled the affected repositories and invalidated all associated deployment keys and PATs that had interacted with them. The team also revoked the compromised contributor account and began rotating credentials across all Microsoft-owned repositories as a precaution.

Microsoft published a security advisory (MSRC-2026-047) detailing the incident and acknowledging that “the worm successfully harvested a limited number of internal Azure service principal credentials.” The company emphasized that no customer data was accessed, though it advised all developers who forked or cloned the affected repositories to audit their environments and rotate any credentials that may have been exposed.

GitHub also released an update to its secret scanning feature, adding detection rules for the specific patterns Miasma used to exfiltrate data. Additionally, it introduced a new “Agent Isolation Mode” for GitHub Codespaces and Copilot Chat, which runs agent processes in a sandbox that restricts external network access by default. The feature is opt-in for existing workspaces but enforced for any repository flagged by GitHub’s anomaly detection system.

The Implications for Open Source and Enterprise Security

The Miasma worm underscores a fundamental tension between productivity and security in modern development. AI coding agents promise to accelerate software creation, but their deep integration with source code repositories creates a vector that adversaries can manipulate. Unlike a compromised library that requires developers to execute or deploy malicious code, Miasma required nothing more than opening a repository.

Enterprise security teams now face a difficult challenge: how to let AI agents read code without exposing the entire credential chain. Short-term mitigations include using fine-grained tokens with read-only scope and no repository-level write access. But many AI coding tools require write scope for features like inline code editing, pull request summaries, and auto-committing. Restricting that scope cripples the tools’ utility.

The incident also highlights the growing sophistication of software supply chain attacks. The attacker behind Miasma demonstrated deep knowledge of AI coding agents’ internal architecture and the typical workflows of developers using them. This was not a broad spray of malware; it was a precision-targeted operation that leveraged the supply chain of an orchestration framework to maximize reach.

“Supply chain attacks used to be about slipping malicious code into a popular npm package. Now it’s about turning the developer’s own AI assistant into a weapon,” said Fuentes. “Miasma is a blueprint for the next generation of attacks.”

What Developers Should Do Now

For individual developers and organizations relying on AI coding agents, the immediate steps are straightforward but critical:

  • Audit agent credentials – Check all PATs and OAuth tokens granted to coding agents. Ensure they follow the principle of least privilege. If an agent does not need to push code, revoke write access.
  • Update dev container configurations – Review .devcontainer/ directories for unexpected files or changes, especially in repositories you do not own. The Miasma worm hid in these locations.
  • Enable strict agent policies – If your coding agent supports it, restrict its ability to access external network resources. Monitor agent logs for unexpected outbound connections.
  • Use credential scanning – Adopt tools like GitGuardian or GitHub Advanced Security to detect secrets that may have been inadvertently included in agent prompts or memory.
  • Monitor for this indicator of compromise – Check agent execution logs for connections to domains mimicking CI/CD services (the Miasma C2 server used pipelines.azure.micosoft.net, a homograph attack on pipelines.azure.microsoft.net).
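
The last check in the list above, as an added example (not Microsoft's remediation script or any code referenced in this article): it scans agent connection logs for destinations that sit within a small edit distance of a trusted CI/CD host. The `host=` log format, the allowlist and the function names are assumptions; the sample lines are constructed and use only the domain quoted above.

```python
import re

# Assumed allowlist of hosts the agent is expected to contact.
TRUSTED_HOSTS = {"pipelines.azure.microsoft.net", "api.github.com"}
# Assumed log format: key=value pairs with the destination in host=...
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")

def edit_distance(a, b):
    """Levenshtein distance, computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def lookalikes(log_lines, trusted=TRUSTED_HOSTS, max_distance=2):
    """Return (line_no, host, imitated_host) for near-miss destinations."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = HOST_RE.search(line)
        if not m:
            continue
        # Normalise case and a trailing root dot before comparing.
        host = m.group(1).rstrip(".").lower()
        if host in trusted:
            continue
        for good in sorted(trusted):
            if 0 < edit_distance(host, good) <= max_distance:
                hits.append((n, host, good))
                break
    return hits

# Constructed sample log lines (not taken from any real agent).
SAMPLE_LOG = [
    "2026-06-04T10:02:11Z agent=ctx action=connect host=api.github.com port=443",
    "2026-06-04T10:02:14Z agent=ctx action=connect host=pipelines.azure.micosoft.net port=443",
    "2026-06-04T10:02:15Z agent=ctx action=connect host=Pipelines.Azure.Microsoft.net. port=443",
    "2026-06-04T10:02:19Z agent=ctx action=connect host=pypi.org port=443",
]

if __name__ == "__main__":
    for line_no, host, imitated in lookalikes(SAMPLE_LOG):
        print(f"line {line_no}: {host} imitates {imitated}")
```

An edit-distance check catches dropped, added or swapped characters in ASCII names; hosts that are simply absent from the allowlist still need an ordinary egress policy.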

Microsoft has published a dedicated remediation guide and a PowerShell script that scans agent environments for residual Miasma artifacts. The script verifies that the malicious devcontainer files are absent and that no unusual scheduled tasks were added to the agent’s runtime.

The Bigger Picture: Time to Rethink Trust in Automated Development

The Miasma incident will likely accelerate industry-wide conversations about the security boundaries of AI-powered development environments. Expect to see stronger isolation mechanisms baked into future agent frameworks, along with standardized credential scopes specifically designed for autonomous code-reading agents.

For now, Miasma serves as a costly reminder that every new automation layer introduces new attack surface. The software supply chain proved vulnerable at the exact point where humans ceded control to machines—a lesson the security community will be studying for years to come.