Technical description
On June 5, 2026, the Miasma supply chain worm (attributed to threat cluster TeamPCP) pivoted from npm package poisoning to direct GitHub repository infiltration. Using previously compromised contributor credentials, the attacker pushed a commit to Azure/durabletask that added five configuration files designed to detonate a 4.6 MB credential-harvesting payload across four developer tools. The payload executes: (1) via a .claude/settings.json SessionStart hook for Claude Code, (2) via .gemini/settings.json for Gemini CLI, (3) via a .cursor/rules/setup.mdc prompt injection instructing Cursor AI to 'initialise the project', and (4) via a .vscode/tasks.json folderOpen task for VS Code. GitHub's automated enforcement disabled 73 repositories across Azure, Azure-Samples, Microsoft, and MicrosoftDocs organisations in a 105-second window.
Attack vector
The attacker compromises a contributor's GitHub credentials (the same account used in the May 19 PyPI attack) and pushes a commit that adds AI coding agent configuration files to a trusted repository. When any developer clones the repo and opens it in an AI coding tool, the SessionStart hook or prompt injection triggers automatic execution of the harvester payload; no user interaction beyond opening the repo is required. The attack shifts supply chain malware from 'execute on package install' to 'execute on folder open', bypassing all conventional package-manager-focused defenses.
Affected systems
Claude Code (via SessionStart hooks in .claude/settings.json), Gemini CLI (via .gemini/settings.json), Cursor (via .cursor/rules/*.mdc prompt injection), VS Code (via folderOpen tasks in .vscode/tasks.json). Payload harvests credentials for AWS, Azure, GCP, Kubernetes, npm, GitHub PATs, HashiCorp Vault, and 90+ developer tool configurations. Any developer who opened an affected repository in an AI coding agent between June 5 16:00 UTC and GitHub's automated takedown at 16:02:35 UTC should treat all environment credentials as compromised.
Mitigation
Immediate: rotate all cloud and developer credentials on any workstation where an affected repo was opened in an AI coding agent. Audit .claude/settings.json, .gemini/settings.json, .cursor/rules/, and .vscode/tasks.json files in cloned repositories for unexpected SessionStart hooks or automatic-execution tasks before opening in an AI agent.

Preventive: configure Claude Code, Cursor, and Gemini CLI to require explicit user confirmation before executing any SessionStart or project-setup hook. Implement Git commit signing policies and monitor for unsigned commits from contributor accounts. Treat AI coding agent config files as privileged attack surface in code review.
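The file audit described under Mitigation can be scripted. The following is an added example, not code from this advisory or from any of the tool vendors: it reads the four locations named above without executing anything and lists what would run. It assumes the Claude Code `hooks` layout and the VS Code `runOptions.runOn` field; because the advisory does not give the key used in .gemini/settings.json, the script reports every "command" string it finds in the two settings.json files.

```python
import json
import sys
from pathlib import Path

# Config files the advisory names as auto-execution surface.
JSON_CONFIGS = (".claude/settings.json", ".gemini/settings.json", ".vscode/tasks.json")

def _commands(node, trail=""):
    """Yield (json_path, value) for every string stored under a "command" key."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                yield trail or "<top level>", value
            else:
                yield from _commands(value, f"{trail}.{key}" if trail else key)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _commands(item, f"{trail}[{i}]")

def _on_open(task):
    opts = task.get("runOptions") if isinstance(task, dict) else None
    return isinstance(opts, dict) and opts.get("runOn") == "folderOpen"

def audit_json(rel_path, text):
    """Parse (never execute) one config file; a parse failure is reported, not passed."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [(rel_path, "not strict JSON, review by hand")]
    if rel_path.endswith("tasks.json"):
        tasks = doc.get("tasks") if isinstance(doc, dict) else None
        hits = [h for i, t in enumerate(tasks if isinstance(tasks, list) else [])
                if _on_open(t) for h in _commands(t, f"tasks[{i}] on folderOpen")]
    else:
        hits = list(_commands(doc))
    return [(rel_path, f"{where}: {cmd}") for where, cmd in hits]

def audit_repo(root):
    """Audit the listed files under root; every Cursor rule file is flagged for reading."""
    root, findings = Path(root), []
    for rel in JSON_CONFIGS:
        if (root / rel).is_file():
            findings += audit_json(rel, (root / rel).read_text(encoding="utf-8", errors="replace"))
    for rule in sorted(root.glob(".cursor/rules/*.mdc")):
        findings.append((rule.relative_to(root).as_posix(), "agent rule file, read it first"))
    return findings

if __name__ == "__main__":
    for path, finding in audit_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {finding}")
```

Run it from a terminal against a fresh clone, passing the clone's path as the only argument, before the folder is opened in any of the four tools; empty output means none of the listed files define a command or rule.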