SECURITY & PRIVACY

The Miasma Worm Used AI Coding Tools to Breach 73 Microsoft Repos. The Pattern Is Clear.

Sara Voss · Security & Privacy · June 10, 2026

On June 5, 2026, security researchers discovered something unprecedented: a self-replicating worm that used AI coding assistants themselves as the attack vector. The Miasma worm compromised 73 Microsoft GitHub repositories across four major organisations — Azure, Azure-Samples, Microsoft, and MicrosoftDocs — by planting malicious payloads that activated the moment a developer opened the repository in an AI coding tool.

The attack exploited compromised contributor credentials to push a malicious commit to the Azure/durabletask repository. From there, it spread automatically. When any developer opened the infected repo in Claude Code, Gemini CLI, Cursor, or VS Code, the worm harvested cloud credentials and developer tokens, then used them to push itself to additional repositories. By the time Microsoft’s security team contained the breach, the worm had reached 73 repos and disrupted CI/CD pipelines across the Azure ecosystem.

This isn’t just another supply chain attack. It’s a new category of threat — one that exploits the AI tools developers trust most — and it arrived alongside a cascade of other escalating cyber incidents that make this week one of the most consequential in cybersecurity this year. Here’s the breakdown of what happened, why it matters, and what you need to do about it.

01 — How the Miasma Worm Works — Step by Step

The Miasma attack followed a precise chain that should terrify anyone who manages developer infrastructure:

1. Credential compromise. An attacker obtained contributor credentials — likely through phishing, a previous breach, or a leaked token — granting write access to the Azure/durabletask repository.

2. Malicious commit. The attacker pushed a commit containing configuration files that, on the surface, appeared benign. No malicious code was directly executed. Instead, the files were designed to trigger when processed by an AI coding assistant’s context window.

3. AI-assisted propagation. When a developer opened the infected repository in Claude Code, Gemini CLI, Cursor, or VS Code, the AI tool ingested the malicious configuration as context. The worm harvested any credentials the tool had access to — cloud API keys, GitHub tokens, environment variables — then used those credentials to push itself to other repositories the developer had access to Rescana’s detailed analysis found.

4. CI/CD disruption. Once inside, the worm specifically targeted CI/CD pipelines, particularly those relying on Azure/functions-action, causing cascading build failures across the Azure ecosystem.

02 — Why AI Coding Tools Are the Perfect Trojan Horse

AI coding assistants operate with extraordinary trust. They have access to your file system, your environment variables, your Git credentials, and often your cloud provider tokens. When you ask Claude Code to ‘review this repo and suggest improvements,’ you’re implicitly granting it permission to read every file in the directory — including any malicious configuration files someone might have planted there.

The Miasma worm exploited this trust model perfectly. It didn’t need a zero-day vulnerability in Claude Code or Gemini CLI. It just needed a developer to open a compromised repository with their AI tool active. The AI would process the malicious config, the worm would harvest the credentials, and the cycle would repeat.

This attack vector is particularly dangerous because it’s fundamentally hard to patch. AI tools should be able to read your code — that’s their purpose. The defence has to come from repository hygiene, contributor access controls, and treating every third-party repository as potentially hostile until proven otherwise.

03 — The CISA Zero-Day: Qilin Ransomware Exploits Check Point VPN

As if the Miasma worm wasn’t enough, June 9 brought another urgent alert: CISA ordered all US federal civilian agencies to patch a critical Check Point VPN vulnerability by June 11 — a three-day deadline. The zero-day, tracked as CVE-2026-50751 with a 9.3 CVSS score, allows attackers to bypass authentication entirely on Check Point Remote Access VPN and Mobile Access deployments using the legacy IKEv1 protocol TechCrunch reported.

The Qilin ransomware group — the same gang that breached the NHS in 2024 — has been actively exploiting the flaw against ‘a few dozen targeted organisations globally,’ according to Check Point. The timing is brutal: organisations already scrambling to review their AI tooling for Miasma exposure now need to patch their VPN infrastructure simultaneously.

04 — Silent Ransom Group: When Hackers Show Up at Your Office

On June 5, Google’s Mandiant and the FBI jointly disclosed a threat that sounds like a spy thriller: the Silent Ransom Group has been sending fake IT workers in person to law firm offices, where they connect to employees’ computers and steal data directly via USB drives TechCrunch detailed. The campaign targeted ‘dozens’ of victims from January through May 2026.

Law firms are treasure troves: client contracts, Social Security numbers, financial records, tax documents. One affected firm, Fox Rothschild LLP, was sued on June 9 after the group allegedly took plaintiffs’ personal data. Another, Jones Day, was hit earlier by the same group.

Meanwhile, AI hacking tools are flooding ransomware marketplaces. Halcyon’s research found that AI utility posts on dark web forums grew from 38 in December 2025 to 1,486 by February 2026 — a 39x increase in two months. ‘WormGPT’ has become a brand name for multiple operators selling AI-generated phishing, credential stuffing, and exploit generation tools CSO Online reported.

05 — What You Need to Do Right Now

The threats are converging: AI supply chain worms, zero-day VPN exploits, in-person social engineering, and commoditised AI hacking tools. Here’s what matters, in order of urgency:

1. Never open an untrusted repository with an AI coding tool active. The Miasma worm teaches a brutal lesson: your AI assistant can become a weapon if it ingests malicious content. Review repository contents manually before opening them in Claude Code, Gemini CLI, Cursor, or VS Code. This is the single most important behavioural change developers need to make immediately.

2. Patch Check Point VPN now. If you use Check Point Remote Access VPN or Mobile Access with IKEv1 enabled, apply the patch immediately. CISA isn’t issuing three-day deadlines for minor risks. Qilin actively exploits this flaw. If you can’t patch today, disable IKEv1 and switch to IKEv2.

3. Lock down your repository permissions. Audit contributor access to every repository your organisation owns. Remove stale contributors. Require branch protection rules, mandatory code reviews, and signed commits. The Miasma worm spread through a single compromised contributor token — one weak link is all it takes.

4. Verify IT support before granting access. If someone shows up claiming to be IT support, verify their identity through a separate channel before letting them touch any device. Silent Ransom Group has demonstrated that physical access attacks work, and they’re scaling up.

5. Monitor your CI/CD pipelines for anomalies. Miasma specifically targeted CI/CD infrastructure. Set up alerts for unexpected build failures, unauthorised commits, or unusual worker behaviour. Assume your pipelines are a target — they are.

The pattern is clear: AI is supercharging attacks on every front — code, infrastructure, and physical access. The defenders’ advantage has never been thinner. The organisations that survive this year won’t be the ones with the best tools; they’ll be the ones that act fastest when the alarms go off.