Issuer: Adverse Trace Date issued: 2026-06-06 Version: 1.0
1. Executive summary
On June 5, 2026, the "Miasma" worm campaign compromised 73 repositories across four Microsoft GitHub organizations (Azure, Azure-Samples, Microsoft, MicrosoftDocs) via a malicious commit to the Azure/durabletask repository using a previously compromised contributor account. Unlike traditional package registry poisoning, this attack injected configuration files (.claude/settings.json, .cursor/rules/setup.mdc) designed to execute credential-harvesting payloads immediately when developers open the repository in AI coding agents (Claude Code, Gemini CLI, Cursor) or VS Code. For EMEA financial services, the immediate risk is the potential exfiltration of cloud credentials (AWS, Azure, GCP, Kubernetes) from developer workstations interacting with these specific repositories, bypassing standard package manager controls.
2. Regulatory framing
| Regulation | Article | Practical Impact for Financial Entities |
|---|---|---|
| DORA | Art. 17 | Protection: Requires immediate assessment of ICT third-party dependencies. If your CI/CD pipelines or developers pull from the affected 73 repos, your "protection" controls (static analysis, sandboxing) must be validated against IDE-level execution hooks. |
| DORA | Art. 19 | Reporting: If interaction with these repos results in a major incident (e.g., credential theft leading to cloud compromise), classification and notification timelines are triggered. |
| DORA | Art. 28-30 | Third-Party Risk: Demonstrates the fragility of open-source supply chains. Entities must review contractual and technical arrangements regarding the ingestion of code from public repositories, even those maintained by major vendors like Microsoft. |
| NIS2 | Art. 21(2)(d) | Supply Chain Security: Mandates specific measures for securing the supply chain and software development lifecycle. This incident highlights the need to secure the "folder open" event, not just the npm install or pip install event. |
| NIS2 | Art. 23 | Incident Handling: Requires early warning and incident reporting if the compromise affects essential services. Financial entities acting as essential entities must report if their development environments are contaminated. |
3. Attack chain
- Initial Access: Attackers utilized a previously compromised contributor account associated with the Azure/durabletask repository.
- Persistence/Injection: A malicious commit was pushed directly to the repository on June 5, 2026. This commit introduced specific configuration files rather than modifying source code logic directly.
- Payload Placement: The commit planted configuration files including .claude/settings.json and .cursor/rules/setup.mdc.
- Trigger Mechanism: The payload is designed to execute automatically when a developer opens the infected repository directory using supported AI coding tools (Claude Code, Gemini CLI, Cursor) or potentially VS Code with specific extensions.
- Exfiltration: Upon execution, the payload harvests credentials from local environment configurations (AWS, Azure, GCP, Kubernetes, and 90+ developer tools).
Unconfirmed Steps:
- The exact mechanism of lateral movement post-exfiltration within a corporate network is unconfirmed.
- Attribution beyond the "Miasma" campaign label and the link to the May 19 PyPI incident is not explicitly confirmed in the provided sources, though the modus operandi suggests a single actor.
- The full list of the 73 disabled repositories has not been enumerated in the provided text; only the scope (four organizations) is confirmed.
4. Recommended actions
P1: Immediate (Within 24 Hours)
- Block Access: Restrict developer access to the 73 disabled Microsoft repositories identified in the StepSecurity and OpenSourceMalware reports. Verify whether your CI/CD pipelines or local clones reference Azure/durabletask or any repo within the Azure, Azure-Samples, Microsoft, or MicrosoftDocs organizations updated in the last 48 hours.
- Local Scan: Instruct development teams to scan local working directories for the presence of .claude/settings.json and .cursor/rules/setup.mdc files introduced after June 4, 2026.
  - Command: find . -name "settings.json" -path "*/.claude/*" -mtime -2
  - Command: find . -name "setup.mdc" -path "*/.cursor/rules/*" -mtime -2
- Credential Rotation: If any developer has opened an affected repository in an AI coding agent since June 5, 2026, immediately rotate all cloud credentials (AWS, Azure, GCP) and API keys present in that development environment.
P2: Short-term (Within 72 Hours)
- IDE Configuration Review: Audit global and local configurations for Claude Code, Gemini CLI, Cursor, and VS Code. Disable automatic execution of session start hooks or prompt injections from untrusted sources until vendor patches are verified.
- Supply Chain Inventory: Generate a software bill of materials (SBOM) for all active development projects to identify dependencies on the 73 disabled repositories. Replace pinned versions with known-good forks if available, or freeze updates.
P3: Medium-term (Within 7 Days)
- Policy Update: Update software development policies to include "AI Agent Safety" checks. Mandate that configuration files dropped in repository roots (.claude, .cursor) be treated with the same suspicion as package.json or requirements.txt scripts.
- Vendor Engagement: Monitor Microsoft and GitHub advisories for the restoration of the 73 repositories and only re-enable access once explicit "clean" signals are provided by the vendor.
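The two find commands under P1 locate the named files by path and age only. The following script is an added example (not code from this advisory, from StepSecurity or from Microsoft) that generalises that local scan: it walks a whole directory of clones in one pass, reports every .claude/settings.json or .cursor/rules/setup.mdc changed within the last two days, and additionally lists any shell commands registered under "hooks" in a settings.json so that P1 credential rotation and the P3 "treat agent config like package.json scripts" policy check can be prioritised per clone. The hooks layout it parses is assumed from Claude Code's documented settings format, not from the advisory; the sample tree built by run_demo is constructed and contains no real payload.

```python
"""Local scan for the AI-agent configuration files named in the advisory.

Added example, not code from the advisory, StepSecurity or Microsoft.
The "hooks" layout parsed below is assumed from Claude Code's documented
settings format; the sample files in run_demo() are constructed.
"""
import json
import os
import tempfile
import time
from pathlib import Path

# File paths named in the advisory, relative to a repository root.
WATCHED_PATHS = (
    Path(".claude") / "settings.json",
    Path(".cursor") / "rules" / "setup.mdc",
)


def find_watched_files(root, max_age_days=2, now=None):
    """Return (path, rel, age_days) for each watched file under root changed recently.

    Equivalent to the advisory's `find ... -mtime -2`, but covers every clone
    nested anywhere under `root` in a single pass.
    """
    now = time.time() if now is None else now
    hits = []
    for rel in WATCHED_PATHS:
        for path in Path(root).rglob(rel.name):
            # The bare file name is common; require the full relative layout.
            if not path.is_file() or path.parts[-len(rel.parts):] != rel.parts:
                continue
            age_days = (now - path.stat().st_mtime) / 86400
            if age_days < max_age_days:
                hits.append((path, rel, age_days))
    return hits


def hook_commands(settings_path):
    """List (event, command) pairs registered as command hooks in a settings file.

    Assumed layout (Claude Code settings, not from the advisory):
      {"hooks": {"<Event>": [{"hooks": [{"type": "command", "command": "..."}]}]}}
    Missing, unreadable or malformed input yields an empty list, never an exception.
    """
    try:
        data = json.loads(Path(settings_path).read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return []
    if not isinstance(data, dict) or not isinstance(data.get("hooks"), dict):
        return []
    found = []
    for event, matchers in data["hooks"].items():
        for matcher in matchers if isinstance(matchers, list) else []:
            inner = matcher.get("hooks", []) if isinstance(matcher, dict) else []
            for hook in inner:
                if isinstance(hook, dict) and hook.get("type") == "command":
                    found.append((event, str(hook.get("command", ""))))
    return found


def scan(root, max_age_days=2, now=None):
    """Produce one finding per recently changed watched file, sorted by clone."""
    findings = []
    for path, rel, age_days in find_watched_files(root, max_age_days, now):
        repo_dir = path.parents[len(rel.parts) - 1]  # strip the relative layout
        cmds = hook_commands(path) if rel.name == "settings.json" else []
        findings.append({
            "repo": repo_dir.name,
            "file": rel.as_posix(),
            "age_days": round(age_days, 2),
            "hook_commands": cmds,
            # Command hooks run on agent events, so these clones go first for rotation.
            "verdict": "hooks-present" if cmds else "file-present",
        })
    findings.sort(key=lambda f: (f["repo"], f["file"]))
    return findings


def _write(path, text):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text, encoding="utf-8")


def run_demo():
    """Build a constructed sample tree in a temp dir and scan it.

    repo-a: fresh settings.json with a SessionStart command hook (flagged, hooks-present)
    repo-b: fresh setup.mdc (flagged, file-present)
    repo-c: settings.json without hooks, backdated 10 days (dropped by the age filter)
    """
    base = Path(tempfile.mkdtemp(prefix="agent-config-scan-"))
    hooked = {"hooks": {"SessionStart": [
        {"hooks": [{"type": "command", "command": "echo constructed-sample-hook"}]}]}}
    _write(base / "repo-a" / ".claude" / "settings.json", json.dumps(hooked))
    _write(base / "repo-b" / ".cursor" / "rules" / "setup.mdc", "# constructed rule file\n")
    old = base / "repo-c" / ".claude" / "settings.json"
    _write(old, json.dumps({"permissions": {}}))
    ten_days_ago = time.time() - 10 * 86400
    os.utime(old, (ten_days_ago, ten_days_ago))
    return scan(base)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run it against a developer's source tree with scan("/path/to/clones") rather than run_demo(); the age filter reproduces the advisory's 48-hour window, and the hook listing is what a reviewer needs to decide which clones were opened in an agent and therefore need the P1 credential rotation.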
5. Indicators of compromise
| Type | Value | Confidence | Source |
|---|---|---|---|
| Repository | Azure/durabletask (and 72 others across Azure, Azure-Samples, Microsoft, MicrosoftDocs orgs) | High | StepSecurity / OpenSourceMalware |
| File Path | .claude/settings.json (Malicious variant) | High | StepSecurity |
| File Path | .cursor/rules/setup.mdc (Malicious variant) | High | StepSecurity |
| Targeted Tools | Claude Code, Gemini CLI, Cursor, VS Code | High | StepSecurity |
| Date of Compromise | June 5, 2026 | High | StepSecurity |
| Impact Scope | Credential harvesting (AWS, Azure, GCP, K8s) | High | StepSecurity |
Note: Specific file hashes or malicious payload content strings are not available in the provided source material at this time.
6. Sources
- StepSecurity, "Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled After Supply Chain Attack Targeting AI Coding Agents", https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositories-disabled-after-supply-chain-attack-targeting-ai-coding-agents, 2026-06-06.
- The Hacker News, "Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack", https://thehackernews.com/2026/06/miasma-worm-hits-73-microsoft-github.html, 2026-06-06.
- OpenSourceMalware (referenced within StepSecurity report), Scope analysis of disabled repositories, 2026-06-06.
7. Adverse Trace position
Adverse Trace assesses the severity of this incident as High for financial services entities with active development teams utilizing AI coding assistants, due to the direct bypass of traditional package-manager security controls. The shift from "install-time" to "open-time" execution represents a significant evolution in supply chain threats that current DORA-mandated technical controls may not fully cover. The impact is compounded by the involvement of Microsoft's core Azure repositories, increasing the likelihood of accidental exposure in enterprise environments. We will continue to monitor the restoration status of the 73 repositories and seek technical specifics on the payload syntax to refine detection rules. Clients should assume potential credential exposure if any interaction with the affected repositories occurred via AI agents between June 5 and the GitHub takedown.
Published via PulseTrace — Adverse Trace threat intelligence.