Miasma: Open a Poisoned Repo with Claude Code, Lose Your Passwords
Microsoft pulled more than 70 of its own open source GitHub repos offline this week after attackers injected credential-stealing malware into the code. The malware has a name, Miasma, and a nasty trick: it's self-replicating, built on the open-sourced Mini Shai-Hulud codebase from a group called TeamPCP. Many of the hit projects were Azure tools and exactly the kind of repos developers open while coding with AI agents.
Here's the part that makes this a 2026 story and not a 2016 one. The moment a developer opens an infected repository using an AI coding tool, Claude Code, Gemini CLI, VS Code's agent, their credentials get stolen instantly. The agent does the reading, the agent has the access, and the agent walks right into the trap on your behalf. The attack surface isn't the human clicking a bad link anymore. It's the autonomous tool you pointed at a folder.
This is Microsoft's second breach in weeks. In mid-May their Durable Task project got hit too. And it rhymes with the PyTorch Lightning Shai-Hulud worm from May. Self-replicating credential stealers aimed at the AI dev supply chain are becoming a genre, not an incident.
The uncomfortable lesson: every capability we celebrate in coding agents, they read everything, they have your tokens, they act without asking, is also the exploit. As agents get more autonomous and more trusted, just open the repo and let it work becomes the single most dangerous sentence in software. Worth reading the full writeup. Link: https://techcrunch.com/2026/06/08/microsofts-open-source-tools-were-hacked-to-steal-passwords-of-ai-developers/
← Back to all articles
Here's the part that makes this a 2026 story and not a 2016 one. The moment a developer opens an infected repository using an AI coding tool, Claude Code, Gemini CLI, VS Code's agent, their credentials get stolen instantly. The agent does the reading, the agent has the access, and the agent walks right into the trap on your behalf. The attack surface isn't the human clicking a bad link anymore. It's the autonomous tool you pointed at a folder.
This is Microsoft's second breach in weeks. In mid-May their Durable Task project got hit too. And it rhymes with the PyTorch Lightning Shai-Hulud worm from May. Self-replicating credential stealers aimed at the AI dev supply chain are becoming a genre, not an incident.
The uncomfortable lesson: every capability we celebrate in coding agents, they read everything, they have your tokens, they act without asking, is also the exploit. As agents get more autonomous and more trusted, just open the repo and let it work becomes the single most dangerous sentence in software. Worth reading the full writeup. Link: https://techcrunch.com/2026/06/08/microsofts-open-source-tools-were-hacked-to-steal-passwords-of-ai-developers/
Comments