Supply Chain Security & Developer Infrastructure  ·  8 June 2026

You Opened It

The Miasma worm did not need you to run anything. It just needed you to look.
By Alan Wright  ·  The Haunted Lighthouse Limited  ·  Peel, Isle of Man

On 5 June 2026, GitHub disabled 73 Microsoft repositories in 105 seconds. They had been compromised by the Miasma worm -- a self-replicating credential harvester that had already eaten its way through npm, PyPI, and a clutch of Red Hat packages before landing in Azure/durabletask via a stolen contributor account.

The response was fast. The mechanism was primitive.

Here is what Miasma required of its victims: they opened a repository in their IDE.

Not npm install. Not pip install. Not executing a script, granting elevated permissions, or dismissing a security prompt. The dangerous act was the one developers perform a hundred times a week without a second thought. They opened a folder and looked at the code.


The trap in the folder

The attack worked by planting malicious configuration files inside hidden workspace directories -- .vscode/, .cursor/, and their equivalents for Claude Code and Gemini CLI. When the IDE opened the folder, the trap sprang. A malicious webview executed JavaScript, the Command Palette opened silently, and a background extension installed itself. No trust prompt. No warning. Just a clean lift of local OAuth tokens and a quiet enumeration of every private repository the developer had access to.

Then it moved on.


The mental model that no longer holds

There is a generation of developers whose mental model of supply chain risk was formed by event-stream, or the node-ipc protest-ware, or the endless stream of typosquatted packages with names one character off a legitimate dependency. The lesson those incidents taught was clear: be careful what you execute.

That lesson is no longer sufficient.

The dangerous moment used to be the install phase -- the explicit invitation for foreign code to run on your machine. Everything upstream felt safe. Reading a README. Browsing source. Cloning a repo to see how someone solved a problem.

Miasma broke that model. The dangerous moment is now the moment of look.

This is not a new paradigm. It is an old monster in a fresh hoodie -- the 2026 incarnation of the Microsoft Word macro virus. The underlying principle is identical: find an environment the user assumes is a passive viewing gallery, and exploit the fact that it is actually a highly automated engine room. The betrayal is deepened by design: we wanted the automation. We traded isolation for seamless context, and Miasma simply cashed the cheque. Workspace configuration files look like inert JSON. They are not.


The agentic amplifier

The compounding factor is the AI coding agent.

Claude Code, Cursor, Gemini CLI -- all three feature in StepSecurity's analysis as trigger environments for Miasma's payload. That is not a coincidence. These tools are explicitly designed to ingest entire workspace contexts, read local configurations, and act on them. That is their utility. It is also their attack surface.

An agentic tool with access to your credentials, your private repositories, and your cloud environments is a credential harvester's ideal target. The more capable the agent, the more devastating the compromise. Miasma did not need a zero-day in Claude Code or Cursor. It just needed to inherit their ambient authority.

Traditional IDEs exploit the developer's eyes; agents exploit the tool's automated hands. An agent does not merely look at .vscode/settings.json -- it reads, interprets, and inherits the permissions of the token state in order to help you. That helpfulness is the attack surface.

An agent that can read is an agent that can be read. An agent with write access and persistent tokens is an agent that hands over the keys the moment it glances at a hostile folder.


The discipline this demands

The discipline Miasma requires is uncomfortable because it cuts against the grain of modern development.

You cannot realistically sandbox every repository you inspect. The entire open-source ecosystem depends on a baseline of trust between contributor and consumer.

But that trust must now be conscious. Opening a repository is no longer a passive act -- it is a security decision. IDE configuration files deserve the same hostility we reserve for shell scripts. Agentic tools require tight credential scoping, not broader permissions. The "copilot not root" principle was already good practice; it is now a structural necessity.
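
One way to give workspace configuration that shell-script treatment is to inventory it from a terminal before any IDE or agent opens the clone. The script below is an added example, not code from this article or from StepSecurity's analysis. The .claude and .gemini directory names and the check for VS Code tasks declared to run on folder open are assumptions; the article does not say which files or keys Miasma used.

```python
import json
import os
import tempfile
from pathlib import Path

# .vscode/.cursor are named in the article; .claude/.gemini are assumed names.
WORKSPACE_DIRS = {".vscode", ".cursor", ".claude", ".gemini"}

def auto_run_tasks(path):
    """Labels of VS Code tasks set to run on folder open; None if unparseable."""
    try:
        doc = json.loads(Path(path).read_text(encoding="utf-8"))
    except (OSError, ValueError):  # JSONC comments, junk bytes, unreadable file
        return None
    tasks = doc.get("tasks") if isinstance(doc, dict) else None
    return [str(t.get("label", "<unnamed>"))
            for t in (tasks if isinstance(tasks, list) else [])
            if isinstance(t, dict) and isinstance(t.get("runOptions"), dict)
            and t["runOptions"].get("runOn") == "folderOpen"]

def audit_workspace(root):
    """List every file under a hidden workspace directory, at any depth."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not WORKSPACE_DIRS & set(Path(dirpath).relative_to(root).parts):
            continue
        for name in filenames:
            full = Path(dirpath, name)
            labels = auto_run_tasks(full) if name == "tasks.json" else []
            # Fail closed: a file we cannot parse is escalated, not ignored.
            verdict = ("unparseable, read by hand" if labels is None else
                       "runs on folder open: " + ", ".join(labels) if labels else
                       "review before opening")
            findings.append((str(full.relative_to(root)), verdict))
    return sorted(findings)

def demo():
    """Audit a constructed sample clone; every file body here is made up."""
    task = {"label": "build", "runOptions": {"runOn": "folderOpen"}}
    files = {"src/main.py": "print('hi')\n",
             ".cursor/notes.txt": "constructed\n",
             ".vscode/tasks.json": "// JSONC comment\n{}\n",
             "pkg/.vscode/tasks.json": json.dumps({"tasks": [task]})}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_text(body, encoding="utf-8")
        return audit_workspace(root)

if __name__ == "__main__": print(*demo(), sep="\n")
```

An empty result only means none of the listed directories exist in the clone; it says nothing about the rest of the repository.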

The Word macro era only ended when Office started blocking execution by default, forcing users to explicitly declare trust. It took a decade of corporate infections before the tooling caught up with the threat.

The question now is how many developer machines get hollowed out before the modern IDE imposes the same friction.

If Miasma's 105-second sprint through Azure is any indication, we are going to find out the hard way.


The Sovereign Auditor covers supply chain security, digital sovereignty, and infrastructure policy—with particular focus on Isle of Man jurisdiction and Crown Dependency issues.
