TL;DR

Wave 5 of the Miasma/Shai-Hulud worm family hit 73 Microsoft GitHub repositories (across the Azure, Azure-Samples, Microsoft, and MicrosoftDocs GitHub organizations) on 2026-06-05, plus 5 mantine-datatable repositories, via a compromised contributor's GitHub account. Unlike prior waves that spread through the npm registry, Wave 5 skips the registry entirely and plants a 4.3 MB payload runner directly into source repositories, wired to auto-execute via 5 developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test hook. Opening a poisoned repository in any of these tools triggers a full credential harvest — no npm install required.

What happened

On 2026-06-05, attackers leveraged a previously compromised contributor account (a credential stolen during the Phantom Gyp / binding.gyp wave 4 campaign from June 3–4) to push malicious commits to Microsoft's Azure/durabletask repository. GitHub subsequently disabled 73 repositories across four Microsoft GitHub organizations:

GitHub's automated detection disabled all 73 repositories within 105 seconds of the first suspicious commit — the fastest documented GitHub platform response to a supply-chain poisoning event. Despite the speed, the payload runner had already been cloned by an unknown number of developers before the lockdown. The targeting of Azure/durabletask specifically — a credential already exposed via Wave 4 (Phantom Gyp) — suggests the actor maintained a list of partially-rotated stolen tokens and systematically re-targeted accounts where credential rotation was incomplete.

  • Azure
  • Azure-Samples
  • Microsoft
  • MicrosoftDocs

Concurrently, the same actor pushed malicious commits to five repositories in the icflorescu namespace (author of mantine-datatable):

  • mantine-datatable
  • mantine-contextmenu
  • next-server-actions-parallel
  • mantine-datatable-v6
  • mantine-contextmenu-v6

Attack technique: "registry bypass" via GitHub source-repo poisoning

Miasma Wave 5 introduces a significant escalation over prior waves:

  • No npm registry involvement. Prior waves (Red Hat @redhat-cloud-services, Phantom Gyp/binding.gyp) published malicious npm packages. Wave 5 commits directly to the GitHub source repository — bypassing npm entirely and any registry-side protections (provenance checks, malware scanning).
  • Multi-tool auto-execution hooks. The malicious commit plants a 4.3 MB payload runner and wires it as an automatic execution hook for five developer tools: 1. Claude Code (.claude/ config / hooks) 2. Gemini CLI 3. Cursor (.cursor/ hooks) 4. VS Code (.vscode/tasks.json) 5. npm test script (package.json test hook)

Any developer who opens the compromised repository in any of these tools — without running npm install — will trigger the payload.

What the payload does

The payload is a lightly reskinned Miasma/Shai-Hulud descendant (Greek-mythology theming; same credential-targeting scope as prior waves):

  1. Credential harvesting: AWS/GCP/Azure IAM creds, Kubernetes configs (~/.kube/config), Docker credentials, GitHub tokens, npm tokens, SSH keys, RubyGems/PyPI publish tokens, password manager secrets, AI tool API keys.
  2. AI tool config targeting: specifically targets Claude Code settings, Cursor config, Gemini CLI config — the attacker-controlled repository files register themselves as trusted tool configurations.
  3. Self-propagation: uses stolen npm/GitHub tokens to publish poisoned versions of packages the victim maintains and to push to other repos the victim has write access to.
  4. GitHub Actions injection: plants .github/workflows/*.yml files for persistence — same base64 -d | bash pattern as Megalodon.

Vibe-coding-specific risk: AI-tool auto-execution

The most novel and dangerous capability of Wave 5 for vibe coders is the AI coding assistant trigger. When a developer with Claude Code, Cursor, or Gemini CLI opens a compromised repository:

  • The tool's session-start or project-open hook fires the payload runner
  • The developer never runs npm install — standard supply-chain hygiene (--ignore-scripts, lockfile integrity) is irrelevant
  • The attack requires only that the developer clone and open the repo

This is a direct extension of the technique first seen in TrapDoor (zero-width Unicode in .cursorrules/CLAUDE.md) and the binding.gyp wave's GitHub Actions injection, but now lands via a legitimate maintainer's own commit history (stolen GitHub account), making the commit appear trusted in git log.

Attribution / lineage

Wave 5 is confirmed Miasma-lineage (same payload, same Greek-mythology markers, same C2 patterns as Wave 3 — Red Hat and Wave 4 — Phantom Gyp). The credential chain is traceable: the compromised contributor account used for the Microsoft Azure commit was almost certainly a token stolen during Wave 4 or the earlier Megalodon / GlassWorm harvest.

Am I affected?

# Check if you have any of the compromised repos in your local clone list
git remote -v | grep -E "azure/durabletask|mantine-datatable|mantine-contextmenu|next-server-actions-parallel"

# Check for malicious .claude/ or .cursor/ config added since 2026-06-04
git log --since="2026-06-04" --all --oneline -- .claude/ .cursor/ .vscode/tasks.json package.json

# Check for the 4.3MB payload runner file (look for large unexpected JS files committed)
git log --since="2026-06-04" --all --diff-filter=A --name-only | grep -E "\.(js|mjs|cjs)$"

# Check for unexpected GitHub Actions workflows added
git log --since="2026-06-04" --all --oneline -- .github/workflows/

# Check AI tool config files for zero-width Unicode (TrapDoor technique)
grep -rP "[\x{200B}-\x{200D}\x{FEFF}\x{00AD}]" .claude/ .cursor/ .cursorrules CLAUDE.md 2>/dev/null

High risk if you: - Recently cloned or git pull'd from any Microsoft Azure, Azure-Samples, Microsoft, or MicrosoftDocs GitHub repo - Cloned or opened any mantine-datatable family repo after 2026-06-04 - Have an AI coding assistant (Claude Code, Cursor, Gemini CLI, VS Code) configured to auto-run hooks on project open - Maintain npm packages and had your GitHub token exposed in any prior Shai-Hulud/Miasma/Megalodon/GlassWorm wave

If you are affected

  1. Rotate all credentials reachable from the machine where you opened the compromised repo: GitHub tokens, npm tokens, cloud IAM keys, SSH keys, AI tool API keys.
  2. Audit .claude/, .cursor/, .vscode/tasks.json, CLAUDE.md, .cursorrules for unauthorized entries.
  3. Check GitHub Actions workflows for bot-authored single-file changes: git log --all --author="build-bot\|auto-ci\|pipeline-bot" --since="2026-06-01".
  4. Audit npm packages you maintain for unexpected versions published since 2026-06-04.
  5. See playbooks/if-you-installed-a-bad-npm-package.md — steps apply even without a postinstall hook, since the payload executes at project-open.

Prevention

  • Keep AI coding assistant hooks locked down. Never grant auto-execute permissions to session-start hooks for untrusted repositories. Review .claude/, .cursor/, .vscode/tasks.json, CLAUDE.md whenever you clone or pull from a new source.
  • Diff agent-config files on every git pullgit diff HEAD~1 .claude/ .cursor/ CLAUDE.md .cursorrules before opening the project in your AI tool.
  • Require signed commits on protected branches of your own repos. An unsigned commit from a contributor account on a security-sensitive file is a red flag.
  • Review workflow changes carefully. Any .github/workflows/*.yml change authored by a bot-named account or containing base64 -d | bash should be rejected immediately.
  • Pin GitHub Actions to commit SHA — see prevention/ci-cd-hardening.md.
  • Assume stolen credentials cascade. If your token appeared in any prior Miasma/GlassWorm/Megalodon wave, assume Wave 5 may already have used it.

2026-06-12 update — Microsoft repos restored

All 73 disabled Microsoft repositories have been restored following GitHub's investigation. As part of the probe, Microsoft notified a small number of customers who may have pulled content from the affected repositories during the brief compromise window. The investigation confirmed the attack was a Miasma-lineage variant (same payload family as Wave 4 Phantom Gyp); attribution to the same actor cluster is established. Status: contained. Developers who cloned or pulled from any of the affected repos between 2026-06-04 and 2026-06-05 should still rotate credentials.

Sources