Miasma Wave 5 — 73 Microsoft Azure GitHub repos + mantine-datatable compromised; payload auto-fires via Claude Code / Cursor / Gemini CLI (June 2026)
TL;DR
Wave 5 of the Miasma/Shai-Hulud worm family hit 73 Microsoft GitHub repositories (across the Azure, Azure-Samples, Microsoft, and MicrosoftDocs GitHub organizations) on 2026-06-05, plus 5 mantine-datatable repositories, via a compromised contributor's GitHub account. Unlike prior waves that spread through the npm registry, Wave 5 skips the registry entirely and plants a 4.3 MB payload runner directly into source repositories, wired to auto-execute via 5 developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test hook. Opening a poisoned repository in any of these tools triggers a full credential harvest — no npm install required.
What happened
On 2026-06-05, attackers leveraged a previously compromised contributor account (a credential stolen during the Phantom Gyp / binding.gyp wave 4 campaign from June 3–4) to push malicious commits to Microsoft's Azure/durabletask repository. GitHub subsequently disabled 73 repositories across four Microsoft GitHub organizations:
GitHub's automated detection disabled all 73 repositories within 105 seconds of the first suspicious commit — the fastest documented GitHub platform response to a supply-chain poisoning event. Despite the speed, the payload runner had already been cloned by an unknown number of developers before the lockdown. The targeting of
Azure/durabletaskspecifically — a credential already exposed via Wave 4 (Phantom Gyp) — suggests the actor maintained a list of partially-rotated stolen tokens and systematically re-targeted accounts where credential rotation was incomplete.
AzureAzure-SamplesMicrosoftMicrosoftDocs
Concurrently, the same actor pushed malicious commits to five repositories in the icflorescu namespace (author of mantine-datatable):
mantine-datatablemantine-contextmenunext-server-actions-parallelmantine-datatable-v6mantine-contextmenu-v6
Attack technique: "registry bypass" via GitHub source-repo poisoning
Miasma Wave 5 introduces a significant escalation over prior waves:
- No npm registry involvement. Prior waves (Red Hat @redhat-cloud-services, Phantom Gyp/binding.gyp) published malicious npm packages. Wave 5 commits directly to the GitHub source repository — bypassing npm entirely and any registry-side protections (provenance checks, malware scanning).
- Multi-tool auto-execution hooks. The malicious commit plants a 4.3 MB payload runner and wires it as an automatic execution hook for five developer tools:
1. Claude Code (
.claude/config / hooks) 2. Gemini CLI 3. Cursor (.cursor/hooks) 4. VS Code (.vscode/tasks.json) 5. npm test script (package.jsontest hook)
Any developer who opens the compromised repository in any of these tools — without running npm install — will trigger the payload.
What the payload does
The payload is a lightly reskinned Miasma/Shai-Hulud descendant (Greek-mythology theming; same credential-targeting scope as prior waves):
- Credential harvesting: AWS/GCP/Azure IAM creds, Kubernetes configs (
~/.kube/config), Docker credentials, GitHub tokens, npm tokens, SSH keys, RubyGems/PyPI publish tokens, password manager secrets, AI tool API keys. - AI tool config targeting: specifically targets Claude Code settings, Cursor config, Gemini CLI config — the attacker-controlled repository files register themselves as trusted tool configurations.
- Self-propagation: uses stolen npm/GitHub tokens to publish poisoned versions of packages the victim maintains and to push to other repos the victim has write access to.
- GitHub Actions injection: plants
.github/workflows/*.ymlfiles for persistence — samebase64 -d | bashpattern as Megalodon.
Vibe-coding-specific risk: AI-tool auto-execution
The most novel and dangerous capability of Wave 5 for vibe coders is the AI coding assistant trigger. When a developer with Claude Code, Cursor, or Gemini CLI opens a compromised repository:
- The tool's session-start or project-open hook fires the payload runner
- The developer never runs
npm install— standard supply-chain hygiene (--ignore-scripts, lockfile integrity) is irrelevant - The attack requires only that the developer clone and open the repo
This is a direct extension of the technique first seen in TrapDoor (zero-width Unicode in .cursorrules/CLAUDE.md) and the binding.gyp wave's GitHub Actions injection, but now lands via a legitimate maintainer's own commit history (stolen GitHub account), making the commit appear trusted in git log.
Attribution / lineage
Wave 5 is confirmed Miasma-lineage (same payload, same Greek-mythology markers, same C2 patterns as Wave 3 — Red Hat and Wave 4 — Phantom Gyp). The credential chain is traceable: the compromised contributor account used for the Microsoft Azure commit was almost certainly a token stolen during Wave 4 or the earlier Megalodon / GlassWorm harvest.
Am I affected?
# Check if you have any of the compromised repos in your local clone list
git remote -v | grep -E "azure/durabletask|mantine-datatable|mantine-contextmenu|next-server-actions-parallel"
# Check for malicious .claude/ or .cursor/ config added since 2026-06-04
git log --since="2026-06-04" --all --oneline -- .claude/ .cursor/ .vscode/tasks.json package.json
# Check for the 4.3MB payload runner file (look for large unexpected JS files committed)
git log --since="2026-06-04" --all --diff-filter=A --name-only | grep -E "\.(js|mjs|cjs)$"
# Check for unexpected GitHub Actions workflows added
git log --since="2026-06-04" --all --oneline -- .github/workflows/
# Check AI tool config files for zero-width Unicode (TrapDoor technique)
grep -rP "[\x{200B}-\x{200D}\x{FEFF}\x{00AD}]" .claude/ .cursor/ .cursorrules CLAUDE.md 2>/dev/null
High risk if you:
- Recently cloned or git pull'd from any Microsoft Azure, Azure-Samples, Microsoft, or MicrosoftDocs GitHub repo
- Cloned or opened any mantine-datatable family repo after 2026-06-04
- Have an AI coding assistant (Claude Code, Cursor, Gemini CLI, VS Code) configured to auto-run hooks on project open
- Maintain npm packages and had your GitHub token exposed in any prior Shai-Hulud/Miasma/Megalodon/GlassWorm wave
If you are affected
- Rotate all credentials reachable from the machine where you opened the compromised repo: GitHub tokens, npm tokens, cloud IAM keys, SSH keys, AI tool API keys.
- Audit
.claude/,.cursor/,.vscode/tasks.json,CLAUDE.md,.cursorrulesfor unauthorized entries. - Check GitHub Actions workflows for bot-authored single-file changes:
git log --all --author="build-bot\|auto-ci\|pipeline-bot" --since="2026-06-01". - Audit npm packages you maintain for unexpected versions published since 2026-06-04.
- See playbooks/if-you-installed-a-bad-npm-package.md — steps apply even without a postinstall hook, since the payload executes at project-open.
Prevention
- Keep AI coding assistant hooks locked down. Never grant auto-execute permissions to session-start hooks for untrusted repositories. Review
.claude/,.cursor/,.vscode/tasks.json,CLAUDE.mdwhenever you clone or pull from a new source. - Diff agent-config files on every
git pull—git diff HEAD~1 .claude/ .cursor/ CLAUDE.md .cursorrulesbefore opening the project in your AI tool. - Require signed commits on protected branches of your own repos. An unsigned commit from a contributor account on a security-sensitive file is a red flag.
- Review workflow changes carefully. Any
.github/workflows/*.ymlchange authored by a bot-named account or containingbase64 -d | bashshould be rejected immediately. - Pin GitHub Actions to commit SHA — see prevention/ci-cd-hardening.md.
- Assume stolen credentials cascade. If your token appeared in any prior Miasma/GlassWorm/Megalodon wave, assume Wave 5 may already have used it.
2026-06-12 update — Microsoft repos restored
All 73 disabled Microsoft repositories have been restored following GitHub's investigation. As part of the probe, Microsoft notified a small number of customers who may have pulled content from the affected repositories during the brief compromise window. The investigation confirmed the attack was a Miasma-lineage variant (same payload family as Wave 4 Phantom Gyp); attribution to the same actor cluster is established. Status: contained. Developers who cloned or pulled from any of the affected repos between 2026-06-04 and 2026-06-05 should still rotate credentials.
- The Hacker News — "Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues" — restoration timeline, customer notification detail.
- TechCrunch — "Microsoft's open source tools were hacked to steal passwords of AI developers" — broader context: Azure and AI-dev tools specifically targeted; attacker intent was credentials for Claude Code / Gemini CLI users.
Sources
- The Hacker News — "Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack" — primary disclosure; 73-repo count, 4-org breakdown, AI-tool trigger detail.
- The Hacker News — "IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks" — registry-bypass technique, mantine-datatable repos.
- StepSecurity — "Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp" — payload runner mechanics, 5-tool auto-exec hooks, IOC list.
- Snyk — "Node-gyp Supply Chain Compromise" — Wave 4/5 scope, Miasma lineage, affected package tracking.
- Snyk Vulnerability DB — Embedded Malicious Code in weavedb-sdk (SNYK-JS-WEAVEDBSDK-17146541) — specific malicious version IOC.
- Cross-reference: 2026-06-phantom-gyp-miasma-wave4.md — Wave 4 (binding.gyp) from which the compromised contributor credentials originated.
- Cross-reference: 2026-06-miasma-redhat-cloud-services-compromise.md — Wave 3 (Red Hat @redhat-cloud-services).
- Cross-reference: 2026-05-megalodon-github-actions-mass-campaign.md — Megalodon GitHub Actions injection; same
.github/workflows/*.ymlbase64-bash payload shape. - Cross-reference: 2025-10-glassworm-vscode-worm.md — GlassWorm credential harvest that almost certainly fed the contributor-token pool exploited here.
- The Register — "GitHub pulls plug on 73 Microsoft repos in 105 seconds after supply-chain attack detected" (2026-06-08) — 105-second automated response detail; partial-rotation re-targeting analysis.