WayToClawEarn
High impact · Sources: Microsoft Threat Intelligence, CSA, The Register

Miasma Worm Targets AI Coding Tools — Here's What to Do

Self-replicating npm worms Miasma and IronWorm explicitly target AI coding tool users. They steal CI secrets and spread via stolen tokens. Here's how to protect your workflow.

June 29, 2026 · About 5 min read

TL;DR

If you're using AI coding tools like Claude Code, Cursor, or Copilot to generate npm dependencies, there's a new threat you need to know about: self-replicating supply chain worms that explicitly target AI coding tool users. On June 24, 2026, the Miasma worm campaign poisoned 20+ Leo Platform npm packages in a sub-three-second burst — and its payload hunts for developer secrets by reading CI runner memory. It's the first documented case of supply chain malware designed to exploit the trust relationship between developers and their AI coding assistants.

What Happened

On June 24, 2026, attackers compromised the npm maintainer account "czirker" and used it to publish poisoned updates to more than 20 packages in the Leo Platform and RStreams ecosystems. The key detail: all malicious versions were published in a coordinated burst lasting less than three seconds — automated tooling, not manual effort.

Microsoft Threat Intelligence confirmed the attack in a public post. The Cloud Security Alliance (CSA) published a research note identifying two distinct worm strains: Miasma (also tracked as Shai-Hulud) and IronWorm. Both are self-replicating: once installed, the worm searches the victim's machine for additional npm tokens and GitHub credentials, then uses them to publish infected versions of other packages the victim maintains.

The worm hides its install hook inside binding.gyp, the build description that node-gyp processes. npm treats a package that ships a binding.gyp and declares no install or preinstall script of its own as a native addon and runs node-gyp rebuild as the default install step, so the payload executes during installation without any script appearing in package.json. Scanners that only inspect the scripts field see nothing to flag. The usual control still applies: installing with --ignore-scripts (or ignore-scripts=true in .npmrc) suppresses lifecycle scripts, including this implicit one, at the cost of having to build genuine native addons explicitly.

Why AI Coding Tools Are the Attack Surface

This is not a generic npm supply chain attack. The CSA research note describes the worms as "explicitly targeting developer AI coding tool" users. Three reasons why:

1. AI-generated dependency chains are harder to audit. When Claude Code or Copilot suggests npm install some-package, the developer often accepts it without checking the package's maintainer history, recent commits, or download trends. The speed of AI-assisted development creates a trust gap.

2. AI coding tools hold high-value tokens. Claude Code, Cursor, and Copilot all require API keys, GitHub tokens, or session credentials with broad repository access. A worm that steals these credentials can pivot to compromising dozens or hundreds of repositories in minutes — exactly what Miasma does.

3. AI agents run in CI/CD environments. Many teams now use AI coding agents inside GitHub Actions, GitLab CI, or custom build pipelines. These environments hold masked secrets (AWS keys, database URLs, deployment tokens) in memory. Miasma specifically reads CI runner memory to extract these secrets, then exfiltrates them through the victim's own GitHub token — a technique that defeats standard egress blocklists.

The attack chain: an AI coding tool suggests a dependency → the developer installs it → the worm activates during build → it steals tokens from the environment → it uses those tokens to publish more infected packages → the cycle repeats.

How Miasma Beats Standard Defenses

binding.gyp hook: By placing the payload in a native build configuration file rather than a JavaScript install script, the worm slips past the checks most teams rely on. npm audit only matches installed packages against known advisories, and Socket.dev-style static analysis that keys on install scripts in package.json sees no script to flag.

Exfiltration via the victim's own GitHub token: Instead of phoning home to an attacker-controlled server (which egress monitoring would catch), Miasma creates a private gist or pushes to a hidden repo using the stolen GitHub token. Network monitoring sees ordinary GitHub API traffic, not a data breach. The place to look is the token's own activity: GitHub's security or audit log for the token owner, and the account's gists and repositories, will show objects the victim never created.

CI memory scraping: The worm reads /proc/self/environ (the environment block of the running process) and CI-specific environment variable stores to extract masked secrets. Masking on CI platforms redacts secret values in log output only; inside the job, secrets injected as environment variables sit in plaintext in the environment of every process the job spawns, including npm's install scripts and node-gyp.

Dependabot impersonation: The attacker pushed weaponized GitHub Actions workflows disguised as Dependabot pull requests to at least three repositories. Developers who merge "automated dependency updates" from a familiar bot are actually granting the attacker workflow execution permissions.

What Developers Should Do Now

Immediate Actions (Today)

  1. Audit your Leo Platform dependencies. If your project uses any package from the @leoplatform or @rstreams namespace, check the installed version (from the lockfile, not just package.json) against known-compromised lists. Poisoned packages were published on June 24 between approximately 14:00-14:05 UTC; npm view <pkg> time --json lists the publish timestamp of every version, so any installed version stamped inside that window needs attention.

  2. Rotate tokens. If you've run npm install on any project that pulls Leo Platform packages since June 24, revoke and reissue your npm token, your GitHub personal access token, and any CI/CD secrets that were accessible in the same environment. Revoke the old values rather than just issuing new ones, since the worm exfiltrates through the tokens it already holds.

  3. Check your GitHub Actions workflows. Look for any unexpected Dependabot PRs merged since June 24, especially ones that modify workflow YAML files or add new secrets.

Process Changes (This Week)

  1. Add a "pause and verify" step before installing AI-suggested dependencies. Before running npm install on a package suggested by an AI coding tool, manually check: (a) when the last version was published, (b) the maintainer's npm profile age and activity, (c) whether the package has recent suspicious version bumps.

  2. Pin dependencies in AI-assisted projects. Use exact version pins ("1.2.3" not "^1.2.3") and commit lockfiles; npm config set save-exact true makes npm install write exact versions, and npm ci in CI installs exactly what the lockfile records instead of resolving ranges again. Configure AI tools to output exact versions when suggesting dependency additions.

  3. Enable branch protection on repositories used with AI coding tools. Require pull request reviews for any changes to package.json, package-lock.json, .github/workflows/, and binding.gyp files — even from Dependabot.

Architectural Changes (Long-Term)

  1. Sandbox AI coding agents in CI. If you run AI coding tools in CI/CD, use ephemeral environments with read-only filesystem mounts, no access to production secrets, and the narrowest job token permissions the platform supports (the permissions key in GitHub Actions, for example), so a compromised dependency cannot reach deployment credentials or push workflow changes.

  2. Implement package allowlists for AI-assisted development. Maintain a curated list of trusted packages and versions. Configure your AI coding tool to only suggest packages from this list. Tools like Socket.dev and Snyk can help build and maintain such lists.

Bottom Line

The Miasma worm represents a category shift in supply chain attacks: malware designed specifically for the AI-assisted development workflow. It exploits the speed-trust tradeoff that every developer using AI coding tools implicitly accepts — that suggested dependencies are safe enough to install without manual review. As of June 26, the campaign is still active. The fix isn't to stop using AI coding tools; it's to add verification steps between "AI suggests a dependency" and "you install it."

Tags: npm, supply-chain, security, claude, cursor, copilot, coding
Disclaimer: The case studies on this site are knowledge-sharing content for inspiration and reference only and do not constitute a promise of earnings; you are responsible for judging and bearing the consequences of any external actions taken on the basis of them.