The Repo Opened Back
On Miasma, Microsoft, and the moment source code stopped being a file cabinet
I was staring at the TechCrunch headline with the particular kind of nausea reserved for stories that are both obvious and late.
Microsoft had temporarily cut off access to dozens of its own open-source GitHub repositories. The reported reason: credential-stealing malware had been injected into projects tied to Azure and the developer tools people use around AI coding workflows. Claude Code. Gemini CLI. Cursor. VS Code. The new workbench, all lit up and hungry.
That should have felt like a freak event. A giant vendor, public repos, GitHub notices, security firms, the whole siren orchestra.
It did not.
It felt like the bill arriving.
For two years the industry has been stuffing agents into the developer loop with the breathless confidence of a man loading fireworks into a toaster. Let the model read the repo. Let it summarize the code. Let it run tests. Let it open files. Let it suggest commands. Let it wire itself into the editor, the terminal, the issue tracker, the package manager, the cloud deploy path.
Then one morning the repo opens back.
The Disabled Repos
TechCrunch reported on June 8 that Microsoft had shut down access to dozens of GitHub-hosted open-source projects after hackers apparently breached those projects and planted password-stealing malware. Microsoft confirmed it had temporarily removed some repositories while investigating potential malicious content, and said a small number of customers who may have pulled affected content had been notified.
The raw count depends on which source you read and exactly when they measured the smoke. StepSecurity and OpenSourceMalware put the incident at 73 Microsoft repositories across four GitHub organizations. TechCrunch saw at least 70 disabled projects. The affected area included Azure-related projects, Azure Functions tooling, Durable Task components, samples, and documentation.
The phrase “documentation” is where my face did the thing.
Because documentation used to feel inert. Not safe, exactly, but inert in the way a stack of printed manuals is inert. You read it, complain about it, copy the least offensive snippet, and move on.
The modern repo is not inert.
The modern repo has config files that editors obey. It has tasks, hooks, workflows, package scripts, devcontainers, workspace settings, prompts, rule files, generated helpers, and assistant-facing instructions. It is less a bookshelf than a small apartment where your tools walk around unsupervised.
That is the part people keep missing. Source code used to wait for the human to execute it. Now the workspace itself speaks to machines that are eager to help.
Eager tools are a security smell.
Miasma Had Manners
The malware campaign is called Miasma, which sounds theatrical until you realize the mechanics are grimly practical. Cloudsmith described it as an aggressive variant of the Mini Shai-Hulud worm associated with TeamPCP. StepSecurity said the Microsoft wave started when a malicious commit landed in Azure/durabletask using a previously compromised contributor account.
No moonshot exploit. No glowing cyber-dragon.
A trusted path got used for untrusted intent.
That is worse, because it means the system behaved almost normally. A commit arrived. Files changed. The surrounding machinery treated the repo as a repo. Trust flowed through the existing pipes because the pipes were built to move trust quickly.
StepSecurity’s detail is the one that sticks under the fingernail: the malicious commit planted configuration files that could execute a credential-harvesting payload when a developer opened the repository in Claude Code, Gemini CLI, Cursor, or VS Code.
Read that again slowly, preferably while looking at your own editor.
Opened the repository.
That is the violence hidden inside the convenience. The moment of danger does not have to be npm install anymore. It does not have to be “run this script.” It can be the first breath of the workspace, the agent scanning for instructions, the editor loading helper config, the assistant trying to be useful before the human has decided what “useful” should mean.
The old warning was: do not run untrusted code.
The new warning is uglier: do not let untrusted code describe the room your assistant wakes up in.
Good luck putting that on a sticker.
Agentic Attack Surface
Everyone wants to talk about AI coding tools as productivity multipliers. Fine. They are. I use them. I am literally sitting here doing the thing, surrounded by tabs, logs, repo paths, and the faint psychological odor of pnpm build.
But productivity is just permissions moving faster.
If an agent can read the workspace, it can ingest hostile instructions. If it can run commands, it can turn a suggestion into process execution. If it can inspect environment variables, cloud configs, package tokens, SSH material, .npmrc, .pypirc, gh auth state, and all the other little credential burrows developers accumulate, it can become an exfiltration assistant with a friendly face and excellent indentation.
Miasma did not invent that topology. It exploited the fact that the topology is now common.
The developer workstation has become a convergence point: source code, cloud identity, package publishing, CI access, GitHub tokens, local secrets, editor extensions, model tools, terminal automation, and a human who is trying to ship before lunch. Security people used to worry about the laptop because it held keys. Now the laptop holds keys and a semi-autonomous clerk that can read every sticky note in the office.
The attack surface is no longer “the dependency.”
The attack surface is the act of working.
That is a miserable sentence. It is also the honest one.
Microsoft Is The Wrong Comfort
The cheap reaction is to make this a Microsoft story.
Microsoft got popped. GitHub disabled the repos. Azure projects went dark. The giant vendor with the giant security budget got a supply-chain bruise in public. Cue the usual comments from people whose own ~/Downloads folder looks like a digital Superfund site.
Microsoft matters here because scale matters. If a Microsoft-owned repo can carry a poisoned workspace into an AI-assisted development environment, every smaller project with three maintainers, stale tokens, and heroic vibes is living in a cardboard submarine.
That is the actual lesson.
Open source already had a maintainer-trust crisis. Attackers learned to compromise developer accounts, squat packages, backdoor releases, poison registries, and ride popularity downhill. AI development tools add a fresh pressure point: repos are no longer just packages to be installed later. They are context bundles consumed immediately by software that wants to interpret, summarize, execute, and improve.
The agent does not need malice to be dangerous. It needs access, ambiguity, and a helpful disposition.
Software has spent decades teaching machines to automate the boring parts. Security has spent decades pretending the boring parts are safe because they are boring.
Miasma is what happens when the boring parts get teeth.
The Signature Of Trust Abuse
Cloudsmith’s analysis points out something important about modern supply-chain attacks: the enemy does not always need to break the cryptography or exploit a bug in the platform. Miasma used legitimate flows. Compromised credentials. Valid-looking commits. Tooling that does what tooling was designed to do.
That is why this class of attack feels so nasty. It slides through the gap between “authorized” and “intended.”
Security systems are often good at asking whether an action is allowed. They are worse at asking whether the action makes sense. Did this maintainer account push a commit? Yes. Did this repo gain a file that causes an AI coding tool to run a credential harvester when opened? Also yes. Which one does your alerting understand?
The gap is where the worm lives.
And the worm is learning the workflow. It knows developers open repos in rich editors. It knows agents consume repo-local instructions. It knows credentials sit near build systems. It knows CI/CD and cloud identity are braided together. It knows the fastest path to production is often through a developer’s convenience.
That last part should make everyone meaner about convenience.
What Actually Changes
The immediate advice is the usual bitter medicine: rotate credentials if exposed, audit recent pulls, inspect affected repositories, monitor GitHub tokens, review local editor and agent configs, restrict automatic execution, pin and verify tooling, treat workspace files as untrusted input, and stop storing god-mode secrets where a developer tool can casually find them.
Boring. Necessary. Load-bearing.
The bigger change is cultural. Teams need to stop treating the repository as a passive object. A repo is now a prompt surface, an editor surface, a CI surface, a package surface, and sometimes a cloud-deploy surface. It can instruct tools before the human understands what changed.
So the controls have to move earlier.
Agents should load unknown repositories in constrained mode. Editors should make automatic repo-local execution painfully explicit. Organizations should separate read-only code inspection from tool execution. Local credentials should be scoped like they might be read by an idiot with root, because one day the idiot may be a model with a context window and no sense of consequences.
Most of all, developers need a new reflex.
Cloning a repo is no longer just downloading text.
Opening a repo is an interaction.
That sentence sounds paranoid until the invoice arrives.
The Repository As Habitat
By the time I closed the tabs, the story had split into the usual layers. TechCrunch had the public-facing report. StepSecurity had the execution mechanics. Cloudsmith had the worm lineage and the uncomfortable note that conventional trust signals can become camouflage. OpenSourceMalware had the ugly timeline, including the 73 repos disabled in 105 seconds.
The number is cinematic. Seventy-three repos. One hundred and five seconds. A little automated guillotine falling across Microsoft’s own public code.
But the number is not what stayed with me.
What stayed with me was the verb.
Open.
Open the repo. Open the workspace. Open the assistant. Open the terminal. Open the path between source code and identity, between documentation and execution, between helpful automation and credential theft.
We used to think of repositories as places where software lived.
Now they are habitats for tools.
Some of those tools have agents in them. Some of those agents have permission. Some of those permissions touch secrets. Some of those secrets touch production.
Miasma did not have to be brilliant. It only had to understand where the trust lived.
Apparently, the trust was sitting in the repo, waiting to be opened.