Your Claude Code agent just opened a package. The package is signed by Microsoft. The SLSA provenance checks out. The package has malware. Your cloud credentials are gone.

For the second time in two weeks, attackers compromised a verified Microsoft GitHub publishing account. This time they laced 73 open-source packages with Miasma, a credential-stealing malware that triggers automatically when an AI coding agent opens it. The same Microsoft account had been breached in mid-May on a package with 400,000 monthly downloads. The malware steals AWS, Azure, GCP, Kubernetes, password manager, and OIDC token credentials, then spreads laterally through cloud infrastructure. But here is what makes it different from every other supply chain attack we have seen: it does not need to trick a human. It exploits the trust model of a machine.

Your Claude Code, Cursor, or Copilot agent just became your biggest attack surface.

Miasma represents a new class of supply chain attack specifically engineered for AI coding agents. Unlike traditional malware that targets human developers via social engineering, Miasma targets the agent's automatic execution loop: it trusts cryptographically verified provenance (SLSA attestation), opens compromised packages during analysis or installation, and executes malicious payloads with elevated cloud credentials. The agent trusts what the human cannot verify. This is not a bug in the packages. It is a structural vulnerability in how AI agents interact with the software supply chain.

The Attack: How Miasma Works

The timeline is brutal. The same Microsoft GitHub publishing account was breached twice in two months. In mid-May, attackers hit the durabletask Python SDK, a package pulling 400,000 downloads per month. In early June, the threat actor TeamPCP compromised 73 additional packages under the same account, injecting a 28KB credential stealer that targets over 90 developer tool configurations.

The payload is surgical. Miasma harvests credentials from AWS, Azure, GCP, Kubernetes clusters, password managers, and OIDC tokens used in SLSA provenance attestation. But the real innovation is in the delivery. Miasma generates a uniquely encrypted payload for each infection, meaning every compromised machine receives a different file hash. Standard hash-based detection, the backbone of most malware scanners, is useless against it. Your security tool sees a new file every time, and your allowlist sees nothing wrong because the provenance is still cryptographically signed.

The OIDC token theft is the most insidious part. SLSA (Supply-chain Levels for Software Artifacts) was designed to prove packages have not been tampered with. Attackers hijacked the proof mechanism itself. When an agent verifies SLSA attestation, it exchanges an OIDC token with the signing infrastructure. Miasma steals that token during the exchange, turning the verification you trust into the compromise vector itself.

Once it has credentials, Miasma spreads laterally. One infected agent becomes a beachhead. It moves through cloud infrastructure to other machines, stealing more keys, accessing more resources. The fact that the same Microsoft account was compromised a second time suggests either incomplete credential remediation after the first breach, or ongoing lateral credential theft through other infected machines. The first attack was not fully contained. It was a foothold.

Why AI Agents Are Uniquely Vulnerable

Human developers get suspicious. They read release notes. They check contributor profiles. They hesitate before running pip install on a package they do not recognize. AI agents do not have skepticism. They have trust models.

When Claude Code analyzes a codebase, it opens dependencies to understand how they work. When Cursor suggests a library, it reads the package contents. When Copilot installs a tool chain, it executes the setup script. These actions happen automatically, without a dialog box asking "Are you sure?" The agent assumes that a cryptographically verified package is safe, because that is what the verification was built to mean.

The credential problem makes this exponentially worse. AI coding agents do not run with a single SSH key. They run with the full suite: AWS API keys, Azure service principals, GCP service accounts, Kubernetes kubeconfigs, GitHub personal access tokens, and OIDC tokens for CI/CD pipelines. Often these credentials are broader than any individual developer's access, because the agent needs to read across repositories, deploy to multiple environments, and query cloud APIs. The agent has the keys to production, and it is downloading packages right now.

The speed and scale compound the exposure. A human might review five dependencies in a day. An agent scans dozens per session. One infected package does not hit one developer. It hits thousands of agents simultaneously. The attack surface is not a person. It is a network of automated processes with elevated privileges and no judgment.

The Structural Failure: SLSA Provenance as Weapon

SLSA was built to solve a real problem. Software supply chains are complex. Packages pass through multiple hands before they reach a developer. SLSA attestation cryptographically verifies that a package was built from a specific source, by a specific process, and has not been modified since. It was supposed to be the trust anchor.

Miasma turns that anchor into a weapon. The Microsoft GitHub account that published these packages was compromised at the source. The packages themselves were signed with legitimate credentials. The SLSA attestation verified them as authentic Microsoft artifacts. The verification mechanism worked exactly as designed. It just verified malware.

[Figure: Miasma OIDC token theft chain. An AI coding agent's SLSA provenance verification leaks credentials to attackers through compromised Microsoft-signed packages.]
The agent verifies the package. The verification leaks the token. The attacker signs more malware. The loop feeds itself.

The OIDC token theft during provenance verification creates a cascade failure. The agent verifies the package, the verification process leaks the token, the attacker uses the stolen token to sign more malicious packages, and those packages also pass verification. The loop feeds itself. The mechanism designed to prevent tampering becomes the mechanism that enables it.

The repeated breach of the same Microsoft account points to a deeper problem. Either the first compromise was not fully remediated (credentials were not rotated, access was not revoked), or the lateral spread from the first attack provided the access needed for the second. Both scenarios point to the same conclusion: our supply chain recovery processes are not designed for attacks that move through automated agents. We patch the human systems. The machine systems keep bleeding.

Defenses That Actually Work

The good news is that the attack surface is specific, and the defenses are implementable this week.

Package allowlisting is the first line. Agents should only install from explicitly approved sources, not "anything with good provenance." Provenance verifies origin. It does not verify intent. A verified Microsoft package that has been compromised at the source is still a verified package. Allowlisting by repository, by maintainer, and by specific version creates a smaller target than trusting the entire signed ecosystem.

Agent sandboxing is non-negotiable. Run AI coding agents in isolated environments without cloud credentials. The agent that reads code should not be the agent that deploys to production. Separate the analysis environment from the deployment environment. If the analysis agent gets compromised, it has nothing to steal.
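What "an isolated environment without cloud credentials" looks like at the process level, as an added example that is not PhantomByte's code or any agent vendor's tooling: a launcher that drops credential-bearing environment variables by pattern, points HOME at an empty directory, refuses to start if the usual credential files are still reachable, and only then spawns the analysis agent. The variable names and file paths are the common defaults for the tools the article names; the agent command is a placeholder, and the environment scrub is one layer, not a substitute for a container or VM boundary.

```python
"""Launch an analysis agent in a credential-free environment.

Added example (not PhantomByte's code or any agent vendor's). The agent
command used below is a placeholder; the environment variable families and
credential file paths are the common defaults for AWS, Azure, GCP,
Kubernetes, GitHub and OIDC-in-CI tooling.
"""
import os
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Environment variables that carry cloud, cluster, repo or OIDC credentials.
# Prefix matches catch whole families (AWS_*, AZURE_*, ARM_*, ...); the
# generic suffix match errs on the side of dropping too much rather than
# too little, because the analysis agent should not need any of them.
CREDENTIAL_ENV_RE = re.compile(
    r"^(AWS_|AZURE_|ARM_|GOOGLE_|GCLOUD_|CLOUDSDK_|KUBECONFIG"
    r"|ACTIONS_ID_TOKEN_REQUEST_|.*(SECRET|TOKEN|API_KEY|PASSWORD|CREDENTIALS).*)"
)

# Credential material an agent's HOME must not contain (files or directories).
CREDENTIAL_FILES = (
    ".aws/credentials", ".aws/config", ".azure", ".config/gcloud",
    ".kube/config", ".docker/config.json", ".netrc", ".git-credentials", ".ssh",
)


def scrub_env(env: Dict[str, str], home: str) -> Dict[str, str]:
    """Return a copy of env without credential variables and with HOME rehomed."""
    clean = {k: v for k, v in env.items() if not CREDENTIAL_ENV_RE.match(k)}
    clean["HOME"] = home
    # Tools fall back to XDG_CONFIG_HOME for their config dirs; do not let the
    # sandboxed process discover the real one through it.
    clean.pop("XDG_CONFIG_HOME", None)
    return clean


def find_credential_files(home: str) -> List[str]:
    """List which of the known credential paths exist under the given HOME."""
    base = Path(home)
    return [rel for rel in CREDENTIAL_FILES if (base / rel).exists()]


def launch_analysis_agent(cmd: List[str],
                          env: Optional[Dict[str, str]] = None) -> subprocess.CompletedProcess:
    """Run the agent with a scrubbed environment and an empty HOME, or refuse."""
    source_env = dict(os.environ if env is None else env)
    sandbox_home = tempfile.mkdtemp(prefix="agent-home-")
    clean_env = scrub_env(source_env, sandbox_home)
    leftovers = find_credential_files(sandbox_home)
    if leftovers:
        raise RuntimeError(f"sandbox HOME still exposes credentials: {leftovers}")
    # The env scrub is one layer. In a real deployment the process also runs in
    # a container or VM with no cloud metadata endpoint and no host mounts.
    return subprocess.run(cmd, env=clean_env, cwd=sandbox_home,
                          check=False, capture_output=True, text=True)


if __name__ == "__main__":
    import sys
    # Show what the agent *would* have been able to read from the real HOME.
    print("credential paths visible from the real HOME:",
          find_credential_files(os.path.expanduser("~")))
    # Placeholder agent: a Python one-liner standing in for the real agent binary.
    result = launch_analysis_agent([
        sys.executable, "-c",
        "import os; print('HOME =', os.environ['HOME']); "
        "print('AWS vars present:', any(k.startswith('AWS_') for k in os.environ))",
    ])
    print(result.stdout, end="")
```

The scrub runs before the agent starts, so there is no window in which the agent process ever holds the keys; the deploy step that does need them runs as a separate process with its own, narrower environment.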

Content verification before consumption means inspecting package contents, not just signatures. Static analysis of the actual code, behavior monitoring during installation, and dynamic analysis in a sandbox can catch payloads that pass signature verification. The signature tells you where the package came from. The content tells you what it does.
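An admission gate that puts the two preceding defenses together, allowlisting and content inspection, as an added example rather than code from PhantomByte or from any of the projects named above. It admits a package only when the exact name and version are on an internal allowlist, the provenance names the source repository the allowlist expects, and a scan of the package files finds no combination of dynamic execution, network I/O and credential-store access. The allowlist entry, repository, version and file contents are constructed placeholders, and the two sample packages both carry provenance that passes, which is precisely the situation the article describes: the signature is fine, the content is not.

```python
"""Dependency admission gate for an AI coding agent.

Added example, not PhantomByte's code or the tooling of any project named
in the article. Package names, versions, repositories and file contents
below are constructed placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed allowlist: one exact version from one expected source.
# "Signed by a known publisher" is deliberately not a criterion; a hijacked
# publisher account still produces validly signed, validly attested packages.
ALLOWLIST = {
    ("durabletask", "1.2.3"): {"source_repo": "github.com/example-org/durabletask"},
}

# Indicators worth a human look. A credential-store reference is the strongest
# signal on its own; execution plus network I/O is flagged as a pair.
EXEC_RE = re.compile(r"\b(subprocess|os\.system|exec\(|eval\(|b64decode|marshal\.loads)")
NET_RE = re.compile(r"\b(urlopen|requests\.(post|put)|socket\.socket|http\.client)")
CRED_RE = re.compile(
    r"(\.aws/credentials|\.kube/config|\.azure/|application_default_credentials"
    r"|AWS_SECRET_ACCESS_KEY|AZURE_CLIENT_SECRET|GOOGLE_APPLICATION_CREDENTIALS"
    r"|ACTIONS_ID_TOKEN_REQUEST)"
)
INSTALL_HOOKS = ("setup.py", ".pth")  # code that runs at install or import time


@dataclass
class Verdict:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def check_allowlist(name: str, version: str, provenance: Dict[str, str]) -> List[str]:
    """Check provenance *against the allowlist*, not merely for validity."""
    entry = ALLOWLIST.get((name, version))
    if entry is None:
        return [f"{name}=={version} is not on the allowlist"]
    if provenance.get("source_repo") != entry["source_repo"]:
        return [f"{name}=={version}: provenance source {provenance.get('source_repo')!r} "
                f"differs from allowlisted {entry['source_repo']!r}"]
    return []


def inspect_contents(files: Dict[str, str]) -> List[str]:
    """Flag files that read credential stores or pair execution with network I/O."""
    reasons = []
    for path, text in files.items():
        runs_exec = bool(EXEC_RE.search(text))
        talks_net = bool(NET_RE.search(text))
        reads_creds = bool(CRED_RE.search(text))
        is_hook = path.endswith(INSTALL_HOOKS)
        if reads_creds:
            reasons.append(f"{path}: references a credential store or token endpoint")
        if runs_exec and talks_net:
            reasons.append(f"{path}: dynamic execution combined with network I/O")
        elif is_hook and runs_exec:
            reasons.append(f"{path}: install-time hook performs dynamic execution")
    return reasons


def admit(name: str, version: str, provenance: Dict[str, str],
          files: Dict[str, str]) -> Verdict:
    """Admit only if the package is allowlisted AND its contents look benign."""
    reasons = check_allowlist(name, version, provenance) + inspect_contents(files)
    return Verdict(allowed=not reasons, reasons=reasons)


# Constructed sample packages. Both carry provenance naming the allowlisted
# source, as a package published from a hijacked account would.
GOOD_PROVENANCE = {"source_repo": "github.com/example-org/durabletask"}
CLEAN_PKG = {"durabletask/__init__.py": "def run():\n    return 1\n"}
SUSPECT_PKG = {
    "durabletask/__init__.py": "def run():\n    return 1\n",
    # Inert fixture: it only *contains* the indicators the scanner looks for.
    "setup.py": (
        "import base64, subprocess\n"
        "from urllib.request import urlopen\n"
        "CRED_PATH = '~/.aws/credentials'\n"
    ),
}

if __name__ == "__main__":
    for label, pkg in (("clean", CLEAN_PKG), ("suspect", SUSPECT_PKG)):
        v = admit("durabletask", "1.2.3", GOOD_PROVENANCE, pkg)
        print(label, "->", "allowed" if v.allowed else "blocked", v.reasons)
```

The regex heuristics are intentionally crude; the point of the structure is that the signature and the allowlist decide where the package may come from, and a separate content pass decides what it is permitted to do, with either one able to block on its own.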

Credential rotation after each agent session limits the blast radius. If an agent gets compromised, the keys it accessed during that session should be rotated before the next session begins. This turns a persistent breach into a momentary exposure. The attacker gets credentials that expire before they can use them.

Parallel auditing adds a verification layer. Have a second, read-only agent scan dependencies before the production agent touches them. The auditing agent has no write access, no deployment credentials, and no ability to execute code. It reads, analyzes, and flags suspicious patterns. If it gets compromised, the attacker gains nothing. If it finds something, the production agent never sees it.

The Broader Supply Chain Crisis

The repeated breach of the same Microsoft account is a warning signal. This is not a one-off. It is a pattern. Either persistent compromise or incomplete recovery enabled the second attack, and both point to supply chain processes that assume human-scale response times. When an attack moves through automated agents, the response needs to be automated too. Manual credential rotation and hand-reviewed access revocation do not match the speed of lateral agent-to-agent spread.

The FusionAuth 2026 AI and Identity Report highlights a parallel gap. Machine identities accessing AI services now diverge from human identity management. We have IAM for humans: roles, permissions, access reviews, offboarding procedures. Agent authentication is still an afterthought. An agent's API keys often outlive the project that created them. They do not show up in access reviews because they are not tied to a person. They do not get rotated because nobody owns them. Miasma did not just steal credentials. It exploited the identity gap between human and machine access management.

The Close

Every engineering team running Claude Code, Cursor, Copilot, or Gemini CLI is exposed to an attack vector that did not exist six months ago. Miasma is not hypothetical. It is the second confirmed breach in two weeks on a verified publishing account. The malware steals your cloud credentials, generates a unique payload for every infection to defeat your scanners, and spreads laterally through the infrastructure your agent was supposed to manage.

Your agent has the keys to production, and it is downloading packages right now. Lock down the environment tonight.

Support PhantomByte and keep the content coming!