
Miasma worm backdoors Claude Code, Cursor, and Gemini configs — 57 npm packages compromised

Chris Harper

Jun 11, 2026 · 14:00 UTC

AI
Security
Developer Tools

A supply-chain attack that security teams are calling Miasma compromised 57 npm packages, including @vapi-ai/server-sdk (408K+ monthly downloads) and ai-sdk-ollama (120K+), in under two hours on June 3, 2026. The attack is notable for two things that go beyond a standard credential-harvesting worm: its evasion technique and its deliberate targeting of AI coding-assistant configurations.

The evasion — "Phantom Gyp". Rather than the preinstall or postinstall lifecycle hooks that npm security scanners typically watch, Miasma used a 157-byte binding.gyp file — the config format for native C++ add-ons — to trigger code execution during npm install. Most install-script auditing tools don't monitor binding.gyp. Defense: npm install --ignore-scripts blocks it; pinning dependency integrity hashes in lockfiles catches tampered packages before they run.

The AI assistant targeting. The payload deliberately injected persistent backdoor files into six environments:

  • .claude/setup.mjs and .claude/settings.json (Claude Code)
  • .cursor/rules/setup.mdc (Cursor)
  • .gemini/settings.json (Google Gemini)
  • .vscode/tasks.json and .vscode/setup.mjs (VS Code)
  • .github/setup.js (GitHub Actions)

Each file claimed legitimacy as "required for proper IDE integration." Opening the project in any of those tools afterwards silently runs attacker-controlled code.

CI/CD credential exfiltration. On GitHub Actions runners, the worm scraped AWS IMDSv2 tokens, Azure IMDS credentials, GCP service accounts, GitHub Actions OIDC tokens, and 1Password/gopass stores from process memory. It then republished its own reinfected packages with forged Sigstore provenance attestations to continue propagating downstream.

Mitigation checklist:

  • Update or remove affected packages.
  • Audit repositories for injected files in .claude/, .cursor/, .gemini/, .vscode/, and .github/.
  • Rotate all CI/CD secrets as if exposed.
  • Add --ignore-scripts to default npm install invocations.

Sources: Microsoft Security Blog, StepSecurity (Phantom Gyp), Wiz Blog, Snyk