Miasma / TeamPCP supply-chain worm: from npm credential theft to AI coding-agent config injection across the week

The Miasma arc produced the week's clearest attack-evolution story — two distinct technique pivots in five days, both in a single actor's ongoing CI/CD intrusion campaign.

Monday 2 June (daily 2026-06-02): TeamPCP used a compromised Red Hat maintainer GitHub account to inject malicious CI/CD workflows into 32 packages in the @redhat-cloud-services npm namespace via GitHub Actions OIDC trusted-publishing abuse, poisoning ~80,000–117,000 weekly downloads across 96 releases (Wiz; Aikido Security; Socket). The "Miasma" payload — a Mini Shai-Hulud descendant — swept GitHub Actions secrets, AWS keys, SSH keys, and added new dedicated collectors for GCP service-account and Azure managed-identity tokens, signalling a pivot from developer-host theft to cloud-account takeover.

Friday 6 June (daily 2026-06-06): Rather than continuing to poison npm packages, the actor shifted technique entirely: malicious commits were planted directly in the source repositories of 73 Microsoft and Microsoft-adjacent GitHub repos, wiring execution to AI coding agent workspace-config files rather than npm install lifecycle hooks (OpenSourceMalware; The Hacker News). GitHub disabled all 73 repos in a 105-second automated sweep. StepSecurity's forensic analysis found the entry credential was the same contributor account compromised in the May 19, 2026 PyPI attack (TeamPCP infrastructure overlap); full credential revocation was not confirmed. Azure Durable Task CI/CD pipelines that reference azure-functions-action were globally disrupted.

At week close, the Cargo (Rust) registry remained un-hit (the W22 looking-ahead prediction it was the next target was not confirmed in this window). The AI-coding-agent config injection vector is a structural expansion of the attack surface: any CI/CD environment where CLAUDE.md, .cursor/rules, or .gemini/ files are treated as executable code rather than data is now an active target class.