The Miasma Worm: How AI Coding Agents Became a Supply Chain Attack Surface
The recent incident on Microsoft’s Azure Functions Action and 72 other repositories highlights how AI coding agents can become a significant attack surface. Microsoft discovered the Miasma worm—a new class of threat—through this experience.
What Happened
Microsoft's Azure Functions Action and 72 other repositories were disabled after an undisclosed supply chain attack that targeted their AI coding agents. The Miasma worm exploited automated workflows where AI assistants read code, process results, or interact with CI/CD tools to propagate malicious changes across connected repositories. This was not a misconfigured secret or a phishing link; it involved the very tools and processes used by these AI systems.
How It Works
The Miasma worm leveraged the fundamental trust AI agents have in their inputs—tool results, context, and commands—in the CI/CD workflow. By poisoning content that AI agents would consume as tool results or context, it caused them to propagate malicious changes across repositories they had write access to.
Each infected agent became a vector into the next repository, where subsequent AI systems read it and followed the same pattern. The worm dynamic is what makes this attack severe: one compromised input → agent takes action → that action poisons another repo → another agent reads it → repeat. No human in the loop at any step. This was unlike traditional attacks that involved phishing or misconfigured secrets; rather, it exploited a fundamental flaw in how AI agents operate.
Detection Gap
The tools designed to stop this type of attack were all built for the pre-agentic world: GitHub Actions security controls watch for known-malicious actions and enforce workflow permissions. They don’t inspect the semantic content of what an AI agent has been told to do or why, while SAST/DAST tools scan code for vulnerabilities but lack visibility into whether the instruction that produced the code was adversarial.
Sentinel's Role
The incident underscores a critical gap: nothing was sitting between the tool result and the agent, asking if this content is trying to hijack what the agent does next. This oversight led to its detection by Sentinel’s agentic_tool_abuse detection layer, which intercepts tool results before they reach AI agents.
Sentinel's transparent proxy intercepts the tool result, runs it through all three detection layers (Layer 1: Normalization strips invisible Unicode characters and homoglyphs; Layer 2: Fast-path regex catches high-confidence signatures like authority hijacks or prompt extraction attempts), and then checks if any of these signs indicate a potential attack. This layer prevented the propagation of malicious changes, ensuring that AI agents acted on clean, safe inputs.
Conclusion
The Miasma worm demonstrates how modern CI/CD workflows can become vulnerable to new types of attacks through weaknesses in trust models centered around AI coding agents and agentic work flows. Understanding these vulnerabilities is crucial for anyone running such systems today and underscores the importance of continuous security monitoring and advanced detection technologies like Sentinel’s agentic_tool_abuse layer.
For more insights into this incident, visit StepSecurity's blog.
Source: DEV Community. AI-assisted editorial synthesis — TechnoExpress.