Miasma Hit Microsoft. It Came for Credentials. Riptides Has None.

Written by Janos Matyas
Published on Jun 10, 2026

On June 8, GitHub disabled at least 70 Microsoft repositories after a credential-stealing worm called Miasma spread through them. The hit list reads like a directory of modern AI engineering: Azure/azure-functions-host, the entire durabletask ecosystem, and tooling consumed daily by Claude Code, Gemini CLI, Cursor, and VS Code. It’s the second compromise of the same Microsoft ecosystem in under a month.

The question that hit a lot of CISO inboxes this morning is straightforward: would Riptides have prevented this?

The honest answer is NO and YES. Riptides would not have stopped the repos from being compromised. That’s a code-integrity problem at a different layer. What Riptides would have done is make the malware come up empty. Miasma exists to harvest credentials. On a Riptides-protected workload, service, or AI agent, there are no credentials to harvest.

That’s the entire thesis. The rest of this post is the work behind it.

What’s actually new about Miasma

Three details from Cloudsmith’s analysis matter for the threat model:

The attack used legitimate identity, not a software bug. Attackers compromised a Red Hat maintainer’s GitHub account and used valid OIDC tokens to publish malicious packages with valid SLSA provenance. Every conventional integrity control — maintainer signing, build attestation, registry scanning — passed.

The trigger is opening a project in an AI coding tool. Miasma planted droppers directly in source repos for high-value targets. The payload fires when an engineer clones the repo and opens it in Claude Code, Gemini CLI, Cursor, or VS Code. Not at npm install. Not in CI. At the moment an AI coding agent reads the project.

The target is cloud identity. Earlier Shai-Hulud variants scraped local secrets. Miasma ships dedicated harvesters for Azure and GCP credentials on both developer workstations and CI runners. The intent is to leave the code and get into the cloud.

The pattern itself isn’t new; we wrote about it months ago in "Shai-Hulud 2.0: Why Secrets Need to Die" and demoed it live in "Growing Threat of npm Supply Chain Attacks". The payload gets sharper, but the assumption it exploits never changes: credentials exist as files and environment variables on the machines that use them. That is the assumption to break.

What Riptides does not do

I’ll be direct, because this is where most vendor blog posts overclaim.

Riptides would not have prevented Miasma from compromising the Microsoft repos. That’s upstream of us — branch protection, account hardening, and artifact governance are the right controls there.

Riptides would not have prevented an engineer from cloning a poisoned repo into VS Code. Code review and dependency hygiene still matter.

That’s the honest scope. Now the part that matters.

What Riptides does: make the payload worthless

On the workloads we cover (production servers, workloads, AI agents, K8s, bare-metal or VM-based clusters, and, crucially, CI/CD runners), there is no static credential surface for Miasma to scrape.

Static API keys for OpenAI, Anthropic, Azure, AWS, GCP, GitHub, databases, Vault, etc. don’t exist as files, environment variables, or keyring entries. Credentials are issued just-in-time, bound to the specific process that needs them, and injected on the wire from kernel space at the moment of the connection. The credential never lands in user space at all.

The implication is the part that should interest a CISO:

  • The dropper’s first move returns nothing. Miasma enumerates ~/.aws/credentials, ~/.config/gcloud, .npmrc, the OS keyring, environment variables in /proc/*/environ. On a Riptides workload these are empty. The collector runs, the exfil POST still fires, the body is blank.
  • Credentials captured in flight can’t be replayed. Each credential is cryptographically bound to an attested workload identity. A token harvested on one machine cannot be used from anywhere else.
  • The dropper can’t exfiltrate to wherever it wants. Per-process egress policy is evaluated below user space. A poisoned extension can’t open a connection to an unapproved destination, regardless of what credentials it managed to scrape.
  • Investigation is a single query. Every connection emits an attributable record: which process, which identity, which destination, which policy. Microsoft is reconstructing the Durable Task timeline by hand. On a Riptides workload, you’d have it in minutes.

The economic logic of credential-stealer campaigns is straightforward — the attacker invests in delivery because the credentials are valuable. Remove the credentials and the campaign stops being profitable.

The CI angle: partial prevention is real prevention

Cloudsmith is explicit that CI/CD runners are a Miasma target, and this is where the prevention is strongest.

Normal Miasma flow on a build agent: dropper finds the runner’s GitHub token, AWS deploy credentials, Azure service principal secret, signing keys, npm publish tokens. Cloud pivot follows within hours. On a Riptides-protected runner the dropper finds none of them. The runner authenticates to Azure, AWS, GCP, and GitHub through federated workload identity exchanged in the kernel at request time. The credential bridge between the runner and the cloud doesn’t exist for the malware to cross.

This is the part of the breach that gets prevented at the cascade level, not just blunted.

The takeaway

For the next 48 hours, the right response to Miasma is the one Cloudsmith laid out: assume exposure, rotate every credential the malware can touch, audit your GitHub for new repos and unfamiliar workflows.
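To scope that rotation, the following added example (not Riptides or Cloudsmith code) inventories the static credential surface in the file and environment locations listed earlier in this post, reporting where a secret is stored without ever returning its value. The marker regexes, the environment-variable name pattern, and the constructed sample home directory are assumptions of the example; the OS keyring and other processes' `/proc/*/environ` are not covered.

```python
import re
import tempfile
from pathlib import Path

# Files the post lists, with a marker that means "a static secret is stored here".
# The marker regexes are assumptions of this example, not taken from the malware.
FILE_MARKERS = {
    ".aws/credentials": re.compile(r"^\s*aws_secret_access_key\s*=\s*\S", re.I | re.M),
    # A literal token counts; a ${VAR} reference is reported via the environment instead.
    ".npmrc": re.compile(r":_auth(Token)?\s*=\s*(?!\$\{)\S"),
}
# Credential stores the gcloud CLI keeps under ~/.config/gcloud.
GCLOUD_STORES = ("application_default_credentials.json", "credentials.db", "access_tokens.db")
SECRET_ENV_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|API_?KEY|ACCESS_KEY", re.I)


def static_credential_surface(home, environ):
    """Return sorted (kind, location) findings. Secret values are never returned."""
    home = Path(home)
    findings = []
    for rel, marker in FILE_MARKERS.items():
        path = home / rel
        if path.is_file() and marker.search(path.read_text(errors="replace")):
            findings.append(("file", rel))
    for name in GCLOUD_STORES:
        store = home / ".config" / "gcloud" / name
        if store.is_file() and store.stat().st_size > 0:
            findings.append(("file", f".config/gcloud/{name}"))
    for name, value in environ.items():
        if value and SECRET_ENV_NAME.search(name):
            findings.append(("env", name))
    return sorted(findings)


def build_constructed_home(root):
    """Constructed sample home directory with fake, non-functional values."""
    root = Path(root)
    (root / ".aws").mkdir(parents=True)
    (root / ".aws" / "credentials").write_text(
        "[default]\naws_access_key_id = EXAMPLEKEYID\naws_secret_access_key = example-not-real\n")
    (root / ".npmrc").write_text("//registry.npmjs.org/:_authToken=${NPM_TOKEN}\n")
    (root / ".config" / "gcloud").mkdir(parents=True)
    (root / ".config" / "gcloud" / "application_default_credentials.json").write_text("{}")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        env = {"NPM_TOKEN": "example-not-real", "PATH": "/usr/bin"}
        for kind, location in static_credential_surface(build_constructed_home(tmp), env):
            print(f"rotate and remove: {kind:4} {location}")
```

On a real machine, call `static_credential_surface(Path.home(), os.environ)` on each workstation and CI runner; an empty result is the state the post argues for.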

The strategic posture is different. Miasma is a template, not an endpoint. Every assumption it exploits is still true across the industry: maintainer credentials remain the porous perimeter, AI coding agents are now code-execution environments rather than editors, and credentials on disk are the actual asset attackers want.

The first two are hard to fix and will keep failing. The third one is fixable today.

Static analysis checks code before it runs. Runtime identity controls what it can do once it’s running. Miasma slipped past every static check on the planet. Only the second layer would have stopped it from paying off. We believe that Riptides is that layer.


If your workloads, CI runners or AI agents touch anything you’d rather not see in a Miasma postmortem, request a demo.

