Credential harvesting in AI coding tools - are your workloads exposed?

TL;DR: Miasma malware spread through at least 70 Microsoft repositories and was designed to harvest cloud and developer credentials from AI coding environments, according to Riptides. The incident shows that static integrity checks can pass while credential theft still succeeds, because the real target is the secrets stored on disk and in environment variables.

NHIMG editorial — based on content published by Riptides: Miasma Hit Microsoft. It Came for Credentials. Riptides Has None

By the numbers:

• On June 8, GitHub disabled at least 70 Microsoft repositories after the Miasma worm spread through them.
• When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
• Only 5.7% of organisations have full visibility into their service accounts.

Questions worth separating out

Q: What breaks when malware can read secrets from AI coding environments?

A: When malware can inspect AI coding environments, the normal assumption that secrets stay hidden until a legitimate process uses them no longer holds.

Q: Why do service accounts and CI runners increase cloud breach risk?

A: Service accounts and CI runners often hold the exact credentials attackers want: deploy tokens, publishing secrets, and cloud access with broad authority.

Q: How do security teams know whether stolen credentials can be replayed?

A: Teams should ask whether the secret is portable, long-lived, and valid outside the original process, host, or network context.

Practitioner guidance

• Remove static secrets from AI development paths Eliminate cloud keys, package tokens, and database credentials from developer workstations, AI coding tools, and build runners where malware can enumerate files, variables, and keyrings.
• Bind high-value access to workload identity Use federated, workload-bound credentials for CI/CD and production systems so a stolen token cannot be replayed from another host or session.
• Harden AI coding environments as exposure surfaces Treat Claude Code, Gemini CLI, Cursor, VS Code, and similar tools as places where repository content and local secrets can collide, then restrict what credentials are present during interactive sessions.

What's in the full article

Riptides's full research post covers the operational detail this post intentionally leaves for the source:

• The exact Miasma behavior observed across Microsoft repositories and the repository types it targeted.
• The full breakdown of how the payload searches for Azure, AWS, GCP, GitHub, and local developer secrets.
• The workload identity architecture Riptides describes for preventing replay on CI runners and AI agents.
• The incident timeline and the vendor's response framing around static analysis versus runtime identity controls.

👉 Read Riptides's analysis of the Miasma credential-stealing worm and NHI exposure →

Credential harvesting in AI coding tools - are your workloads exposed?

Explore further

View Full Forum →  |  NHI Foundation Course →