Developer Weekly Briefing — June 13, 2026


Security dominated this week. A worm hit GitHub's own repos, npm is closing attack vectors that have been open for years, and the developer environment itself is now officially part of the attack surface. But there was plenty of forward-looking news too. Here's what mattered.


The Miasma worm hit 73 Microsoft repos — and your IDE was the entry point

On June 5, GitHub disabled 73 Microsoft-owned repositories after the Miasma worm used a compromised contributor account to plant a credential-harvesting payload. The infected repos spanned Azure, Azure-Samples, Microsoft, and MicrosoftDocs — including well-used projects like azure-search-openai-demo and the Durable Task libraries. GitHub's automated systems contained it in 105 seconds. But the detail that should get your attention: the payload triggered when a developer opened the repo in an IDE or AI coding tool — Claude Code, Gemini CLI, Cursor, or VS Code. Just opening a trusted repo was enough.



npm v12 ships in July — install scripts stop running by default

This is the one with a hard deadline. Starting in July, npm v12 will no longer auto-execute install scripts, resolve Git dependencies, or pull from remote URLs. All of it becomes opt-in. It's a direct response to the wave of supply chain attacks that hit the JavaScript ecosystem over the past year — including the hijacking of 18 popular packages with 2.6 billion combined weekly downloads. The average npm project pulls in 79 transitive dependencies. Any one of them could carry a malicious script. After July, those scripts won't run unless you say so. Run npm approve-scripts --allow-scripts-pending now to find out what's in your dependency chain before the upgrade forces your hand.
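
As an added example (not from the briefing and not npm's own code), this Node.js function classifies package-lock.json entries by the three behaviours described above as becoming opt-in: install scripts, Git dependencies and remote-URL tarballs. It assumes a lockfileVersion 2 or 3 file and the default public registry host; the sample lockfile and its package names are constructed.

```javascript
// Added example: audit a parsed package-lock.json for what npm v12 will gate.
const REGISTRY_HOST = "registry.npmjs.org"; // assumption: default public registry

function auditLockfile(lock) {
  const findings = { installScripts: [], gitDeps: [], remoteUrls: [] };
  // lockfileVersion 2 and 3 keep a flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    const i = path.lastIndexOf("node_modules/");
    const name = i === -1 ? path : path.slice(i + "node_modules/".length);
    const id = `${name}@${meta.version}`;
    // npm records this flag when a package declares install lifecycle scripts.
    if (meta.hasInstallScript === true) findings.installScripts.push(id);
    const resolved = meta.resolved || "";
    if (resolved.startsWith("git+")) {
      findings.gitDeps.push(id); // fetched from a Git remote, not a registry
    } else if (/^https?:\/\//.test(resolved)) {
      let host = null;
      try { host = new URL(resolved).hostname; } catch { /* malformed URL */ }
      if (host !== REGISTRY_HOST) findings.remoteUrls.push(id);
    }
  }
  return findings;
}

// Constructed sample lockfile (package names and hosts are made up).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/plain-lib": { version: "2.1.0",
      resolved: "https://registry.npmjs.org/plain-lib/-/plain-lib-2.1.0.tgz" },
    "node_modules/native-addon": { version: "4.0.2", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/native-addon/-/native-addon-4.0.2.tgz" },
    "node_modules/@acme/forked": { version: "0.3.0",
      resolved: "git+ssh://git@git.example.com/acme/forked.git#0123456789abcdef0123456789abcdef01234567" },
    "node_modules/native-addon/node_modules/tarball-dep": { version: "1.0.0",
      hasInstallScript: true,
      resolved: "https://downloads.example.com/tarball-dep-1.0.0.tgz" },
  },
};

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

To audit a real project, pass the parsed contents of its package-lock.json to `auditLockfile`; a private registry host will show up under `remoteUrls` unless `REGISTRY_HOST` is changed to match.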



VS Code 1.123 adds 1M token context windows, session sync, and a research agent

The headline feature is support for 1-million-token context windows with compatible models, including Claude Opus 4.7 and GPT-5.5 — useful for complex projects where losing context mid-session is a real workflow problem. But the more interesting addition might be session sync: an automatic backup of chat sessions to GitHub that captures conversation history, files touched, and repo context. The companion Chronicle feature lets you query that history in natural language, generate standup reports, and search past work by topic or file. The parallel agents view and a new research agent (preview) round out an update that continues Microsoft's push to make VS Code the center of agentic development.



AI coding tools are making engineers faster — but the review bottleneck is real

Todd Fisher, CEO of CTM, makes a point worth sitting with: if your team becomes 10x more productive with AI, so does your competitor's. The baseline is shifting for everyone. His candid observation about where it actually breaks down: code generation is fast now, but reviewing AI-generated output is still slow, and that's the new bottleneck. Features are nearly complete but stalled due to insufficient time to review everything individually. Speed without oversight isn't a win.



Agentic AI in production: $3.3M in savings and the failure patterns nobody talks about

From Info-Tech LIVE 2026 in Las Vegas — the organizations seeing real results from agentic AI aren't the ones with the most budget or the flashiest tools. They're the ones who got serious about governance and failure patterns early. The $3.3M savings figure is real, but the more useful part of this piece is the failure taxonomy: what actually goes wrong when agents hit production and how to avoid it.



From pilot to production: the agentic AI governance playbook

Most agentic AI pilots succeed. Most production deployments don't — at least not on the first try. The gap isn't a technology problem; the agents work. The problem is that organizations treat the move to production as a scaling exercise when it's actually a governance exercise. This piece lays out the playbook for getting agents out of the lab and into the real world without breaking things.



The developer survival guide for the age of agentification

Agents are taking on more of the work that developers used to do. This isn't a theoretical future — it's already happening. Here's a practical look at what skills still matter, what's changing, and how to position yourself for what comes next.





The through-line this week: the developer environment is now a target, not just the code. Miasma and the npm changes aren't separate stories — they're the same story.

See you next Friday.


Developer Weekly Briefing is published every Friday on Coder Legion. Written by Tom Smith.
