- What: The Miasma worm infected 73 Microsoft GitHub repositories across Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations, forcing GitHub to disable repository access.
- Impact: The worm exploits legitimate authentication channels to self-replicate, spreading through compromised developer credentials and AI coding tools, with the ability to exponentially propagate downstream.
- Fix / mitigation: GitHub has disabled access to affected repositories; organizations must rotate all credentials with access to compromised repos and audit CI/CD pipelines for unauthorized changes.
- Who's at risk: Any developer using affected Microsoft repositories, particularly Azure Durable Task ecosystem components, and anyone using AI coding agents like Cursor, Claude Code, Gemini CLI, or VS Code with infected repos.
Microsoft's GitHub infrastructure has fallen victim to one of the most sophisticated self-replicating supply chain attacks observed to date. The Miasma worm compromised 73 repositories across four Microsoft organizations—Azure, Azure-Samples, Microsoft, and MicrosoftDocs—forcing GitHub to disable access pending investigation. The attack represents a fundamental breakdown in the trust model underlying modern software delivery.
GitHub now displays a violation notice when users attempt to access affected repositories like Azure/azure-functions-host: 'Access to this repository has been disabled by GitHub Staff due to a violation of GitHub's terms of service.' The breadth of the compromise spans critical Microsoft infrastructure, including the entire Azure Durable Task ecosystem.
The Durable Task Re-Compromise
The attack specifically targeted Microsoft's Durable Task framework, which had already suffered a compromise last month when TeamPCP infected the durabletask PyPI package with an information stealer for Linux systems. This time, the worm took down not just the root repository but every implementation in the ecosystem: .NET, Go, Java, JavaScript, MSSQL, Netherite, and protobuf variants.
Security researcher Paul McCarty (6mile) identified the pattern: 'When the repo at the root of last month's compromise is the hub of this month's takedown, that is not a coincidence—that is the same wound reopening. Whoever held those credentials in May plausibly never fully lost them.'
Affected repositories include critical Microsoft infrastructure components:
- azure-search-openai-demo-purviewdatasecurity
- Connectors-NET-LSP and Connectors-NET-SDK
- durabletask, durabletask-dotnet, durabletask-go, durabletask-js, durabletask-mssql
- functions-container-action
- homebrew-functions
- llm-fine-tuning
- windows-driver-docs
Worm Evolution and Spread Mechanics
Miasma is assessed as a variant of the Mini Shai-Hulud worm that TeamPCP publicly released in mid-May 2026. The malware has continued to mutate and refine its tactics throughout June, infecting additional packages daily. OpenSourceMalware tracking shows 95 repositories currently infected, using four distinct naming patterns for exfiltrated data: 'Miasma: The Spreading Blight' (82 repositories), 'Miasma : The Spreading Blight,' 'Miasma - The Spreading Blight,' and 'Hades - The End for the Damned' (13 repositories).
The worm has evolved beyond traditional package registry poisoning. In a significant tactical shift, Miasma bypassed the npm registry entirely in recent attacks, pushing malicious code directly to source repositories. The attack compromised icflorescu/mantine-datatable and four related repositories: mantine-contextmenu, next-server-actions-parallel, mantine-datatable-v6, and mantine-contextmenu-v6.
AI Coding Tool Weaponization
SafeDep's analysis revealed a disturbing evolution in the attack vector. The malicious commits added no dependencies but planted a 4.3 MB payload runner configured to execute automatically through five popular AI-assisted development tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script. The attack detonates when a developer clones an affected repository and opens it in an AI coding agent.
FalconFeeds.io identified the core vulnerability: 'The worm operates entirely within legitimate channels. It does not exploit a vulnerability in npm or GitHub—it exploits the trust model those platforms are built on: the assumption that if a package is signed with a valid key and published by an authenticated maintainer, it is safe.'
The dropper uses a staged Bun loader, repurposed for GitHub source-repository persistence rather than traditional registry poisoning. From the platform's perspective, every malicious publish event appears indistinguishable from a routine update because the attacker controls both the signing key and the maintainer account.
Self-Replication and Exponential Spread
What separates this campaign from conventional supply chain attacks is its ability to exponentially propagate. The worm doesn't just compromise a single package—it infects downstream users who then become vectors for further spread. Each compromised developer's credentials enable the worm to push malicious commits to repositories they maintain, creating a cascading infection chain.
This self-replicating capability makes Miasma one of the most significant and sustained supply chain campaigns observed to date. Conventional defenses have largely failed because the malware operates within the bounds of normal development workflows, using stolen but valid credentials to perform actions that appear legitimate to platform security controls.
Broader Campaign Context
The Microsoft GitHub compromise is part of a larger wave of attacks. Related incidents this week include the compromise of Red Hat npm packages and the theft of OpenAI Codex authentication tokens through the codexui-android npm package. Security teams at OpenSourceMalware and SafeDep have identified common infrastructure and tactics linking these incidents to the same threat actor or coordinated campaign.
The campaign has exposed fundamental weaknesses in how open-source ecosystems handle trust and authentication. Package registries and source control platforms assume that authenticated actions by verified maintainers represent legitimate updates, but this trust model collapses when attackers compromise the maintainer credentials themselves.
Mitigation Requirements
Organizations using affected Microsoft repositories must take immediate action:
- Rotate all credentials with access to the 73 compromised repositories and any downstream dependencies
- Audit CI/CD pipelines for unauthorized changes or newly added secrets
- Review commit history for the four malicious repository naming patterns
- Scan developer workstations for the 4.3 MB Bun loader payload
- Temporarily restrict AI coding tool access to internal repositories until verification
- Implement commit signing verification and require code review for all dependency updates
Security teams should monitor for repositories with descriptions matching 'Miasma: The Spreading Blight' or 'Hades - The End for the Damned' patterns, which indicate exfiltrated credentials. The persistence of compromised credentials from the May durabletask incident demonstrates that simple password rotation is insufficient—full credential revocation and re-issuance is required.
This incident marks a threshold moment for software supply chain security. The combination of self-replication, AI tool integration, and exploitation of platform trust models creates an attack surface that existing defenses are not equipped to handle. Organizations must fundamentally rethink their approach to dependency management and developer credential security.
Questions about your exposure?
RedEye Security provides assessments for organizations that need to understand their real risk.
Talk to us