Full Report
Microsoft's GitHub repositories have become the latest to fall victim to the ongoing Miasma self-replicating supply chain attack campaign. The incident impacted 73 Microsoft repositories across four of its GitHub organizations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs, per OpenSourceMalware. The development has prompted GitHub to disable access to those repositories. "Access to this
Analysis Summary
# Incident Report: Miasma Worm Impacting Microsoft GitHub Organizations
## Executive Summary
In early June 2026, a self-replicating supply chain worm known as "Miasma" (a variant of Mini Shai-Hulud) compromised 73 Microsoft-affiliated GitHub repositories. The attack utilized stolen credentials to inject malicious payloads into critical ecosystems, including Azure and Durable Task frameworks. The worm uniquely targets developer environments by executing via AI coding agents and standard development tools, leading GitHub to take the drastic step of disabling access to the affected repositories.
## Incident Details
- **Discovery Date:** June 2026
- **Incident Date:** May – June 2026 (Ongoing campaign)
- **Affected Organization:** Microsoft (Azure, Azure-Samples, Microsoft, MicrosoftDocs)
- **Sector:** Technology / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 2026
- **Vector:** Likely credential theft/compromise of PyPI maintainer accounts.
- **Details:** The "durabletask" PyPI package was originally infected by threat group TeamPCP in May 2026 to deliver Linux infostealers.
### Lateral Movement
- **Details:** Using credentials harvested in May, attackers moved laterally across GitHub Organizations. Security researchers hypothesize that the credentials used in the initial May compromise were never fully rotated or secured, allowing the "Miasma" variant to spread to 73 sibling repositories across Azure and Microsoft organizations.
### Data Exfiltration/Impact
- **Details:** Malicious code was pushed directly to source repositories. Specifically, a 4.3 MB payload runner was planted and configured to auto-execute when cloned by developers.
### Detection & Response
- **Discovery:** Identified by security researchers at OpenSourceMalware, SafeDep, and independent researcher Paul McCarty.
- **Response Actions:** GitHub staff disabled public access to impacted repositories (e.g., `Azure/azure-functions-host`), citing violations of the Terms of Service.
## Attack Methodology
- **Initial Access:** Valid accounts (likely via stolen GitHub/PyPI tokens).
- **Persistence:** Direct commit of malicious payload runners into source code repositories rather than just registry poisoning.
- **Defense Evasion:** Operates within legitimate channels; does not exploit software vulnerabilities but abuses the trust model of open-source collaboration.
- **Lateral Movement:** Self-replicating worm logic; using compromised secrets to infect downstream/sibling repositories.
- **Impact:** Supply chain compromise; 4.3 MB payload runner.
- **Execution:** Hooks into developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and `npm test` scripts. The attack "detonates" when a developer opens the cloned repo in an AI coding agent.
## Impact Assessment
- **Financial:** Undisclosed; significant engineering hours required for cleanup and auditing.
- **Data Breach:** Source code integrity compromise; potential theft of secrets/environment variables from developer workstations.
- **Operational:** High disruption; 73 repositories disabled, including core Azure Function components and the entire Durable Task ecosystem.
- **Reputational:** High; demonstrates that even major organizations like Microsoft are vulnerable to sustained credential-based supply chain worms.
## Indicators of Compromise
- **Repository Descriptions:**
  - "Miasma: The Spreading Blight"
  - "Hades - The End for the Damned"
- **File Indicators:** 4.3 MB staged Bun loader/payload runner within repository files.
- **Behavioral:** Unauthorized commits to `azure-functions-host`, `durabletask-*`, and `mantine-datatable` related repos.
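The file and behavioral indicators above, together with the execution vectors listed under Attack Methodology (agent hook files and `npm test` scripts), can be turned into a triage check run against a fresh clone before anyone opens it in an IDE or agent. The following is an added example written for this report, not tooling from the researchers or from GitHub; the agent config paths (`.claude/settings.json`, `.gemini/settings.json`, `.cursor/hooks.json`) are this example's assumption about where each tool reads project-level hooks, and the sample repository it scans is constructed and harmless.

```python
import json
import tempfile
from pathlib import Path

PAYLOAD_SIZE = 4_300_000  # the report's ~4.3 MB staged loader; match within +/-10%
# Config files that can run a command on open, install or test; agent paths are an assumption.
AGENT_HOOK_FILES = (".claude/settings.json", ".gemini/settings.json", ".cursor/hooks.json")
NPM_AUTO_SCRIPTS = ("preinstall", "install", "postinstall", "prepare", "test")

def _walk_hooks(node):
    """Yield every 'command' value nested anywhere under a tool's hooks structure."""
    if isinstance(node, dict) and "command" in node:
        yield str(node["command"])
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for value in children:
        yield from _walk_hooks(value)

def _load_json(path):
    """Parse a JSON config file, treating missing or invalid files as empty."""
    try:
        data = json.loads(path.read_text())
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def auto_run_commands(repo):
    """Yield (config file, command) pairs that run without the developer invoking them."""
    scripts = _load_json(Path(repo, "package.json")).get("scripts", {})
    for name in NPM_AUTO_SCRIPTS:
        if name in scripts:
            yield "package.json", f"scripts.{name}: {scripts[name]}"
    for rel in AGENT_HOOK_FILES:
        for cmd in _walk_hooks(_load_json(Path(repo, rel)).get("hooks", {})):
            yield rel, cmd

def oversized_files(repo):
    """Yield repo-relative paths whose size is close to the reported loader size."""
    for path in Path(repo).rglob("*"):
        if path.is_file() and ".git" not in path.parts \
                and abs(path.stat().st_size - PAYLOAD_SIZE) <= PAYLOAD_SIZE // 10:
            yield str(path.relative_to(repo))

def demo():
    """Constructed, harmless sample repo: one agent hook pointing at one oversized blob."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, ".claude").mkdir()
        Path(tmp, ".claude", "settings.json").write_text(json.dumps(
            {"hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": "./runner"}]}]}}))
        Path(tmp, "runner").write_bytes(b"\0" * PAYLOAD_SIZE)
        return list(auto_run_commands(tmp)), list(oversized_files(tmp))
```

Any hit from `auto_run_commands` means the clone can execute code before a human reads it, so review the referenced command and compare it against the last known-clean commit rather than opening the checkout in an agent.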
## Response Actions
- **Containment:** GitHub disabled access to 73 repositories across `Azure`, `Azure-Samples`, `Microsoft`, and `MicrosoftDocs`.
- **Eradication:** Removal of malicious commits and rotation of compromised developer credentials (ongoing).
- **Recovery:** Restoration of repositories from known-clean states.
## Lessons Learned
- **Credential Hygiene:** An initial compromise in May was not fully remediated, allowing a second, larger wave in June.
- **AI Tool Risk:** Modern AI coding agents and IDEs serve as new execution vectors for malware (config-injection).
- **Trust Model:** Legitimate organizations (Microsoft) can be used as unwitting hosts for malware distribution, bypassing traditional "reputation" filters.
## Recommendations
- **Rotate Secrets:** Immediately rotate all Personal Access Tokens (PATs) and SSH keys following any suspected breach, even if only one repository appears affected.
- **Enforce MFA:** Mandatory hardware-based MFA for all maintainers of sensitive organizations.
- **Sandbox AI Tools:** Run AI coding agents and modern IDEs in isolated containers or virtual machines to prevent "clone-and-detonate" malware from accessing the primary workstation.
- **Branch Protection:** Implement strict branch protection rules requiring multiple reviews for commits, even from "trusted" organization members.