Microsoft GitHub Repositories Hit by Miasma Worm Supply Chain Attack
A self-replicating malware called Miasma compromised 73 Microsoft GitHub repositories on June 5, 2026, exploiting a gap in how developers use AI coding tools. The attack used stolen contributor credentials to inject malicious configuration files into the Azure/durabletask repository, which then harvested credentials from developers' machines when they opened the code in tools like Claude Code, Cursor, and VS Code.
GitHub disabled all 73 affected repositories within 105 seconds of detecting the intrusion. The speed of the response limited immediate damage, but the incident exposed a fundamental weakness: attackers can now trigger code execution simply by having a developer open a repository in an AI tool, bypassing traditional security checks.
How the Attack Worked
The attacker used a compromised contributor account to push a malicious commit to Azure/durabletask on June 5. The commit was backdated to 2020 and included a [skip ci] flag to avoid triggering automated pipeline checks. Rather than modify source code, the attack added five configuration files designed to activate when the repository opened in different tools.
Each configuration file pointed to a 4.3-4.6 MB obfuscated JavaScript payload stored in .github/setup.js. When a developer opened the repository, the payload executed automatically and harvested credentials for AWS, Azure, GCP, Kubernetes, npm, GitHub, and over 90 developer tools.
The worm then used those stolen credentials to commit itself into any other repository the compromised account could access. This created a self-propagating loop that spread the malware across the Microsoft ecosystem without requiring any vulnerability in GitHub or npm itself.
The attack represents a shift in supply chain tactics. Previous malware targeted package installation hooks. Miasma activates when a developer simply opens a repository in an IDE or AI agent, regardless of whether any code is executed.
Operational Impact
The disabling of Azure/functions-action, an official GitHub Action for deploying Azure Functions, broke CI/CD pipelines across organizations relying on it. Critical Azure infrastructure and documentation repositories became inaccessible, causing widespread workflow disruptions.
The full scope of downstream impact remains unclear. Organizations that pulled code from affected repositories during the window between the malicious commit and GitHub's automated response may have introduced the worm into their own systems.
Links to Earlier Attacks
Security researchers linked Miasma to the Mini Shai-Hulud worm, released in May 2026. The same compromised contributor account appeared in both attacks, and the payloads shared significant similarities. The same threat group, TeamPCP, is suspected but not confirmed.
The May incident targeted the durabletask PyPI package directly. Three malicious versions were uploaded within 35 minutes using a stolen publishing token before Microsoft removed them. The June GitHub attack used the same compromised credentials to target the source repository.
What Organizations Should Do Now
Immediately rotate all credentials for accounts that had access to the affected repositories. This includes tokens and keys for AWS, Azure, GCP, Kubernetes, npm, and GitHub. Revoke and reissue all publishing tokens.
Audit all repositories for unauthorized commits, especially those containing configuration files for AI coding agents or large obfuscated JavaScript files. Restore repositories from known-good backups if suspicious activity is found.
Enforce multi-factor authentication for all contributors and maintainers. Invalidate all active sessions and tokens for compromised accounts.
Review CI/CD pipeline configurations to detect and block commits that include suspicious configuration files or use [skip ci] flags without clear justification. Implement strict access controls and regularly audit who has contributor access.
Educate developers about the risks of opening untrusted repositories in AI coding agents or IDEs. Encourage the use of isolated environments for reviewing external code before opening it in development tools.
Monitor for indicators of compromise, including connections to the C2 domain git-service[.]com and repositories with Miasma-themed naming patterns.
Broader Implications
The attack exposes a trust model problem in open-source development. Malicious activity from a legitimate maintainer account looks identical to routine updates from the platform's perspective. Traditional defenses focused on vulnerability scanning and dependency analysis miss attacks that rely on valid credentials and standard mechanisms.
The rise of AI coding agents introduces a new attack surface. These tools automatically explore unfamiliar repositories and execute code based on configuration files. Developers may not review what executes when they open a repository in Cursor or Claude Code the way they would if running a script manually.
This incident suggests that security practices built for the era of manual code review and deliberate package installation are insufficient. Organizations need detection systems that flag suspicious commits regardless of who pushes them, and developers need better visibility into what code executes in their development environments.
For professionals managing development infrastructure, the lesson is clear: assume credentials will be compromised. Build detection and response capabilities around that assumption, and treat repository access with the same rigor as production access.
Your membership also unlocks:
