Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack

Summary

The Miasma self-replicating supply chain attack campaign has compromised 73 Microsoft GitHub repositories across four organizations, including Azure and MicrosoftDocs. GitHub has disabled access to these repositories. This campaign notably re-compromised the 'durabletask' PyPI package and has been observed pushing malicious code directly to repositories, bypassing traditional registries.

Full text

Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack Ravie LakshmananJun 06, 2026Supply Chain Attack / Malware Microsoft's GitHub repositories have become the latest to fall victim to the ongoing Miasma self-replicating supply chain attack campaign. The incident impacted 73 Microsoft repositories across four of its GitHub organizations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs, per OpenSourceMalware. The development has GitHub to disable access to those repositories. "Access to this repository has been disabled by GitHub Staff due to a violation of GitHub's terms of service," reads the message when attempting to access the "Azure/azure-functions-host" repository. "If you are the owner of the repository, you may reach out to GitHub Support for more information." According to OpenSourceMalware, the incident impacts the following repositories - azure-search-openai-demo-purviewdatasecurity Connectors-NET-LSP Connectors-NET-SDK durabletask durabletask-dotnet durabletask-go durabletask-js durabletask-mssql functions-container-action homebrew-functions llm-fine-tuning windows-driver-docs What's notable about the latest campaign is the re-compromise of the "durabletask" PyPI package, which was infected by TeamPCP last month to deliver an information stealer on Linux systems. "A month later, not only is Azure/durabletask gone - so is every sibling repo in the Durable Task ecosystem, sitting one org over in Microsoft: the .NET, Go, Java, JS, MSSQL, Netherite, and protobuf implementations, plus the Durable Functions monitor," security researcher Paul McCarty (aka 6mile) said. "When the repo at the root of last month's compromise is the hub of this month's takedown, that is not a coincidence - that is the same wound reopening. Whoever held those credentials in May plausibly never fully lost them." Miasma is assessed to be a variant of the Mini Shai-Hulud worm that TeamPCP publicly released in mid-May 2026. It has since continued to mutate and refine its tactics, even as it has infected more packages over the past couple of days, using various descriptions of the public repositories containing the stolen secrets - Miasma: The Spreading Blight Miasma : The Spreading Blight Miasma - The Spreading Blight Hades - The End for the Damned As of writing, there are 13 repositories with the description "Hades - The End for the Damned" and 82 repositories with the remaining three naming patterns. Miasma has also been observed skipping the npm registry entirely, with the threat actors pushing malicious code directly to "icflorescu/mantine-datatable" and four related repositories: "mantine-contextmenu," "next-server-actions-parallel," "mantine-datatable-v6," and "mantine-contextmenu-v6." "The commit added no dependencies. It planted a 4.3 MB payload runner and wired it to execute automatically through five developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script," SafeDep said. "The attack detonates when a developer clones one of the affected repos and opens it in an AI coding agent. The dropper is the same staged Bun loader, here repurposed for GitHub source-repo persistence rather than registry poisoning." These software supply chain attacks have exposed the underlying weaknesses in the trust model that forms the basis of software delivery in open-source ecosystems, making it one of the most significant and sustained campaigns observed to date. What separates the activity from other incidents is its ability to exponentially propagate across the ecosystem by compromising downstream users and repeating the same cycle. "The worm's genius and the reason conventional defences largely failed is that it operates entirely within legitimate channels. It does not exploit a vulnerability in npm or GitHub," FalconFeeds.io said. "It exploits the trust model those platforms are built on: the assumption that if a package is signed with a valid key and published by an authenticated maintainer, it is safe." "Shai-Hulud compromises the key and the maintainer, then proceeds to act exactly as a legitimate publisher would. From the registry's perspective, every malicious publish event is indistinguishable from a routine update." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  AI Coding, Azure, cybersecurity, GitHub, Malware, Microsoft, NPM, Open Source, PyPI, Supply Chain Attack ⚡ Top Stories This Week Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm ⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More Malicious npm Package Stole Files From Claude AI User Directory via GitHub GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions ⭐ Featured Resources Your Employees Are Using AI in Ways You Can’t See – 2026 State of AI Report Learn How to Stop Attacks Before They Reach Your EDR – With PHASR Watch AI Turn Vulnerabilities Into Working Exploits in Minutes (See the Demo) [Guide] The Real Security Risks of Shadow AI (And Where You’re Exposed)

Indicators of Compromise

• malware — Miasma
• malware — Mini Shai-Hulud

Entities