Miasma Worm Compromises 73 Microsoft GitHub Repos in Supply Chain Attack

Key Takeaways

• Massive Microsoft‑GitHub compromise: 73 repositories across the Azure, Azure‑Samples, Microsoft, and MicrosoftDocs organizations were disabled by GitHub after being infected with the Miasma supply‑chain malware.
• Re‑infection of the durabletask ecosystem: The PyPI package durabletask (previously compromised in May 2026) and all its sibling repositories (.NET, Go, Java, JavaScript, MSSQL, Netherite, protobuf, and Durable Functions) were taken down again, indicating the attackers retained the original maintainer credentials.
• Miasma – a evolving worm: Miasma is a variant of the Mini Shai‑Hulud worm released by TeamPCP in mid‑May 2026. It has mutated, creating dozens of malicious public repositories with names such as “Miasma: The Spreading Blight” and “Hades – The End for the Damned.”
• Bypassing traditional defenses: The attack does not exploit a registry vulnerability; it abuses the trust model of GitHub and npm by using legitimate‑looking commits signed with stolen maintainer keys, making malicious publishes indistinguishable from routine updates.
• Persistence via developer tools: Malicious code is delivered as a 4.3 MB Bun‑based dropper that auto‑executes when a developer opens the cloned repo in AI‑assisted editors (Claude Code, Gemini CLI, Cursor, VS Code) or runs the npm test script, ensuring execution without adding new dependencies.
• Supply‑chain amplification: By compromising a upstream repository, the worm propagates downstream each time a user clones or depends on the infected code, creating a self‑replicating cycle that can rapidly expand across ecosystems.
• Lessons for defenders: Organizations must enforce strict credential hygiene (e.g., short‑lived tokens, MFA, credential rotation), monitor for anomalous commits even from trusted maintainers, enforce branch‑protection rules, and implement runtime detection for unexpected execution of bundled loaders in development environments.

Overview of the Miasma Campaign
In early June 2026, security researchers from OpenSourceMalware reported that Microsoft’s GitHub holdings had been hit by a widespread supply‑chain attack dubbed “Miasma.” The incident affected 73 repositories spread across four Microsoft‑owned GitHub organizations: Azure, Azure‑Samples, Microsoft, and MicrosoftDocs. When attempting to access any of the compromised repos—such as Azure/azure-functions-host—users encountered a GitHub staff notice stating that access had been disabled due to a terms‑of‑service violation. The list of impacted projects includes notable samples like azure-search-openai-demo-purviewdatasecurity, Connectors-NET-LSP, durabletask and its language‑specific forks, functions-container-action, homebrew-functions, llm-fine‑tuning, and windows-driver-docs.

The DurableTask Re‑Compromise
A particularly telling aspect of this wave is the re‑infection of the durabletask PyPI package. Last month, the same package had been hijacked by the threat group TeamPCP to distribute an information‑stealer targeting Linux systems. The current takedown erased not only the original durabletask repository but also every sibling repo in the Durable Task ecosystem housed under the Microsoft organization: the .NET, Go, Java, JavaScript, MSSQL, Netherite, and protobuf implementations, plus the Durable Functions monitor. Security researcher Paul McCarty (aka 6mile) observed that hitting the root repository again strongly suggests the attackers never lost the credentials used in the May compromise, allowing them to reopen the same wound a month later.

Miasma as a Mini Shai‑Hulud Variant
Miasma has been identified as a descendant of the Mini Shai‑Hulud worm that TeamPCP publicly released in mid‑May 2026. Since its debut, the worm has continued to mutate, refining its tactics while expanding its footprint. The latest iteration creates numerous malicious public repositories whose descriptions follow a handful of patterns:

• “Miasma: The Spreading Blight”
• “Miasma : The Spreading Blight” (note the extra space)
• “Miasma – The Spreading Blight”
• “Hades – The End for the Damned”

At the time of reporting, there were 13 repositories bearing the “Hades” description and 82 repositories using one of the three Miasma naming variants. These names serve as markers for the threat actors to track their proliferating footholds across the ecosystem.

Attack Vector Beyond npm Registries
Interestingly, Miasma has been observed sidestepping the traditional npm registry altogether. Instead of poisoning a package version, the threat actors pushed malicious code directly to specific GitHub repositories such as icflorescu/mantine-datatable and four related projects: mantine-contextmenu, next-server-actions-parallel, mantine-datatable-v6, and mantine-contextmenu-v6. The commit introduced no new dependencies; rather, it implanted a 4.3 MB payload runner—a staged Bun loader—that is wired to execute automatically through five commonly used developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script.

When a developer clones one of the affected repositories and opens it in any of these AI‑assisted editors or runs the test script, the dropper launches, executing the malicious payload without raising suspicion. Because the modification looks like a routine code change and is signed with a legitimate‑appearing maintainer key, both GitHub and npm treat it as a legitimate update, allowing the worm to slip past conventional signature‑based defenses.

Exploitation of the Trust Model
The core strength of Miasma lies in its abuse of the implicit trust that underpins open‑source software distribution. Platforms like GitHub and npm operate on the assumption that a package signed with a valid cryptographic key and published by an authenticated maintainer is safe. By compromising the maintainer’s credentials—whether through credential leakage, phishing, or reuse of previously stolen keys—the attackers can publish malicious updates that appear completely legitimate from the registry’s perspective. As FalconFeeds.io noted, “From the registry’s perspective, every malicious publish event is indistinguishable from a routine update.” This enables the worm to propagate exponentially: each downstream user who consumes the compromised code becomes a new vector for further infection when they, in turn, publish or share derived works.

Implications and Recommendations
The Miasma campaign underscores several critical weaknesses in current software supply‑chain defenses:

1. Credential Security: Long‑lived API keys or personal access tokens that are not rotated regularly present a high‑value target. Organizations should adopt short‑lived tokens, enforce MFA, and implement automated credential‑rotation pipelines.
2. Commit‑Level Monitoring: Trusting a commit solely because it originates from a known maintainer is insufficient. Real‑time inspection of commit contents for anomalous binaries, unusually large files, or scripts that auto‑execute in developer tooling is essential.
3. Branch Protection and PR Policies: Enforcing required reviews, status checks, and prohibiting force‑pushes on main branches can reduce the risk of malicious commits slipping through unnoticed.
4. Runtime Detection in Development Environments: Since the payload executes when a repo is opened in AI‑assisted editors or via test scripts, endpoint‑based behavior monitoring that flags unexpected execution of bundled loaders (e.g., Bun‑based runners) can help detect compromise early.
5. Supply‑Chain SBOM and Provenance Tracking: Maintaining detailed Software Bills of Materials (SBOMs) and verifying provenance through signed attestations (e.g., Sigstore, in‑toto) adds a layer of verification that can catch discrepancies between expected and actual artifacts.

By addressing these areas, development teams can reduce the likelihood that a trusted repository becomes a launchpad for a self‑replicating worm like Miasma, thereby preserving the integrity of the broader open‑source ecosystem.

Conclusion
The Miasma supply‑chain attack represents a sophisticated, evolving threat that leverages stolen maintainer credentials to push malicious code through legitimate channels, bypassing traditional vulnerability‑focused defenses. Its ability to re‑infect previously compromised projects—exemplified by the durabletask ecosystem—demonstrates the persistence of the adversary and the inadequacy of static trust models. As the worm continues to mutate and spread via developer tools and AI‑assisted coding environments, organizations must adopt a holistic security posture that combines robust credential hygiene, vigilant commit monitoring, strict branch protections, runtime behavior detection, and provenance verification. Only through such layered defenses can the open‑source community hope to contain and ultimately eradicate campaigns like Miasma.