Miasma Worm Compromises 73 Microsoft GitHub Repositories

Severity: High (Score: 67.5)

Sources: Gbhackers, Darkreading, www.stepsecurity.io, Cybersecuritynews, Thenewstack

Published: 2026-06-10 · Updated: 2026-06-10

Keywords: microsoft, worm, repositories, github, packages, weaponized, deploy

Severity indicators: weaponized, malware, worm, stealer, password stealer

Summary

On June 8, 2026, Microsoft disabled 73 GitHub repositories after a malware attack linked to the Miasma supply chain worm. The attack exploited a compromised GitHub account, which had previously been involved in a May incident where malicious versions of Microsoft's durabletask Python SDK were published. The Miasma worm disrupted CI/CD workflows globally, affecting organizations using the Azure/functions-action GitHub Action. Researchers from StepSecurity confirmed that the same contributor account was used in both incidents, suggesting inadequate credential rotation. Microsoft has not disclosed the number of affected developers but has restored the repositories after investigation. The incident highlights ongoing vulnerabilities in software supply chains and the need for improved security measures.

Key Points:

  • 73 Microsoft GitHub repositories were disabled due to a malware attack on June 8, 2026.
  • The Miasma worm disrupted CI/CD workflows globally, impacting Azure Functions deployments.
  • The attack is linked to a previous incident involving compromised publishing credentials for a Python SDK.

Detailed Analysis

**Impact** Seventy-three Microsoft GitHub repositories were compromised, primarily affecting the Azure Functions ecosystem and disrupting CI/CD workflows globally. The compromised durabletask Python SDK, downloaded approximately 400,000 times monthly, was weaponized to deploy malware stealing credentials and secrets. Microsoft notified a small number of customers who may have pulled affected content, but the total number of impacted developers remains undisclosed. The attack affected organizations worldwide relying on these repositories and GitHub Actions.

**Technical Details** The attack involved a variant of the Mini Shai-Hulud worm called Miasma, which propagated through compromised contributor accounts and authentication tokens. The threat actor TeamPCP published three malicious versions of Microsoft's durabletask Python SDK on PyPI, embedding a modular cloud intrusion framework "rope.pyz" capable of credential theft and destructive payloads. The worm spread rapidly, infecting 73 repositories within 105 seconds, exploiting token-based trust in publishing pipelines without exploiting known CVEs. Malicious commits were made using compromised or spoofed contributor credentials.

**Recommended Response** Defenders should immediately rotate all credentials and authentication tokens associated with affected repositories and PyPI packages. Implement strict behavioral anomaly detection for publishing pipelines and enforce multi-factor authentication on contributor accounts. Monitor for unusual commit activity and unauthorized package uploads, and block indicators related to the Miasma worm and TeamPCP infrastructure where available. Microsoft and other organizations should verify complete remediation before restoring repository access.
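
The "monitor for unusual commit activity" recommendation, sketched as an added example that is not taken from the source articles: a sliding-window check that flags any actor pushing to many distinct repositories within the 105-second window reported for this incident. The record fields (`ts`, `actor`, `action`, `repo`), the sample log and the five-repository threshold are constructed assumptions, not GitHub's export schema.

```python
import json
from collections import defaultdict, deque

WINDOW_SECONDS = 105     # window reported for this incident
MIN_DISTINCT_REPOS = 5   # assumed threshold; tune to your organization's baseline

def find_push_bursts(lines, window=WINDOW_SECONDS, min_repos=MIN_DISTINCT_REPOS):
    """Return [(actor, first_ts, last_ts, repos)] for every actor whose pushes
    reach at least `min_repos` distinct repositories within `window` seconds."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
            if ev.get("action") != "git.push":
                continue
            events.append((float(ev["ts"]), ev["actor"], ev["repo"]))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed records instead of aborting the scan
    events.sort()
    recent = defaultdict(deque)  # actor -> (ts, repo) pairs still inside the window
    alerts = {}
    for ts, actor, repo in events:
        q = recent[actor]
        q.append((ts, repo))
        while ts - q[0][0] > window:
            q.popleft()
        repos = sorted({r for _, r in q})
        best = alerts.get(actor)
        # Keep the widest burst seen for each actor.
        if len(repos) >= min_repos and (best is None or len(repos) > len(best[3])):
            alerts[actor] = (actor, q[0][0], ts, repos)
    return sorted(alerts.values())

# Constructed sample: one actor fans out to 6 repositories in 50 seconds,
# a release bot pushes once every 30 minutes, plus noise and a malformed line.
SAMPLE_LOG = (
    [json.dumps({"ts": 1000 + 10 * i, "actor": "contrib-a", "action": "git.push",
                 "repo": f"example-org/repo-{i}"}) for i in range(6)]
    + [json.dumps({"ts": 1000 + 1800 * i, "actor": "release-bot", "action": "git.push",
                   "repo": f"example-org/svc-{i}"}) for i in range(6)]
    + ['{"ts": 1005, "actor": "contrib-a", "action": "repo.create", "repo": "example-org/x"}',
       "not json"]
)

if __name__ == "__main__":
    for actor, start, end, repos in find_push_bursts(SAMPLE_LOG):
        print(f"{actor}: {len(repos)} repos in {end - start:.0f}s")
```
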

Source articles (5)

  • Miasma Supply Chain Worm Burrows Into 73 Microsoft Repositories — Darkreading · 2026-06-09
    The attacks stemmed from a GitHub account that was also compromised in a Miasma attack on Microsoft last month. A variant of the infamous Shai-Hulud worm wreaked havoc on Microsoft's code repositories…
  • 73 Microsoft Packages Weaponized to Deploy Password Stealer Malware — Cybersecuritynews · 2026-06-10
    Seventy-three Microsoft repositories on GitHub were suddenly disabled on June 8, 2026, after a self-replicating worm infected a large portion of the company’s Azure Functions ecosystem. The entire swe…
  • 73 Microsoft Packages Weaponized in Password Stealer Attack — Gbhackers · 2026-06-10
    GitHub disabled 73 repositories across four Microsoft organizations Azure, Azure-Samples, microsoft, and MicrosoftDocs inside a 105-second window. Each repo now shows GitHub’s “This repository has bee…
  • Microsoft pulled 73 GitHub repos after malware attack — but still won't say who's compromised — Thenewstack · 2026-06-10
    As reported by 404 Media, researchers from StepSecurity stated the affected GitHub repositories were shuttered after a malicious commit was uploaded to the durabletask repository. Microsoft still has…
  • Microsofts Durabletask Pypi Package Compromised In Supply Chain Attack — www.stepsecurity.io · 2026-06-09

Timeline

  • 2026-05-19 — Malicious versions of durabletask SDK published: Three poisoned versions of Microsoft's durabletask Python SDK were uploaded to PyPI, compromising the package.
  • 2026-06-08 — 73 GitHub repositories disabled: Microsoft disabled 73 repositories after a malicious commit linked to the Miasma worm was uploaded.
  • 2026-06-10 — Microsoft confirms repository restoration: Microsoft announced that the disabled repositories have been restored after reviewing potential malicious content.

Related entities

  • Malware (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Worm (Attack Type)
  • Anthropic (Company)
  • Google (Company)
  • Microsoft (Company)
  • Red Hat (Company)
  • Azure (Company)
  • Cursor (Company)
  • attacks.in (Domain)
  • Miasma (Malware)
  • Miasma Worm (Malware)
  • Mini Shai-Hulud (Malware)
  • Shai-hulud (Malware)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1195 - Supply Chain Compromise (Mitre Attack)
  • T1550 - Use Alternate Authentication Material (Mitre Attack)
  • Azure Functions (Platform)
  • GitHub (Platform)
  • PyPI (Platform)
  • Visual Studio Code (Platform)
  • Claude Code (Tool)
  • Gemini CLI (Tool)
  • Npm (Tool)
  • Rope.pyz (Tool)