Miasma Worm Compromises 73 Microsoft GitHub Repositories
Severity: High (Score: 68.0)
Sources: Feeds.4Sysops, Securityaffairs.Co, Mlq.Ai
Keywords: miasma, worm, microsoft, github, repositories, compromises, coding
Severity indicators: worm
Summary
The Miasma worm has compromised 73 Microsoft GitHub repositories, prompting Microsoft to disable them. The worm spreads through AI coding tools and has been reported to steal cloud credentials from developers and CI/CD systems. Critical projects affected include the Azure durabletask Python package and core Azure infrastructure components. This incident marks a significant escalation in supply chain attacks targeting the open-source ecosystem. Microsoft has taken immediate action to mitigate the threat by disabling the compromised repositories. The attack highlights vulnerabilities in developer environments and the risks associated with AI-assisted coding tools. As of now, the situation is ongoing, and further investigations are likely to follow.
Key Points:
- Miasma worm compromised 73 Microsoft GitHub repositories, affecting critical Azure projects.
- The attack utilized AI coding tools to spread and steal cloud credentials from developers.
- Microsoft has temporarily disabled the affected repositories to mitigate the threat.
Detailed Analysis
**Impact** Seventy-three Microsoft GitHub repositories were compromised, including critical projects such as the Azure durabletask Python package, azure-functions-host, and the entire Durable Task family. The attack affected core Azure infrastructure and developer environments, potentially exposing cloud credentials and impacting Microsoft’s cloud services globally. This incident disrupts development workflows and poses risks to the broader open-source supply chain ecosystem.

**Technical Details** The Miasma worm is a self-replicating malware that spread via AI coding tools by leveraging compromised contributor credentials. It injected malicious code into repositories and stole cloud credentials from developers and CI/CD systems. Microsoft disabled the affected repositories to contain the spread. No CVEs or specific infrastructure details were provided in the articles.

**Recommended Response** Immediately audit and revoke compromised contributor credentials and rotate all affected cloud credentials. Monitor for unusual activity in CI/CD pipelines and developer environments, focusing on AI coding tool integrations. Harden access controls on repositories and enforce multi-factor authentication. No specific patches or IOCs were provided; defenders should monitor for worm-like propagation behavior and unauthorized code injections.
Source articles (3)
- Miasma Worm Compromises 73 Microsoft GitHub Repositories — Securityaffairs.Co · 2026-06-09
  The Miasma worm compromised 73 Microsoft GitHub repos, spreading via AI coding tools and stealing cloud credentials from developers and CI/CD systems. A self-replicating worm called Miasma has comprom…
- Miasma Worm Hits 73 Microsoft GitHub Repos in Second Supply — Mlq.Ai · 2026-06-09
  GitHub disabled 73 Microsoft-owned repositories on June 5 after a compromised contributor account pushed credential-harvesting malware into the Azure/durabletask project, the second time in three week…
- Miasma worm compromises Microsoft GitHub repositories via AI coding tools — Feeds.4Sysops · 2026-06-09
  Microsoft has temporarily disabled 73 of its GitHub repositories across organizations like Azure and MicrosoftDocs following a compromise by the self-replicating Miasma worm. The attack utilized compr…
Timeline
- 2026-06-09 — Miasma worm compromises GitHub repositories: The Miasma worm was confirmed to have compromised 73 Microsoft GitHub repositories, leading to their temporary disablement.
- 2026-06-09 — Microsoft disables affected repositories: Microsoft disabled the compromised repositories, including critical Azure infrastructure components, to prevent further damage.
Related entities
- TeamPCP (Apt Group)
- Supply Chain Attack (Attack Type)
- Worm (Attack Type)
- Miasma Worm Campaign (Campaign)
- GitHub (Platform)
- Azure Functions (Platform)
- Kubernetes (Platform)
- PyPI (Platform)
- Microsoft (Company)
- Azure (Company)
- Cursor (Company)
- Technology (Industry)
- Miasma (Malware)
- Miasma Worm (Malware)
- Mini Shai-Hulud Worm (Malware)
- T1078 - Valid Accounts (Mitre Attack)
- T1195 - Supply Chain Compromise (Mitre Attack)
- Claude Code (Tool)
- Docker (Tool)
- Gemini CLI (Tool)
- Npm (Tool)