Miasma Worm Compromises 73 Microsoft GitHub Repositories in Supply Chain Attack

Severity: High (Score: 71.0)

Sources: Thehackernews, unsafe.sh, Ground.News

Published: 2026-06-07 · Updated: 2026-06-07

Keywords: microsoft, repositories, github, miasma, supply, chain, attack

Severity indicators: supply chain attack, supply chain, worm

Summary

The Miasma worm has infected 73 Microsoft GitHub repositories, including those from Azure and MicrosoftDocs. GitHub has disabled access to these repositories following the attack, which is part of an ongoing supply chain campaign. The worm is a self-replicating variant of the Mini Shai-Hulud worm and has been observed planting malicious code that harvests developer credentials. This incident follows a previous compromise of the 'durabletask' PyPI package last month, indicating a recurring vulnerability. The attack exploits legitimate channels, making it difficult for conventional defenses to detect. As of now, the worm has created numerous public repositories with malicious payloads, further spreading the threat across the ecosystem.

Key Points:

  • 73 Microsoft GitHub repositories were compromised by the Miasma worm.
  • The attack is part of a larger supply chain campaign affecting open-source ecosystems.
  • Malicious code was designed to harvest developer credentials and propagate through legitimate channels.

Detailed Analysis

**Impact** The Miasma worm compromised 73 Microsoft GitHub repositories across four organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. The attack affected multiple critical development ecosystems, including .NET, Go, Java, JavaScript, MSSQL, and protobuf implementations, as well as the Durable Task ecosystem. Developer credentials and secrets were harvested, posing risks to software supply chains and downstream users globally. GitHub disabled access to the affected repositories to contain the incident.

**Technical Details** The attack uses a self-replicating worm variant of Mini Shai-Hulud, which operates by compromising maintainer credentials rather than exploiting software vulnerabilities. Malicious code was planted directly in source repositories, bypassing npm registry poisoning, with payloads executed through developer tools such as Claude Code, Gemini CLI, Cursor, VS Code, and npm test scripts. The worm deploys a 4.3 MB staged Bun loader payload and creates repositories with names like "Hades - The End for the Damned" to distribute stolen secrets. No exploited CVEs were reported.

**Recommended Response** Immediately audit and revoke compromised credentials associated with affected repositories and enforce multi-factor authentication for maintainers. Monitor for unusual repository creation patterns and unauthorized commits, especially those linked to execution by developer tools. Disable or isolate affected repositories and scan developer environments for the Bun loader payload. Enhance detection capabilities to identify legitimately signed but malicious commits and monitor for suspicious activity in GitHub organizations.

Source articles (3)

  • Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack — Thehackernews · 2026-06-06
    Microsoft's GitHub repositories have become the latest to fall victim to the ongoing Miasma self-replicating supply chain attack campaign. The incident impacted 73 Microsoft repositories across four o…
  • Self — Ground.News · 2026-06-06
    The self-replicating Miasma worm has reached Microsoft's own GitHub repositories. GitHub disabled 73 repositories across four Microsoft organisations, including Azure, Azure-Samples, Microsoft, and Mi…
  • Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack — unsafe.sh · 2026-06-07
    Microsoft's GitHub repositories have become the latest to fall victim to the ongoing Miasma self-replicating supply chain attack campaign. The incident impacted 73 Microsoft repositories across four o…

Timeline

  • 2026-05-01 — durabletask PyPI package compromised: The 'durabletask' package was infected by TeamPCP to deliver an information stealer on Linux systems.
  • 2026-06-06 — Miasma worm detected in Microsoft repositories: GitHub disabled access to 73 repositories across four Microsoft organizations due to the Miasma worm infection.
  • 2026-06-07 — Miasma worm attack reported: The ongoing Miasma self-replicating supply chain attack was detailed, highlighting its impact on Microsoft GitHub repositories.

Related entities

  • TeamPCP (Apt Group)
  • Malware (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Worm (Attack Type)
  • Miasma (Malware)
  • Miasma Worm (Malware)
  • Mini Shai-Hulud Worm (Malware)
  • Azure (Company)
  • Azure-Samples (Company)
  • Microsoft (Company)
  • MicrosoftDocs (Company)
  • Cursor (Company)
  • falconfeeds.io (Domain)
  • T1003 - OS Credential Dumping (Mitre Attack)
  • T1195 - Supply Chain Compromise (Mitre Attack)
  • GitHub (Platform)
  • Linux (Platform)
  • Bun Loader (Tool)
  • Claude Code (Tool)
  • Gemini CLI (Tool)
  • VS Code (Tool)