
Miasma Worm Compromises 73 Microsoft Repositories, Deploys Malicious Code

Severity: High (Score: 68.0)

Sources: Cybersecuritynews, Darkreading, www.stepsecurity.io

Published: 2026-06-10 · Updated: 2026-06-10

Keywords: microsoft, worm, repositories, github, packages, weaponized, deploy

Severity indicators: weaponized, malware, worm, stealer, password stealer

Summary

On June 8, 2026, a self-replicating worm named Miasma infected 73 Microsoft repositories on GitHub, leading to their immediate shutdown. The attack originated from a compromised GitHub account linked to a previous incident involving Microsoft's PyPI package. The worm disrupted CI/CD workflows globally, particularly affecting Azure Functions due to the disabling of the Azure/functions-action. The Miasma worm is a variant of the Mini Shai-Hulud worm, which had previously targeted Red Hat npm packages. Microsoft confirmed the compromise of its durabletask Python SDK, which had been downloaded 400,000 times monthly before being taken down. The attack raised concerns about the security of software supply chains and the effectiveness of Microsoft's response to prior incidents. Researchers connected the worm's propagation to TeamPCP, a group known for similar attacks. The incident highlights the vulnerabilities within the software development lifecycle and the need for improved security measures.

Key Points:

  • 73 Microsoft repositories were disabled due to a self-replicating worm attack.
  • The Miasma worm disrupted CI/CD workflows globally, particularly affecting Azure Functions.
  • The attack is linked to a compromised GitHub account and previous incidents involving Microsoft packages.

Detailed Analysis

**Impact** Seventy-three Microsoft GitHub repositories, primarily related to the Azure Functions ecosystem, were compromised and temporarily disabled, disrupting CI/CD workflows globally. The affected repositories included widely used components such as Azure/functions-action, which halted workflows referencing it. The compromised Microsoft durabletask Python SDK package on PyPI, downloaded approximately 400,000 times monthly, contained malicious code capable of stealing credentials and deploying destructive payloads, potentially impacting organizations worldwide that rely on these tools.

**Technical Details** The attack involved a variant of the Mini Shai-Hulud worm called Miasma, which propagated via compromised contributor accounts and authentication tokens. The attackers bypassed build pipelines and injected malicious commits into official Microsoft repositories, deploying a modular cloud intrusion framework named "rope.pyz" capable of secret theft and wiper functionality. The attack unfolded rapidly, with all 73 repositories flagged and disabled within 105 seconds on June 8, 2026. No specific CVEs were mentioned in the reports.

**Recommended Response** Organizations should immediately audit and rotate credentials and authentication tokens associated with affected repositories and contributor accounts. Monitor for unusual activity involving Azure/functions-action and durabletask Python SDK usage. Implement strict access controls and review CI/CD pipeline security configurations to prevent unauthorized commits. Microsoft and downstream users should track updates from official sources for restored and verified repository versions.
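As a starting point for the audit recommended above, the following added example (not code from Microsoft or the cited sources) inventories where a repository references Azure/functions-action in workflow files and durabletask in requirements files. The pin classification, the regexes and the sample inputs are assumptions of this example; the report gives no affected version numbers, so none are checked.

```python
import re

# ACTION and PACKAGE are the names given in the report; all else is assumed.
ACTION = "azure/functions-action"
PACKAGE = "durabletask"
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^@\s'\"#]+)(?:@([^\s'\"#]+))?", re.I)
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_no, ref, pin_kind) for every step that uses ACTION."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).lower() != ACTION:
            continue
        ref = m.group(2) or ""
        # Only a full commit SHA is immutable; tags and branches can be moved.
        kind = "sha" if SHA_RE.match(ref) else ("mutable" if ref else "unpinned")
        hits.append((no, ref, kind))
    return hits


def audit_requirements(text):
    """Return (line_no, specifier) for every requirement naming PACKAGE."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.match(line.split("#", 1)[0].strip())
        # PyPI names compare case-insensitively, with -, _ and . equivalent.
        if m and re.sub(r"[-_.]+", "-", m.group(1)).lower() == PACKAGE:
            hits.append((no, m.group(2).strip()))
    return hits


# Constructed sample inputs (not taken from any real repository).
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - name: Deploy
    uses: Azure/functions-action@v1
  - uses: azure/functions-action@0123456789abcdef0123456789abcdef01234567
"""
SAMPLE_REQUIREMENTS = """\
requests==2.32.0
DurableTask>=0.1  # constructed specifier
durabletask-extras==1.0
"""
```

Run both functions over every file under `.github/workflows/` and every requirements file, then compare the resulting references against the restored and verified versions that official sources publish.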

Source articles (3)

  • Miasma Supply Chain Worm Burrows Into 73 Microsoft Repositories — Darkreading · 2026-06-09
    The attacks stemmed from a GitHub account that was also compromised in a Miasma attack on Microsoft last month. A variant of the infamous Shai-Hulud worm wreaked havoc on Microsoft's code repositories…
  • 73 Microsoft Packages Weaponized to Deploy Password Stealer Malware — Cybersecuritynews · 2026-06-10
    Seventy-three Microsoft repositories on GitHub were suddenly disabled on June 8, 2026, after a self-replicating worm infected a large portion of the company’s Azure Functions ecosystem. The entire swe…
  • Microsofts Durabletask Pypi Package Compromised In Supply Chain Attack — www.stepsecurity.io · 2026-06-09

Timeline

  • 2026-05-19 — Compromised Microsoft PyPI package published: Three poisoned versions of the durabletask Python SDK were uploaded, containing malicious code.
  • 2026-06-08 — 73 Microsoft repositories disabled: A self-replicating worm infected repositories, leading to their shutdown in just 105 seconds.
  • 2026-06-09 — Research confirms Miasma worm's connection to TeamPCP: StepSecurity linked the Miasma worm to previous attacks by TeamPCP, highlighting ongoing supply chain threats.

Related entities

  • Malware (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Worm (Attack Type)
  • Anthropic (Company)
  • Google (Company)
  • Microsoft (Company)
  • Red Hat (Company)
  • Cursor (Company)
  • attacks.in (Domain)
  • Miasma (Malware)
  • Mini Shai-Hulud (Malware)
  • Shai-hulud (Malware)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1195 - Supply Chain Compromise (Mitre Attack)
  • T1550 - Use Alternate Authentication Material (Mitre Attack)
  • Azure Functions (Platform)
  • GitHub (Platform)
  • PyPI (Platform)
  • Visual Studio Code (Platform)
  • Claude Code (Tool)
  • Gemini CLI (Tool)
  • Npm (Tool)
  • Rope.pyz (Tool)