Miasma Worm Campaign Reaches Microsoft’s GitHub Organizations

The self-replicating Miasma worm campaign escalated into Microsoft’s Azure GitHub organizations, leading GitHub to disable 73 repositories across four Microsoft organizations in an automated sweep that lasted 105 seconds.

The repositories were disabled across the Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations. GitHub’s automated systems marked them with a terms-of-service violation between 16:00:50 and 16:02:35 UTC on June 5, 2026.

The incident represents another stage in a broader supply chain attack that began earlier with compromised Red Hat npm packages. What makes this phase especially notable is the shift in targeting: instead of focusing only on poisoned package releases, the campaign moved into GitHub repositories and developer tooling workflows.

How the Microsoft GitHub Repository Attack Unfolded

The attack began with a previously compromised contributor account that pushed a malicious commit into the Azure/durabletask repository. That commit planted configuration files designed to trigger a credential-harvesting payload when developers opened the repository in AI coding tools.

The affected development environments included:

  • Claude Code
  • Gemini CLI
  • Cursor
  • VS Code

This made the attack different from a conventional dependency compromise. The payload was not simply hidden inside a package waiting to be installed. It was placed in repository configuration files that could be activated through the behavior of modern AI-assisted coding environments.

That matters because these tools often interact deeply with project files. And when a repository contains malicious configuration, developers may be exposed simply by opening or working with the project in a supported coding assistant or editor workflow.

GitHub’s 105-Second Automated Repository Sweep

GitHub responded by disabling 73 repositories in a rapid automated action. The takedown window lasted from 16:00:50 to 16:02:35 UTC, covering repositories across four Microsoft-linked GitHub organizations.

The disabled repositories included the widely used Azure Functions Action. That disruption created potential deployment issues for developers who reference the action using mutable tags instead of pinned commit hashes.

The distinction is important. A mutable tag can change over time, meaning a workflow may pull whatever code the tag points to at the moment it runs. A pinned full commit SHA, by contrast, locks the workflow to a specific version of the action. In this incident, developers relying on mutable tags were more exposed to disruption when the repository became unavailable.

Azure Functions Action Disruption and Deployment Risk

The disabling of Azure Functions Action affected deployment workflows that depended on the repository being available. Developers using the action through mutable tags faced a direct interruption risk because their workflows depended on a moving reference rather than a fixed commit.

Organizations using affected Azure GitHub Actions were advised to pin actions to full commit SHAs. They were also advised to rotate Azure CLI tokens and managed-identity credentials, especially where those credentials may have been accessible through affected workflows or developer environments.

Affected organizations were also advised to use alternative deployment methods, including Azure CLI or Zip Deploy, until the repositories are restored.

Miasma’s Origins in the Red Hat npm Compromise

The Miasma campaign first surfaced when malicious code was identified in at least 32 package releases under the @redhat-cloud-services npm namespace.

Those packages contained a 4.2 MB obfuscated JavaScript payload. The payload was triggered by an npm preinstall hook, allowing it to harvest credentials and then propagate itself to other packages the victim had permission to publish.

Microsoft’s own security blog described the campaign as having compromised more than 90 versions of Red Hat packages. The root cause was traced to a compromised Red Hat employee GitHub account that was used to push unauthorized commits that bypassed code review.

The malware is derived from the Mini Shai-Hulud worm, which the group TeamPCP open-sourced in May 2026.

Credential Harvesting and Self-Propagation

Miasma’s behavior follows a dangerous pattern for software supply chain attacks: steal credentials, then use those credentials to spread.

In the Red Hat npm compromise, the malicious payload harvested credentials through the npm preinstall process. Once it gained access, it could propagate to other packages that the victim was able to publish.

In the Microsoft GitHub repository incident, the campaign evolved by targeting AI coding agents and repository configuration files. This approach expanded the attack surface beyond package installation and into everyday development workflows.

The same contributor account tied to the Microsoft repository compromise had also been previously linked to three malicious versions of Microsoft’s durabletask PyPI package uploaded on May 19.

Why AI Coding Tools Became the New Attack Surface

The Microsoft repository compromise shows how attackers are adapting to the way developers now work. AI coding assistants and editor-integrated tools can read configuration files, run project commands, and interact with codebases in ways that create new opportunities for abuse.

Rather than poisoning only a package registry, the attacker planted configuration files aimed at AI coding assistants. That shift matters because it targets the moment a developer opens or works with a repository, not just the moment a dependency is installed.

This turns trusted development environments into a potential execution path. And honestly, that’s what makes this kind of campaign so uncomfortable: the workflow itself becomes the target.

The tools named in the incident — Claude Code, Gemini CLI, Cursor, and VS Code — are part of the modern developer stack. When malicious configuration files are placed inside a repository, the risk moves closer to routine coding activity.
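The article does not say which configuration files were planted, so the following added example (not code from the article or any of the named tools) takes a defender's view of the problem: before a freshly cloned repository is opened in an editor or agent, inventory the files these tools read automatically and flag entries that run commands without a developer action. The file paths are assumed from the tools' documented conventions, and the repository it builds is a constructed fixture.

```python
import json
import os
import tempfile
from typing import Any, List

# Repository files that coding agents and editors read on their own when a
# project is opened. Paths are assumed from the tools' conventions; the
# article does not name the files the attacker used.
AGENT_CONFIG_PATHS = [
    "CLAUDE.md", ".claude/settings.json",   # Claude Code
    "GEMINI.md", ".gemini/settings.json",   # Gemini CLI
    ".cursorrules", ".cursor/rules",        # Cursor
    ".vscode/tasks.json",                   # VS Code
]

def _load_json(path: str) -> Any:
    """Parse a JSON file; None if absent or unparsable (JSONC with comments
    lands here too, so None for a present file still merits a manual look)."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return None

def audit_repo(repo: str) -> List[str]:
    """Inventory agent/editor configuration in a cloned repository and flag
    entries that cause command execution without a developer action."""
    findings = [f"present: {p}" for p in AGENT_CONFIG_PATHS
                if os.path.exists(os.path.join(repo, p))]
    tasks = _load_json(os.path.join(repo, ".vscode", "tasks.json")) or {}
    for task in tasks.get("tasks", []):
        # VS Code can start a task when the folder is opened, no click needed.
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            findings.append(f"folderOpen task {task.get('label')!r} runs {task.get('command')!r}")
    claude = _load_json(os.path.join(repo, ".claude", "settings.json")) or {}
    if isinstance(claude.get("hooks"), dict):
        findings.append("Claude Code hooks: " + ", ".join(sorted(claude["hooks"])))
    return findings

def build_sample_repo() -> str:
    """Constructed repository with an auto-run VS Code task (not real data)."""
    repo = tempfile.mkdtemp()
    os.makedirs(os.path.join(repo, ".vscode"))
    with open(os.path.join(repo, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        json.dump({"version": "2.0.0", "tasks": [{
            "label": "setup", "type": "shell", "command": "sh ./scripts/setup.sh",
            "runOptions": {"runOn": "folderOpen"}}]}, fh)
    with open(os.path.join(repo, "CLAUDE.md"), "w", encoding="utf-8") as fh:
        fh.write("# Project notes\n")
    return repo

if __name__ == "__main__":
    print("\n".join(audit_repo(build_sample_repo())))
```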

Organizations using affected Azure GitHub Actions were advised to take immediate defensive steps. The key recommendations focused on reducing dependency on mutable references, rotating credentials, and using alternative deployment paths while repositories remain unavailable.

Pin GitHub Actions to Full Commit SHAs

Teams should pin actions to full commit SHAs rather than relying on mutable tags. This creates a fixed reference point and reduces exposure when tags or upstream repositories change unexpectedly.
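The mutable-tag versus commit-SHA distinction drawn earlier, and the pinning recommendation here, can be checked mechanically: scan each workflow file for `uses:` references whose ref is not a full 40-character commit SHA. This is an added example, not code from the article, GitHub or Microsoft; the workflow text and the 40-hex value are constructed placeholders, and Azure/functions-action is assumed to be the repository slug of the Azure Functions Action.

```python
import re
from typing import List, Tuple

# A `uses:` step reference looks like owner/repo[/path]@ref. Local (./...) and
# docker:// references do not resolve through a GitHub tag and are skipped.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def find_unpinned_actions(workflow_yaml: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, action, ref) for each remote action whose ref is
    not a full 40-hex commit SHA: tags such as v1 or v1.2.3, branches such as
    main, and abbreviated SHAs are all mutable or ambiguous and get reported."""
    findings = []
    for lineno, line in enumerate(workflow_yaml.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref_spec = m.group(1)
        if ref_spec.startswith("./") or ref_spec.startswith("docker://"):
            continue
        action, _, ref = ref_spec.partition("@")
        if not FULL_SHA_RE.match(ref):
            findings.append((lineno, action, ref or "<missing>"))
    return findings

# Constructed workflow (not from the article). The 40-hex value is a
# placeholder, not a real commit; Azure/functions-action is assumed to be
# the repository slug of the Azure Functions Action the article mentions.
SAMPLE_WORKFLOW = """\
name: deploy
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: Azure/functions-action@v1
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
"""

if __name__ == "__main__":
    for lineno, action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} is not pinned to a full commit SHA")
```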

Rotate Azure CLI Tokens and Managed-Identity Credentials

Azure CLI tokens and managed-identity credentials should be rotated. This is especially important where credentials may have been exposed through compromised repository workflows, developer tools, or automated deployment processes.

Use Alternative Deployment Methods

Until affected repositories are restored, organizations were advised to deploy through other methods, including Azure CLI or Zip Deploy.

These steps do not change the fact that the campaign has already moved across multiple ecosystems. But they do help limit the blast radius for teams depending on affected Azure GitHub Actions.

Broader Supply Chain Security Impact

The Microsoft repository incident marks a tactical evolution in the Miasma campaign. It began with compromised Red Hat npm packages, then moved into Microsoft-linked GitHub repositories and AI coding tool configuration.

That progression shows how modern software supply chain attacks are no longer limited to one ecosystem, one package manager, or one dependency path. The campaign touched npm packages, PyPI package activity, GitHub repositories, Azure deployment workflows, and AI-assisted developer environments.

The Miasma worm’s ability to harvest credentials and self-propagate makes repository hygiene, credential rotation, and pinned dependencies more than best practices. In this kind of campaign, they become practical containment measures.