Miasma Worm Compromises Microsoft GitHub Repositories in Sophisticated Supply Chain Attack

Microsoft's GitHub repositories have become the latest victims in the ongoing Miasma self-replicating supply chain attack campaign, with 73 repositories across four of its GitHub organizations being compromised. According to security researchers at OpenSourceMalware, the affected repositories include those from Azure, Azure-Samples, Microsoft, and MicrosoftDocs, prompting GitHub to disable access to these repositories due to terms of service violations.

When attempting to access the compromised "Azure/azure-functions-host" repository, users now see a message stating: "Access to this repository has been disabled by GitHub Staff due to a violation of GitHub's terms of service. If you are the owner of the repository, you may reach out to GitHub Support for more information."

Among the repositories impacted are several high-profile projects including azure-search-openai-demo-purviewdatasecurity, Connectors-NET-LSP, durabletask, durabletask-dotnet, durabletask-go, durabletask-js, durabletask-mssql, functions-container-action, homebrew-functions, llm-fine-tuning, and windows-driver-docs.

Re-compromise of Previously Infected Infrastructure

What makes this campaign particularly concerning is the re-compromise of the "durabletask" PyPI package, which was previously infected by TeamPCP just last month to deliver an information stealer targeting Linux systems. Security researcher Paul McCarty (aka 6mile) highlighted the significance of this development:

"A month later, not only is Azure/durabletask gone - so is every sibling repo in the Durable Task ecosystem, sitting one org over in Microsoft: the .NET, Go, Java, JS, MSSQL, Netherite, and protobuf implementations, plus the Durable Functions monitor. When the repo at the root of last month's compromise is the hub of this month's takedown, that is not a coincidence - that is the same wound reopening. Whoever held those credentials in May plausibly never fully lost them."

Evolution of the Miasma Worm

Miasma is now assessed to be a variant of the Mini Shai-Hulud worm that TeamPCP publicly released in mid-May 2026. The campaign has continued to mutate and refine its tactics, with attackers creating numerous repositories containing stolen secrets. As of the latest reports, there are 13 repositories with the description "Hades - The End for the Damned" and 82 repositories with variations of "Miasma: The Spreading Blight."

Notably, the attackers have demonstrated adaptability by sometimes skipping the npm registry entirely. In one case, they pushed malicious code directly to "icflorescu/mantine-datatable" and four related repositories: "mantine-contextmenu," "next-server-actions-parallel," "mantine-datatable-v6," and "mantine-contextmenu-v6."

Technical Analysis of the Attack Vector

According to researchers at SafeDep, the attack method is particularly insidious:

"The commit added no dependencies. It planted a 4.3 MB payload runner and wired it to execute automatically through five developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script. The attack detonates when a developer clones one of the affected repos and opens it in an AI coding agent. The dropper is the same staged Bun loader, here repurposed for GitHub source-repo persistence rather than registry poisoning."

This approach represents a sophisticated evolution in supply chain attacks, leveraging the increasing integration of AI coding assistants into developer workflows.

Exploiting the Trust Model

These software supply chain attacks have exposed fundamental weaknesses in the trust model that underpins software delivery in open-source ecosystems. FalconFeeds.io provided critical insight into why conventional defenses have been largely ineffective against such attacks:

"The worm's genius and the reason conventional defences largely failed is that it operates entirely within legitimate channels. It does not exploit a vulnerability in npm or GitHub. It exploits the trust model those platforms are built on: the assumption that if a package is signed with a valid key and published by an authenticated maintainer, it is safe."

The researchers further explained that the attackers compromise both the key and the maintainer, then proceed to act exactly as legitimate publishers would. From the registry's perspective, every malicious publish event is indistinguishable from a routine update.

Practical Mitigation Strategies

For organizations and developers concerned about such supply chain attacks, several defensive measures should be considered:

1. Implement strict code signing requirements for all packages and repositories
2. Adopt multi-factor authentication for all developer accounts and privileged access
3. Regularly audit repository permissions and access controls
4. Monitor for unusual commit patterns or unexpected changes in popular repositories
5. Use dependency scanning tools that can detect suspicious code changes
6. Limit the use of automated tools that execute code automatically when repositories are cloned
7. Educate developers about the risks of using AI coding assistants with untrusted repositories

Broader Implications for the Open-Source Ecosystem

This attack represents one of the most significant and sustained supply chain campaigns observed to date, demonstrating how threat actors can exponentially propagate across ecosystems by compromising downstream users and repeating the attack cycle. The ability of the Miasma worm to compromise high-profile Microsoft repositories underscores the systemic nature of this threat.

As open-source software becomes increasingly critical to infrastructure worldwide, the industry must develop more robust authentication and verification mechanisms that cannot be easily bypassed through compromised credentials. The current trust model, while convenient, appears fundamentally vulnerable to sophisticated attackers who can maintain persistence through legitimate channels.

The Miasma campaign serves as a stark reminder that security in the open-source ecosystem requires not just technological solutions but also improved practices around credential management, access controls, and continuous monitoring of the software supply chain.