Suspected Miasma worm compromises more than 70 Microsoft GitHub repositories and breaks Azure CI/CD workflows

GitHub disabled more than 70 Microsoft repositories after attackers allegedly used a compromised contributor account to push malicious commits into projects including Azure/durabletask and Azure/functions-action. StepSecurity says the Miasma worm planted configuration files that could trigger remote code execution when a developer opened the repository in an integrated development environment or AI coding tool such as Claude Code, Gemini CLI, or Cursor. The takedowns disrupted workflows that depended on Azure/functions-action@v1.
Why it matters: This affects developers and organizations that rely on Microsoft's open-source Azure tooling, with both supply-chain risk and immediate build-pipeline disruption. Teams using the affected repositories should review recent commits, rotate contributor and automation tokens, check developer machines for malicious config execution, and verify dependencies before restoring pipelines.

Sources

The ‘Miasma’ worm source code briefly leaked on GitHub
Bill Toulas 2026.06.10 82% relevant
This article adds specific technical detail about the same Miasma campaign family linked to the Microsoft repository compromises, including that the source code was deliberately leaked via compromised GitHub accounts, how it steals cloud and CI/CD secrets, abuses GitHub as its control channel, targets npm, PyPI, RubyGems and JFrog Artifactory, and includes a destructive dead-man switch that wipes files if a stolen GitHub token is revoked.
Miasma worms its way onto GitHub as attack kit goes open source
2026.06.09 95% relevant
This is a direct update on the same Miasma campaign, adding that the worm's full attack toolkit was open sourced via GitHub using previously compromised accounts, with new technical detail on its capabilities across GitHub, package registries, Artifactory, GitHub Actions, AI tool config poisoning, SSH lateral movement, and GitHub-based command-and-control.
GitHub disables Microsoft repos pushing password-stealing malware
Bill Toulas 2026.06.09 99% relevant
This article is a direct update on the same June 5 Microsoft GitHub repository compromise, adding that GitHub disabled 73 repositories for 105 seconds, Microsoft has restored them, notified a small number of potentially affected customers, and BleepingComputer ties the incident more concretely to the Miasma/Shai-Hulud supply-chain campaign and the earlier durabletask compromise.
Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks
Ionut Arghire 2026.06.09 68% relevant
The article ties the Miasma variant to the broader Shai-Hulud family and notes it emerged after the worm source code was released, helping connect the malware lineage behind related GitHub and CI/CD compromise activity.
GitHub nukes 70+ Microsoft repos, breaks CI/CD pipelines, following suspected worm infections
2026.06.08 100% relevant
The article establishes a distinct Microsoft-focused compromise event: a suspected Miasma worm infection of 73 GitHub repositories that triggered GitHub takedowns and caused downstream Azure CI/CD failures, even if it is related to the broader Mini Shai-Hulud lineage.