GitHub Disabled 70+ Microsoft Repos After Miasma Supply-Chain Malware Hit AI Dev Tools
GitHub disabled more than 70 Microsoft-owned repositories after detecting a suspected Miasma worm campaign that inserted malicious code into open source projects and disrupted dependent CI/CD workflows. Researchers said the incident began with a compromised contributor account pushing a malicious commit to Azure/durabletask, adding configuration files that could trigger remote code execution when developers opened the repository in IDEs or AI coding tools including Claude Code, Gemini CLI, and Cursor. Microsoft’s response was unusual because it shut down its own repositories rather than only removing the offending content, and GitHub reportedly disabled 73 repositories in rapid succession after automated detections fired.
The activity appears tied to a broader supply-chain operation linked to earlier compromises of Microsoft’s durabletask PyPI package and to a newer campaign tracked by StepSecurity as Hades, which it describes as an evolution of Miasma. StepSecurity said the malware uses obfuscated Python import hooks to fetch additional payloads, scrape memory across Linux, macOS, and Windows, steal cloud and developer credentials, abuse GitHub Actions and OIDC/Sigstore workflows, move laterally over SSH/SCP, and backdoor IDE and AI assistant configuration files. The campaign also reportedly uses GitHub-based command-and-control and includes a token-monitoring component that can trigger a destructive wiper if a stolen GitHub token is revoked, underscoring the risk to software supply chains and AI-assisted development environments.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Attackers publish 32 malicious npm packages via Red Hat namespace abuse
Researchers said the Miasma campaign compromised a Red Hat employee’s GitHub account, abused the @redhat-cloud-services npm namespace, and used legitimate GitHub OIDC tokens to publish 32 malicious npm package versions with valid SLSA provenance attestations. The releases appeared trusted to standard scanners, illustrating a supply-chain trust abuse rather than exploitation of a GitHub or npm vulnerability.
Microsoft says all affected GitHub repos were restored and are safe
Microsoft said that after its investigation, all affected repositories disabled on June 5 were restored and are now considered clean and safe to use. The statement updates the earlier status in which only some repositories had been restored while others remained offline.
Microsoft restores some repos and notifies potentially affected customers
Microsoft said some of the disabled GitHub-hosted repositories were restored after review while others remained offline during the investigation. The company also said it notified a small number of potentially affected customers about the compromise.
StepSecurity demo detects malware reading GitHub Actions runner memory
During a demonstration run, StepSecurity reported that its Harden-Runner product detected and blocked the malware's attempt to read GitHub Actions Runner.Worker memory. This provided an observed example of the campaign's credential- and secret-theft behavior.
StepSecurity identifies Hades Campaign PyPI compromises
On June 8, multiple PyPI packages, including ensmallen 0.8.101, were identified as compromised in a supply-chain operation tracked as the Hades Campaign. StepSecurity described the campaign as an evolution of the Miasma threat actor using obfuscated import hooks, GitHub-based C2 and exfiltration, SSH/SCP worm-like spread, GitHub Actions abuse, and AI-tooling backdoors.
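A Python import hook is installed by placing a finder on sys.meta_path or sys.path_hooks, and the usual way to make one survive interpreter restarts is a .pth file in site-packages, since CPython's site module executes any .pth line that begins with "import" at startup. The audit below is an added defensive example, not code from StepSecurity, Microsoft, or any report cited on this page, and it makes no claim about how this particular campaign persists; it simply enumerates both locations so an incident responder can review them. KNOWN_FINDER_MODULES is an assumed baseline for a stock CPython and will need additions for legitimate hooks in your environment (editable installs, coverage tools, some build backends).

```python
"""Audit a Python environment for import-hook persistence.

Added defensive example (not from the article, StepSecurity, or Microsoft).
Checks two places where code can be made to run on import or at startup:
  1. .pth files in site-packages: site.py executes any line that starts with
     "import " (documented CPython behaviour), so one line can install a hook.
  2. sys.meta_path and sys.path_hooks: a custom finder there sees every import.
"""
import site
import sys
from pathlib import Path

# Modules that define CPython's own finders. Assumed baseline for a stock
# interpreter; add the modules of hooks you know are legitimate in your env.
KNOWN_FINDER_MODULES = {
    "importlib._bootstrap",
    "importlib._bootstrap_external",
    "_frozen_importlib",
    "_frozen_importlib_external",
    "zipimport",
}


def executable_pth_lines(directories):
    """Return (path, line_no, text) for each .pth line that site.py would exec."""
    findings = []
    for directory in directories:
        for pth in sorted(Path(directory).glob("*.pth")):
            try:
                lines = pth.read_text(encoding="utf-8", errors="replace").splitlines()
            except OSError:
                continue
            for line_no, raw in enumerate(lines, start=1):
                # Same test site.addpackage() applies; comments and path lines are inert.
                if raw.startswith(("import ", "import\t")):
                    findings.append((str(pth), line_no, raw.strip()))
    return findings


def _defining_module(obj):
    """Module that defines a finder, whether it is a class, instance or function."""
    return getattr(obj, "__module__", None) or type(obj).__module__


def unexpected_import_hooks():
    """Return (where, repr, module) for finders/hooks not defined by CPython itself."""
    odd = []
    for finder in sys.meta_path:
        mod = _defining_module(finder)
        if mod not in KNOWN_FINDER_MODULES:
            odd.append(("sys.meta_path", repr(finder), mod))
    for hook in sys.path_hooks:
        mod = _defining_module(hook)
        if mod not in KNOWN_FINDER_MODULES:
            odd.append(("sys.path_hooks", repr(hook), mod))
    return odd


def site_dirs():
    """site-packages directories the running interpreter consults."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    user = site.getusersitepackages()
    if user:
        dirs.append(user)
    return dirs


if __name__ == "__main__":
    for path, no, text in executable_pth_lines(site_dirs()):
        print(f"PTH  {path}:{no}: {text}")
    for where, what, mod in unexpected_import_hooks():
        print(f"HOOK {where}: {what} (defined in {mod})")
```

Run it with the interpreter you are worried about (a CI runner's venv, a developer's global install); a hook that shows up as defined in a module you do not recognise, or an "import" line in a .pth file you did not create, is worth pulling for review. Expect some noise from legitimate tooling, which is why the baseline set is meant to be tuned rather than trusted as-is.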
Compromised contributor account pushes malicious commit to Azure/durabletask
The incident was reported to have begun when a compromised contributor account pushed a malicious commit to Azure/durabletask. The commit added configuration files that could trigger remote code execution when developers opened the repository in IDEs or AI coding tools such as Claude Code, Gemini CLI, and Cursor.
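Configuration that an IDE or AI coding assistant reads automatically from a checkout is effectively code that runs on "open", so a defender's first question after a commit like the one described above is which of those files a repository carries and what they point at. The scanner below is an added defensive example, not code from the article, Microsoft, GitHub, or StepSecurity. WATCHED_FILES and EXEC_KEYS are assumptions drawn from the tools' public configuration formats (VS Code tasks with runOptions.runOn set to folderOpen, dev container lifecycle commands, Claude Code hooks, MCP server definitions) and should be extended for the tools used in your environment.

```python
"""Flag committed IDE / AI-assistant configuration that can run commands when a
repository is opened.

Added defensive example; not code from the article, Microsoft, GitHub, or
StepSecurity. WATCHED_FILES and EXEC_KEYS are assumptions drawn from the tools'
public configuration formats; extend them for the tools used in your environment.
"""
import json
import sys
from pathlib import Path

# Files IDEs and AI coding assistants read automatically from a checkout.
# Assumed watchlist: paths relative to the repository root.
WATCHED_FILES = {
    ".vscode/tasks.json": "VS Code tasks; runOptions.runOn=folderOpen auto-runs",
    ".vscode/settings.json": "VS Code settings; can point tools at binaries",
    ".vscode/launch.json": "VS Code debug configurations",
    ".devcontainer/devcontainer.json": "dev container lifecycle commands",
    ".claude/settings.json": "Claude Code project settings (hooks)",
    ".mcp.json": "MCP server definitions (spawn processes)",
    ".cursor/mcp.json": "Cursor MCP server definitions",
    ".gemini/settings.json": "Gemini CLI settings (mcpServers)",
    ".idea/workspace.xml": "JetBrains workspace (run configurations)",
}

# JSON keys whose values are executed or handed to a shell by these tools. Assumed.
EXEC_KEYS = {
    "command", "args", "hooks", "mcpServers", "initializeCommand",
    "postCreateCommand", "postStartCommand", "postAttachCommand",
}


def _load_jsonc(path):
    """Parse JSON; retry without // comment lines since VS Code files allow them."""
    text = path.read_text(encoding="utf-8", errors="replace")
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        pass
    stripped = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("//"))
    try:
        return json.loads(stripped)
    except json.JSONDecodeError:
        return None  # caller reports the file for manual review


def _walk(node, trail, out):
    """Recursively collect (trail, kind, detail) for auto-run and exec-capable keys."""
    if isinstance(node, dict):
        if node.get("runOn") == "folderOpen":
            out.append((trail, "runOn=folderOpen", json.dumps(node)))
        for key, value in node.items():
            if key in EXEC_KEYS:
                out.append((f"{trail}/{key}", "exec-key", json.dumps(value)[:120]))
            _walk(value, f"{trail}/{key}", out)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(value, f"{trail}[{i}]", out)


def scan_checkout(root):
    """Return findings for one checkout: a list of {file, kind, detail} dicts."""
    root = Path(root)
    findings = []
    for rel, why in WATCHED_FILES.items():
        path = root / rel
        if not path.is_file():
            continue
        findings.append({"file": rel, "kind": "present", "detail": why})
        if path.suffix != ".json":
            continue
        doc = _load_jsonc(path)
        if doc is None:
            findings.append({"file": rel, "kind": "unparseable", "detail": "review manually"})
            continue
        hits = []
        _walk(doc, "", hits)
        for trail, kind, detail in hits:
            findings.append({"file": rel, "kind": kind, "detail": f"{trail}: {detail}"})
    return findings


if __name__ == "__main__":
    for f in scan_checkout(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['kind']:<16} {f['file']}: {f['detail']}")
```

Pointing this at a checkout (python scan.py /path/to/repo) lists every watched file that is present and, for JSON files, each key that carries something executable; a file the simple comment stripper cannot parse is reported as unparseable rather than silently skipped. The natural place for it is a pre-merge check in CI or a pull request diff filter, so that a new tasks.json, hooks block or MCP server definition appearing in a commit from an otherwise quiet contributor gets a human look before anyone opens the branch in an editor.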
GitHub disables 73 Microsoft repositories after worm detections
On June 5, automated detections triggered a takedown of Microsoft repositories after signs of the Miasma worm were found. Reporting says GitHub disabled 73 repositories in two waves within 105 seconds, disrupting CI/CD pipelines including dependencies on Azure/functions-action@v1.
Malicious durabletask package versions published to PyPI
A prior supply-chain attack on Microsoft's durabletask PyPI package occurred on May 19, with malicious versions reported to plant infostealers targeting cloud secrets and developer tool configurations on Linux systems. Later reporting linked this event to the Miasma worm activity.
Researcher creates Antimiasma and anti-worm mitigation tools
The author of the new report said they developed an Antimiasma mitigation tool and a separate anti-worm capability in response to the Miasma campaign. This represents a new defensive response aimed at countering the malware's spread and impact.
Sources
73 Microsoft Packages Weaponized to Deploy Password Stealer Malware (cybersecuritynews.com)
Developers urged to remain vigilant amid continued Miasma malware risks | IT Pro (itpro.com)
Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues (thehackernews.com)
Miasma Worm Goes Open Source: What's Actually Inside It | The CyberSec Guru (thecybersecguru.com)
Miasma Worm Hits Microsoft's AI Coding Ecosystem (govinfosecurity.com)
Microsoft Hacked to Deliver Malware to Claude and Gemini Users (404media.co)
The Blight Reaches Microsoft: 73 Repos Disabled in 105 Seconds | OpenSource Malware Blog (opensourcemalware.com)
Malware Insights: Miasma Campaign | Cookie Engineer's Weblog (cookie.engineer)