Hacking

Miasma Supply Chain Attack Hits 73 Microsoft GitHub Repos

Eng. Donya Bino Published  ·  8 min read

The self-replicating Miasma supply chain attack has hit 73 GitHub repositories owned by Microsoft across four organizations: Azure, Azure Samples, Microsoft, and Microsoft Docs.

The compromise has led GitHub to disable access to those repositories; attempting to open the "Azure/azure-functions-host" repository now returns a message stating that access has been disabled due to a violation of GitHub's terms of service.

According to OpenSourceMalware, some of the impacted repositories include azure-search-openai-demo-purviewdatasecurity, Connectors-NET-LSP, Connectors-NET-SDK, durabletask, durabletask-dotnet, durabletask-go, durabletask-js, durabletask-mssql, functions-container-action, homebrew-functions, llm-fine-tuning, and windows-driver-docs.

The Durabletask Re-Compromise

What is notable about the latest campaign is the re-compromise of the "durabletask" PyPI package, which was infected by TeamPCP last month to deliver an information stealer on Linux systems.

Security researcher Paul McCarty, also known as 6mile, said that a month later, not only is Azure/durabletask gone, but so is every sibling repository in the Durable Task ecosystem sitting one organization over in Microsoft including the .NET, Go, Java, JS, MSSQL, Netherite, and protobuf implementations, plus the Durable Functions monitor.

The researcher also noted that when the repository at the root of last month's compromise is the hub of this month's takedown, that is not a coincidence, that is the same wound reopening, and whoever held those credentials in May plausibly never fully lost them.

The Microsoft GitHub re-compromise shows that credential revocation is not always permanent, and attackers may retain access even after the initial compromise is discovered.

Miasma as Mini Shai-Hulud Variant

Miasma is assessed to be a variant of the Mini Shai-Hulud worm that TeamPCP publicly released in mid-May 2026, and it has since continued to mutate and refine its tactics even as it has infected more packages over the past couple of days.

The campaign uses various descriptions for the newly-created public repositories containing the stolen secrets including "Miasma: The Spreading Blight", "Miasma : The Spreading Blight", "Miasma - The Spreading Blight", and "Hades - The End for the Damned".

As of the time of writing, there are 13 repositories with the description "Hades - The End for the Damned" and 82 repositories with the remaining three naming patterns.

Direct Repository Poisoning

Miasma has also been observed skipping the npm registry entirely, with the threat actors pushing malicious code directly to "icflorescu/mantine-datatable" and four related repositories including "mantine-contextmenu", "next-server-actions-parallel", "mantine-datatable-v6", and "mantine-contextmenu-v6".

The commit added no dependencies, and it planted a 4.3 MB payload runner and wired it to execute automatically through five developer tools including Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script.

The payload detonates when a developer clones one of the affected repositories and opens it in an AI coding agent; the dropper is the same staged Bun loader, repurposed here for persistence in GitHub source repositories rather than registry poisoning.

The Trust Model Exploitation

These software supply chain attacks have exposed underlying weaknesses in the trust model on which software delivery in open-source ecosystems is built, making this one of the most significant and sustained campaigns observed to date.

What separates Miasma from other incidents is its ability to propagate exponentially across the ecosystem by compromising downstream users and repeating the same cycle.

FalconFeeds.io said that the worm's genius and the reason conventional defenses largely failed is that it operates entirely within legitimate channels, and it does not exploit a vulnerability in npm or GitHub.

Instead, Miasma exploits the trust model those platforms are built on: the assumption that a package signed with a valid key and published by an authenticated maintainer is safe.

Shai-Hulud compromises the key and the maintainer, and then it proceeds to act exactly as a legitimate publisher would, and from the registry's perspective, every malicious publish event is indistinguishable from a routine update.

The Wound That Never Healed

The re-compromise of the durabletask ecosystem is particularly concerning because it shows that the attackers never fully lost their access.

The attackers may have reused stolen credentials that were never properly revoked, or they may have planted persistent backdoors that survived the initial cleanup.

When the repository at the root of last month's compromise becomes the hub of this month's takedown, it strongly suggests that the same attackers returned through the same access path.

The AI Coding Agent Vector

The Miasma payload is triggered when a developer clones an affected repository and opens it in an AI coding agent.

This is a new and concerning attack vector because AI coding agents have broad access to the system and to the code they are analyzing, and they may execute hidden instructions without the developer's knowledge.

The same staged Bun loader used in previous registry poisoning attacks has been repurposed here for GitHub source-repo persistence.

The Scale of the Compromise

The Miasma attack impacted 73 Microsoft repositories across four GitHub organizations.

The affected repositories include critical projects like durabletask (which is a core Azure Durable Functions component), windows-driver-docs, and azure-search-openai-demo.

The compromise of Microsoft's own GitHub organizations is a significant escalation because Microsoft is one of the world's largest software companies and a trusted name in open source.

How to Protect Your Repositories

The Miasma attack on Microsoft's GitHub repositories calls for a rethinking of repository security.

1. After a breach, or after your MFA (Multi-Factor Authentication) tokens are compromised, revoke and rotate all credentials. The durabletask GitHub re-compromise indicates that compromised credentials may remain in circulation, so a full re-rotation of credentials across your entire organization is necessary.

2. Actively monitor your version control host (GitHub) for unauthorized commits. Miasma placed malicious commits directly into repositories in many organizations, including Microsoft's, so organizations need to watch for unexpected commits, especially those that add sizeable binary files or bundled (Bun) loaders.

3. Scan your repositories for AI agent triggers in the form of configuration-file instructions. The attacker's payload executes when a developer opens the repository with an AI coding agent.

4. Review your organization's GitHub account settings, since Miasma reached many organizations through their GitHub accounts.

5. Assume legitimate channels can be malicious. Miasma operates entirely within legitimate channels, so organizations should not assume that a signed package or an authenticated user is safe.
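As an added example covering steps 2 and 3 above (this is not code from the article or from any vendor it names), the following Python scan checks a repository checkout for auto-run configuration files that launch a command and for oversized files such as a multi-megabyte payload runner. The configuration paths for Claude Code, Gemini CLI, VS Code and npm are my assumptions about where each tool reads project-level settings, and the sample checkout the script builds is constructed for the demonstration.

```python
import os
import re
import tempfile

# Assumed project-level files that can run a command when the checkout is
# opened or tested; these paths are my assumptions, not from the article.
HOOK_FILES = (
    ".claude/settings.json",  # Claude Code hooks
    ".gemini/settings.json",  # Gemini CLI settings
    ".vscode/tasks.json",     # VS Code tasks with "runOn": "folderOpen"
    "package.json",           # npm scripts such as "test"
)
LAUNCHER = re.compile(r"\b(bun|curl|wget|node|bash|sh|powershell)\b", re.I)
AUTORUN = re.compile(r'folderOpen|"hooks"|"test"\s*:')
SIZE_LIMIT = 1024 * 1024  # 1 MiB: constructed threshold for "sizeable" blobs


def scan_repo(root, size_limit=SIZE_LIMIT):
    """Return (relative_path, reason) findings for one repository checkout."""
    findings = []
    for rel in HOOK_FILES:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        # A launcher token inside an auto-run config is the wiring to review.
        if AUTORUN.search(text) and LAUNCHER.search(text):
            findings.append((rel, "auto-run hook launches a command"))
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git objects
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > size_limit:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, "oversized file"))
    return findings


def build_sample_repo():
    """Constructed checkout: wired npm test script, folderOpen task, 2 MiB blob."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".vscode"))
    with open(os.path.join(root, "package.json"), "w") as fh:
        fh.write('{"name": "demo", "scripts": {"test": "bun ./runner.js"}}')
    with open(os.path.join(root, ".vscode", "tasks.json"), "w") as fh:
        fh.write('{"tasks": [{"label": "t", "command": "bun ./runner.js", '
                 '"runOptions": {"runOn": "folderOpen"}}]}')
    with open(os.path.join(root, "runner.js"), "wb") as fh:
        fh.write(b"\0" * (2 * SIZE_LIMIT))  # oversized dummy payload runner
    return root
```

Run `scan_repo(".")` at the root of a fresh clone before opening it in an editor or agent; every finding is a file to read by hand, not a verdict.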

Final Thoughts

The Miasma attack on Microsoft's GitHub repositories is a landmark event in software supply chain security.

A self-replicating worm compromised 73 Microsoft repositories across four organizations, and it used the same trusted channels that legitimate developers use every day.

Miasma re-compromised durabletask a month after the initial infection, which suggests that the attackers never fully lost their access and that traditional incident response measures were insufficient.

If Microsoft's own GitHub organizations can be compromised by this worm, no open-source project is safe, and the entire trust model of open-source distribution needs to be re-examined.

Check your GitHub organizations for unauthorized commits, rotate your credentials, and assume that a compromised repository may stay compromised even after you think you have cleaned it.

FAQ Section

How many Microsoft GitHub repositories were compromised in the Miasma supply chain attack?

The Miasma attack compromised 73 Microsoft repositories across four GitHub organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs.

What is significant about the durabletask re-compromise?

Durabletask was infected by TeamPCP last month, and one month later it was compromised again along with every sibling repository in the Durable Task ecosystem, suggesting the attackers never fully lost their credentials.

How does the Miasma worm execute its payload?

The payload detonates when a developer clones an affected repository and opens it in an AI coding agent such as Claude Code, Gemini CLI, Cursor, or VS Code, and it uses a staged Bun loader for execution.

Does Miasma exploit a technical vulnerability in npm or GitHub?

No. Miasma does not exploit a technical vulnerability; it exploits the trust model that assumes a package signed with a valid key and published by an authenticated maintainer is safe.

What are the repository descriptions used by the Miasma campaign?

The campaign uses four descriptions for the newly-created public repositories containing stolen secrets: "Miasma: The Spreading Blight", "Miasma : The Spreading Blight", "Miasma - The Spreading Blight", and "Hades - The End for the Damned".

Source: The Hacker News