Executive Summary
On June 5, 2026, the Miasma worm, a self-replicating supply chain malware, compromised 73 Microsoft GitHub repositories across four major organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. The attack was executed using previously compromised contributor credentials, allowing the attacker to push a malicious commit to the Azure/durabletask repository. This commit introduced configuration files that triggered a credential-harvesting payload when the repository was opened in AI coding tools such as Claude Code, Gemini CLI, Cursor, and VS Code. The worm harvested credentials for cloud platforms and developer tools, then used those credentials to propagate itself to additional repositories. GitHub responded by disabling the affected repositories in an automated sweep lasting 105 seconds. The incident caused immediate disruption to CI/CD pipelines, particularly those relying on Azure/functions-action, and highlighted critical weaknesses in the trust model of open-source software delivery, especially in environments using AI-assisted development tools. All information in this summary is directly supported by the referenced primary sources.
Technical Information
The Miasma worm incident is a sophisticated supply chain attack that exploited the trust inherent in open-source development workflows. The attacker leveraged previously compromised contributor credentials to gain initial access, specifically targeting the Azure/durabletask repository. The malicious commit (hash: 5f456b8) was backdated to 2020 and included a misleading message with a [skip ci] flag to evade automated CI/CD detection. No source code was modified; instead, five files were added, each designed to trigger automatic execution of a 4.3–4.6 MB obfuscated JavaScript payload when the repository was opened in various developer tools.
The payload was engineered to execute via configuration files for Claude Code (.claude/settings.json), Gemini CLI (.gemini/settings.json), Cursor (.cursor/rules/setup.mdc), VS Code (.vscode/tasks.json), and the npm test script. The actual malicious code resided in .github/setup.js, a large, obfuscated JavaScript file acting as a credential harvester. Upon execution, the worm harvested credentials for AWS, Azure, GCP, Kubernetes, npm, GitHub, and over 90 developer tool configurations. These credentials were then used to commit the worm into any repository the victim could access, enabling rapid, autonomous propagation.
The attack did not exploit a vulnerability in npm or GitHub itself. Instead, it abused the trust model by acting as a legitimate maintainer, using valid credentials and standard publishing mechanisms. This approach made the malicious activity indistinguishable from routine updates from the perspective of the platform. The worm’s propagation was further facilitated by targeting AI coding agents, which are increasingly used by developers to interact with unfamiliar repositories. This represents a significant evolution in supply chain attack techniques, as traditional defenses focused on package installation hooks are ineffective against attacks triggered by simply opening a repository in an AI tool or IDE.
The incident caused immediate operational impact. The disabling of Azure/functions-action disrupted CI/CD pipelines for organizations relying on this official GitHub Action to deploy Azure Functions. Developers reported widespread breakage of workflows, and critical Azure infrastructure and documentation repositories were rendered inaccessible. The attack was contained by GitHub within 105 seconds through automated enforcement, but the full scope of downstream impact remains undetermined.
Technical analysis links the Miasma worm to the Mini Shai-Hulud worm, previously released by the threat group TeamPCP in May 2026. The same compromised contributor account was used in both the May PyPI attack and the June GitHub incident, and the payloads share significant similarities. However, direct attribution to TeamPCP remains at medium confidence due to the lack of unique technical artifacts.
The attack’s MITRE ATT&CK mapping includes T1078 (Valid Accounts) for initial access, T1059.007 (JavaScript) and T1204.002 (Malicious File) for execution, T1562.001 (Disable or Modify Tools) and T1036 (Masquerading) for defense evasion, T1552 (Unsecured Credentials) and T1555 (Credentials from Password Stores) for credential access, T1098 (Account Manipulation) and T1557 (Adversary-in-the-Middle) for lateral movement, and T1496 (Resource Hijacking) and T1489 (Service Stop) for impact.
Affected Versions & Timeline
The attack affected 73 repositories across the Azure, Azure-Samples, Microsoft, and MicrosoftDocs GitHub organizations. Notable impacted repositories include azure-search-openai-demo-purviewdatasecurity, Connectors-NET-LSP, durabletask (and its .NET, Go, Java, JS, MSSQL, Netherite, and protobuf implementations), functions-container-action, llm-fine-tuning, and windows-driver-docs.
The timeline of key events is as follows:
May 16, 2026: Malicious payload core modules authored and C2 domain git-service[.]com registered.
May 19, 2026: Initial compromise of the durabletask PyPI package, with three malicious versions uploaded in a 35-minute window using a compromised publishing token. Microsoft confirmed and removed the affected packages from PyPI.
June 3, 2026: Second wave of Miasma-themed dead-drop repositories begins.
June 5, 2026: Malicious commit (5f456b8) pushed to Azure/durabletask using the same compromised contributor account. The commit was backdated and included only configuration files and the payload.
June 5, 2026, 16:00:50–16:02:35 UTC: GitHub disables 73 repositories in two automated waves over 105 seconds.
June 5–6, 2026: Public disclosure and technical analysis by security researchers and news outlets.
Threat Activity
The Miasma worm campaign is characterized by its self-replicating nature and its exploitation of trusted developer workflows. The attacker used compromised credentials to bypass traditional security controls and planted configuration files that triggered code execution in AI coding agents and IDEs. The worm’s payload harvested a wide range of credentials, enabling it to spread autonomously to any repository accessible by the compromised accounts.
The campaign is a direct evolution of previous supply chain attacks, notably the Mini Shai-Hulud worm, and demonstrates a shift from targeting package installation hooks to targeting editor and AI agent session start events. This approach allows the malware to activate as soon as a developer opens a repository, regardless of whether any code is executed or dependencies are installed.
The attack also demonstrates advanced defense evasion techniques, including backdating commits, using misleading commit messages, and suppressing CI/CD pipeline execution with the [skip ci] flag. These methods allowed the malicious commit to avoid detection by automated security tools and reach production repositories.
Propagation was further enhanced by the worm’s ability to use harvested credentials to commit itself into new repositories, creating a feedback loop that enabled rapid, exponential spread across the open-source ecosystem. The campaign also included the creation of public repositories with Miasma-themed naming patterns, further obfuscating the attack’s origins and intent.
Mitigation & Workarounds
Mitigation of the Miasma worm supply chain attack requires immediate and comprehensive action. The following recommendations are prioritized by severity:
Critical: Immediately rotate all credentials (tokens, passwords, SSH keys) for any accounts that had access to the affected repositories, including those for AWS, Azure, GCP, Kubernetes, npm, GitHub, and developer tools. Revoke and reissue all publishing tokens and access keys.
Critical: Audit all repositories for unauthorized commits, especially those containing configuration files for AI coding agents or large, obfuscated JavaScript payloads. Remove any suspicious files and restore repositories from known-good backups.
Critical: Invalidate all active sessions and tokens for compromised accounts. Enforce multi-factor authentication (MFA) for all contributors and maintainers.
High: Review and update CI/CD pipeline configurations to detect and block commits that include suspicious configuration files or use [skip ci] flags without justification.
High: Implement strict access controls and least-privilege principles for repository contributors. Regularly review contributor lists and remove unnecessary access.
High: Educate developers about the risks of opening untrusted repositories in AI coding agents or IDEs. Encourage the use of isolated environments for reviewing external code.
Medium: Monitor for indicators of compromise, including connections to known C2 domains such as git-service[.]com and the presence of Miasma-themed repositories.
Medium: Collaborate with GitHub and other platform providers to ensure rapid response to future incidents and to improve automated detection of malicious commits.
Low: Stay informed about evolving supply chain threats and participate in community-driven threat intelligence sharing initiatives.
References
The Hacker News, June 6, 2026: https://thehackernews.com/2026/06/miasma-worm-hits-73-microsoft-github.html
StepSecurity, June 5, 2026: https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositories-disabled-after-supply-chain-attack-targeting-ai-coding-agents
The Next Web, June 6, 2026: https://thenextweb.com/news/miasma-worm-microsoft-github-supply-chain
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor supply chain risks across their software ecosystems. Our platform enables continuous monitoring of open-source dependencies, automated credential hygiene checks, and rapid detection of anomalous repository activity. We support integration with CI/CD pipelines and developer tools to help organizations respond quickly to emerging supply chain threats. For questions or further guidance, contact us at ops@rescana.com.
