GitHub Disables 73 Microsoft Repositories After Miasma Worm Attack
Summary
On June 5, GitHub disabled 73 Microsoft-owned repositories after the Miasma worm (a variant of Mini Shai-Hulud) infiltrated projects across Azure, Azure-Samples, Microsoft, and MicrosoftDocs. The attack began when a malicious commit was pushed to Azure/durabletask using a previously compromised contributor account. Automated systems detected and took down the repositories within 105 seconds, but credential-harvesting damage had already occurred. The malicious commit added configuration files that execute a payload when a developer opens the repository in an IDE or AI coding tool, affecting tools like Claude Code, Gemini CLI, Cursor, and VS Code. Miasma had previously mutated across npm and PyPI, compromising 32 Red Hat packages and impacting packages from TanStack, Mistral AI, and UiPath. The same compromised contributor account was used in both the May PyPI attack and the June GitHub incident.
Key quotes
Automated systems issued the takedown within 105 seconds of detecting the infection, but credential-harvesting damage had already occurred.
The attack started when a malicious commit was pushed to Azure/durabletask using a previously compromised contributor account.
The commit added configuration files that execute a payload when a developer opens the repository in an IDE or AI coding tool.
Miasma is a variant of Mini Shai-Hulud, publicly released by TeamPCP in mid-May 2026, and it has previously mutated across npm and PyPI.
The same compromised contributor account was used in both the May PyPI attack and the June GitHub incident, with highly similar payloads.
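A defender-side check for the "configuration files that execute a payload when a developer opens the repository" vector, as an added example that is not code from this page or from GitHub or Microsoft. The page does not name the files Miasma added; the two paths checked here (VS Code's `runOn: "folderOpen"` tasks and Claude Code project hooks) are assumptions chosen from those tools' documented auto-run features, and the sample checkout is constructed.

```python
import json
import tempfile
from pathlib import Path

def _vscode_autorun(cfg):
    # VS Code starts a task on open when runOptions.runOn == "folderOpen".
    return [f"task {t.get('label', '?')!r} runs on folderOpen: {t.get('command')!r}"
            for t in (cfg.get("tasks") or [])
            if isinstance(t, dict)
            and (t.get("runOptions") or {}).get("runOn") == "folderOpen"]

def _claude_hooks(cfg):
    # Claude Code project settings can register shell hooks per event.
    return [f"hook registered for event {event!r}" for event in (cfg.get("hooks") or {})]

# Assumed paths: the page does not say which files the worm wrote.
CHECKS = {".vscode/tasks.json": _vscode_autorun, ".claude/settings.json": _claude_hooks}

def scan_repo(root):
    """Return (relative_path, finding) pairs for auto-run workspace config."""
    findings = []
    for rel, check in CHECKS.items():
        path = Path(root) / rel
        if not path.is_file():
            continue
        try:
            cfg = json.loads(path.read_text(encoding="utf-8"))
        except ValueError:
            # These files may be JSONC (comments); unparseable is not "clean".
            findings.append((rel, "unparseable, review by hand"))
            continue
        if isinstance(cfg, dict):
            findings.extend((rel, f) for f in check(cfg))
    return findings

def make_sample_repo():
    """Constructed sample checkout; the command is a harmless placeholder."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode/tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "setup", "type": "shell", "command": "echo placeholder",
         "runOptions": {"runOn": "folderOpen"}},
        {"label": "build", "type": "shell", "command": "make"}]}))
    (root / ".claude").mkdir()
    (root / ".claude/settings.json").write_text("{ // comment\n}")
    return root

if __name__ == "__main__":
    for rel, finding in scan_repo(make_sample_repo()):
        print(f"{rel}: {finding}")
```

Run it against a fresh clone from a terminal, before the folder is opened in any editor or agent.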
