GitHub staff moved quickly. On June 5, 2026, the platform disabled access to 73 Microsoft repositories scattered across four organizations. Azure, Azure-Samples, Microsoft, and MicrosoftDocs all took hits. Visitors now see a blunt notice: access disabled due to terms of service violations. Reach out to support if you own the repo.
The culprit traces back to a self-replicating worm known as Miasma. It struck the durabletask repository first. Then the damage rippled. Sibling projects in the Durable Task family fell in sequence: the .NET, Go, JavaScript, and MSSQL implementations, and even the Durable Functions monitor. Paul McCarty, a security researcher known as 6mile, spotted the pattern immediately. “A month later, not only is Azure/durabletask gone – so is every sibling repo in the Durable Task ecosystem,” he wrote. The connection felt too neat. Last month’s compromise of the same durabletask PyPI package by TeamPCP had delivered an information stealer aimed at Linux systems. The credentials stolen at that time apparently stayed useful. “Whoever held those credentials in May plausibly never fully lost them,” McCarty added.
This wasn’t random. Miasma represents a mutated variant of Mini Shai-Hulud. TeamPCP released that worm publicly in mid-May 2026, according to Akamai. Since then the code has evolved. It refined its approach. It spread further. Recent days brought fresh infections across npm packages. Some carried descriptions like “Miasma: The Spreading Blight” or “Hades – The End for the Damned.” Researchers counted 82 repositories using the blight variants and 13 using the Hades label at last check.
But the worm doesn’t always bother with registries anymore. In several cases it pushed code straight into GitHub repositories. Take icflorescu/mantine-datatable and its four related projects. A commit appeared. No new dependencies. Instead it dropped a 4.3-megabyte payload runner. Then it wired that runner to trigger automatically. Five developer tools served as entry points: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script. The attack waits for a developer to clone the repo and open it inside an AI coding agent. Only then does the staged Bun loader activate. SafeDep described the technique in detail. “The dropper is the same staged Bun loader, here repurposed for GitHub source-repo persistence rather than registry poisoning,” the firm reported in its analysis.
StepSecurity saw the same pattern hit Microsoft on June 5. The worm planted configuration files inside Azure Functions Action and 72 other repositories. Those files executed credential-harvesting code whenever anyone opened the projects in the listed AI tools. GitHub suspended the compromised contributor account. The attacker had used a stolen personal access token. One commit even carried a timestamp backdated to 2020. It hid on a dormant branch. The fingerprints matched earlier Miasma samples exactly. And the malware appeared tuned to dodge specific security environments. One sample hard-coded domains from StepSecurity itself to stay quiet inside their Docker setups, OX Security researcher Moshe Siman Tov Bustan observed on X.
The campaign began gaining real momentum earlier in the month. On June 1 attackers compromised a Red Hat employee’s GitHub account. They pushed malicious updates into 32 packages under the @redhat-cloud-services namespace on npm. Microsoft Security detailed the sequence in its June 2 report. The packages carried preinstall hooks. Those hooks downloaded obfuscated droppers. The droppers pulled the Bun runtime. Then they stole credentials from GitHub, npm, AWS, Azure, GCP, HashiCorp Vault, and Kubernetes clusters. Some variants even tried privilege escalation through passwordless sudo. If tokens got revoked the malware could trigger a destructive wipe of the home directory. Self-propagation followed. The code republished poisoned packages using forged SLSA provenance. From the registry’s view everything looked legitimate.
FalconFeeds.io captured the core problem. “The worm’s genius and the reason conventional defences largely failed is that it operates entirely within legitimate channels. It does not exploit a vulnerability in npm or GitHub,” the firm wrote in its breakdown. “It exploits the trust model those platforms are built on: the assumption that if a package is signed with a valid key and published by an authenticated maintainer, it is safe.” Shai-Hulud, and now Miasma, simply takes over the maintainer account and the signing key. Every malicious update looks like routine maintenance.
OpenSourceMalware traced the Microsoft incident in real time. The entire Azure Functions organization suffered. So did the full Durable Task set. The worm created public repositories in victims’ own accounts. It pushed stolen credentials as encrypted JSON files into a results directory. Repository names followed patterns like adjective-creature-randomnumber. Descriptions announced the breach. “Miasma – The Spreading Blight” appeared on dozens. The reversed string “niagA oG eW ereH :duluH-iahS” showed up on others. Read backwards, it says “Shai-Hulud: Here We Go Again.” A taunt aimed at researchers who had covered the earlier Red Hat wave.
WhiteIntel had seen signs even before the public outbreak. The firm detected an active Red Hat GitHub credential and session cookie in infostealer logs on April 13 and again on May 15. Those logs pointed to the same account later used in the June 1 attack. The compromise didn’t appear sudden. Access had lingered.
UV Cyber noted the broader pattern. Supply chain incidents keep exposing the same weakness. Trust sits at the center of open source delivery. Once that trust breaks the effects multiply. Downstream users adopt the tainted code. They become vectors themselves. The cycle repeats. Miasma simply does this at scale and with speed that outruns traditional detection.
Microsoft has not issued a detailed public statement on the repository takedowns as of June 6. GitHub’s response focused on containment. Affected repos remain offline while investigations continue. Security teams advise immediate steps. Rotate any exposed tokens. Audit GitHub organizations for unexpected public repositories carrying the blight descriptions. Search commit histories for indicators like the string “firedalazer” that some samples use to fetch next-stage payloads. Pin GitHub Actions to specific commit SHAs rather than floating tags. Rebuild potentially affected CI/CD environments from clean sources.
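Two of those audit steps, sketched as an added example that is not code from any of the vendors quoted here: flagging repositories whose descriptions carry the worm's markers (including the reversed taunt) and listing workflow `uses:` references that are not pinned to a full commit SHA. The record fields (`name`, `description`, `private`), the regex for the adjective-creature-number naming shape, and all sample data are assumptions constructed for illustration.

```python
import re

# Markers quoted in the article, lowercased for case-insensitive matching.
DESC_MARKERS = ("the spreading blight", "the end for the damned", "shai-hulud")
NAME_RE = re.compile(r"^[a-z]+-[a-z]+-\d+$")  # assumed shape of adjective-creature-randomnumber
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def repo_findings(repo):
    """Return reasons a repository record deserves manual review."""
    desc = (repo.get("description") or "").lower()
    reasons = []
    # Check the description as written and reversed, to catch the reversed taunt.
    for text, label in ((desc, "description"), (desc[::-1], "reversed description")):
        reasons += [f"{label} contains '{m}'" for m in DESC_MARKERS if m in text]
    if not repo.get("private", True) and NAME_RE.match(repo.get("name", "")):
        reasons.append("weak: public repo with adjective-creature-number name")
    return reasons

def unpinned_actions(workflow_text):
    """Return `uses:` references that are not pinned to a 40-hex commit SHA."""
    refs = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are not covered here
        version = ref.partition("@")[2]
        if not SHA_RE.match(version):
            refs.append(ref)
    return refs

# Constructed sample inputs (not real repositories or workflows).
SAMPLE_REPOS = [
    {"name": "gloomy-wyvern-4821", "description": "Miasma - The Spreading Blight", "private": False},
    {"name": "crimson-hydra-77", "description": "niagA oG eW ereH :duluH-iahS", "private": False},
    {"name": "billing-service", "description": "Internal billing API", "private": True},
]
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-lint
"""

if __name__ == "__main__":
    for r in SAMPLE_REPOS:
        print(r["name"], repo_findings(r))
    print("unpinned:", unpinned_actions(SAMPLE_WORKFLOW))
```

The commit-history search from the same advice maps to `git log --all -S firedalazer`, where `--all` also covers dormant branches such as the one that held the backdated commit.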
Yet the incident raises harder questions. How many other organizations carry similar dormant access? How long can credential theft from infostealers feed these worms before the industry changes its assumptions about maintainer accounts? Miasma didn’t invent supply chain attacks. It simply perfected the art of looking normal while hollowing out trust from the inside. And with AI coding assistants now serving as automatic triggers the attack surface grew again. One clone, one open project, and the payload wakes up.
Researchers continue pulling samples. OX Security, StepSecurity, SafeDep and others share fresh indicators. The worm mutates. New variants surface. But the tactic stays constant. Compromise the account. Publish normally. Wait for trust to do the rest. Microsoft repositories stand as the latest evidence that even the largest players remain exposed when that trust fails.


WebProNews is an iEntry Publication