Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack

Cyber Security ATN Campus June 18, 2026

Microsoft's GitHub repositories have become the latest victims of the ongoing Miasma self-replicating supply chain attack campaign.

The incident impacted 73 Microsoft repositories across four GitHub organizations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs. As a result, GitHub temporarily disabled access to the affected repositories while investigations continue.

Affected Repositories

Some of the repositories impacted by the attack include:

  • azure-search-openai-demo-purviewdatasecurity
  • Connectors-NET-LSP
  • Connectors-NET-SDK
  • durabletask
  • durabletask-dotnet
  • durabletask-go
  • durabletask-js
  • durabletask-mssql
  • functions-container-action
  • homebrew-functions
  • llm-fine-tuning
  • windows-driver-docs

Re-Compromise of DurableTask Package

Security researchers highlighted the re-compromise of the durabletask PyPI package, which had previously been infected by TeamPCP in May 2026. The package was initially used to distribute information-stealing malware targeting Linux systems.

The latest attack affected multiple repositories within Microsoft's Durable Task ecosystem, including implementations for .NET, Go, JavaScript, MSSQL, Netherite, and Protobuf, along with monitoring tools.

Evolution of the Miasma Worm

Miasma is believed to be a variant of the Mini Shai-Hulud worm that was publicly released in May 2026. Since then, it has evolved and expanded its capabilities while continuing to infect open-source projects.

Researchers observed the following repository descriptions associated with infected projects:

  • Miasma: The Spreading Blight
  • Miasma : The Spreading Blight
  • Miasma - The Spreading Blight
  • Hades - The End for the Damned

At the time of reporting, dozens of repositories had been identified carrying these descriptions.

Direct Repository Attacks

Unlike previous supply chain attacks that primarily targeted package registries such as npm, Miasma has also been observed directly injecting malicious code into GitHub repositories.

One example involved the repository mantine-datatable and several related projects. Attackers inserted a large payload runner configured to execute automatically through various developer tools.

Targeted Developer Tools

  • Claude Code
  • Gemini CLI
  • Cursor
  • Visual Studio Code
  • npm Test Scripts

The malicious payload activates when developers clone an infected repository and open it within supported AI coding environments.

Exploiting the Trust Model

Security experts note that Miasma does not exploit vulnerabilities in GitHub or npm directly. Instead, it abuses the trust model of open-source software ecosystems.

The worm compromises legitimate maintainer accounts and uses valid credentials to publish malicious updates that appear authentic to users and automated systems.

"From the registry's perspective, every malicious publish event is indistinguishable from a routine update."

This ability to operate through legitimate channels has made the campaign particularly effective and difficult to detect.

Microsoft Response

Microsoft confirmed that several repositories were temporarily removed while the company investigates potentially malicious content.

Security researchers also discovered that the same contributor account involved in the May compromise was used again during the latest attack.

Malicious Configuration Files Identified

Researchers identified several files added by attackers to achieve automatic code execution:

  • .claude/settings.json – Executes payloads through Claude Code session hooks.
  • .gemini/settings.json – Executes payloads through Gemini CLI session hooks.
  • .cursor/rules/setup.mdc – Uses prompt injection techniques against Cursor AI.
  • .vscode/tasks.json – Triggers execution through Visual Studio Code auto-run tasks.
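
A check for these four files that can be run on a fresh clone before it is opened in any editor or AI tool, added here as an example and not taken from the researchers or from any of the tools named. It assumes that hook entries in the Claude Code and Gemini CLI settings store their shell command under a "command" key, and it relies on VS Code's `runOptions.runOn: folderOpen` setting as the auto-run trigger.

```python
import json
import re
import sys
from pathlib import Path

HOOK_FILES = (".claude/settings.json", ".gemini/settings.json")

def load_json(path):
    """Parse JSON, dropping full-line // comments (VS Code allows them); None on failure."""
    text = path.read_text(encoding="utf-8", errors="replace")
    try:
        return json.loads(re.sub(r"(?m)^\s*//.*$", "", text))
    except json.JSONDecodeError:
        return None

def commands(node):
    """Yield every string stored under a "command" key anywhere below node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                yield value
            else:
                yield from commands(value)
    elif isinstance(node, list):
        for item in node:
            yield from commands(item)

def scan_repo(root):
    """Return (file, reason) pairs for the auto-execution files named in the article."""
    root, findings = Path(root), []
    for rel in HOOK_FILES + (".vscode/tasks.json",):
        path = root / rel
        if not path.is_file():
            continue
        data = load_json(path)
        if not isinstance(data, dict):
            findings.append((rel, "not parseable as a JSON object, review by hand"))
        elif rel in HOOK_FILES:
            # Assumption: hook entries carry their shell command under a "command" key.
            findings += [(rel, f"hook runs: {c}") for c in commands(data.get("hooks"))]
        else:
            tasks = data.get("tasks")
            for task in tasks if isinstance(tasks, list) else []:
                opts = task.get("runOptions") if isinstance(task, dict) else None
                if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                    findings.append((rel, f"runs on folder open: {task.get('command')}"))
    if (root / ".cursor/rules/setup.mdc").is_file():
        findings.append((".cursor/rules/setup.mdc", "Cursor rule file, read before opening"))
    return findings

if __name__ == "__main__":
    for rel, reason in scan_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {reason}")
```

A finding is a prompt to read the file, not proof of compromise: legitimate projects also ship hooks and folder-open tasks.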

Why This Matters

The Miasma campaign demonstrates how attackers are increasingly targeting software supply chains and AI-powered development tools. As organizations rely more heavily on open-source software and AI coding assistants, maintaining strong credential security and repository monitoring becomes critical.

The attack serves as a reminder that trusted accounts and legitimate publishing workflows can become powerful attack vectors when compromised.

