Miasma worm hits 73 Microsoft GitHub repositories in supply-chain attack (2026)
A self-replicating supply-chain worm dubbed Miasma compromised 73 repositories across four Microsoft GitHub organisations, planting configuration files that harvested cloud and developer credentials when the projects were opened in AI coding agents such as Claude Code and Cursor.
Victim: Microsoft (GitHub repositories)
On 5 June 2026, the self-replicating supply-chain worm known as Miasma reached Microsoft, compromising 73 repositories across four of the company's GitHub organisations: Azure, Azure-Samples, Microsoft and MicrosoftDocs. The campaign began when an attacker used a previously compromised contributor account to push a malicious commit to the Azure/durabletask repository, from which the worm propagated automatically.
What happened
Miasma plants configuration files that execute a credential-harvesting payload not at package-install time, but when a developer opens the repository in an AI coding agent or editor. Researchers found the payload runner wired to trigger automatically through five developer touchpoints (Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script), marking a shift from traditional install-hook abuse toward editor and AI-agent session-start events.
The decrypted payload is a multi-cloud credential harvester that scans for AWS, Azure, GCP, HashiCorp Vault, Kubernetes, npm and GitHub secrets, exfiltrates them to attacker-created public GitHub repositories, and then reuses the stolen tokens to spread further. Across the npm registry the worm propagates through binding.gyp, a file that triggers code execution during npm install without ever touching the package.json scripts that scanners typically inspect. Analysts assess Miasma to be a variant of the Mini Shai-Hulud worm publicly released by the actor tracked as TeamPCP in mid-May 2026.
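A defensive audit for the auto-run touchpoints described above, as an added example that is not from the article or the cited research. The article does not name the planted files, so the checks are assumptions based on documented tool behaviour: npm's default node-gyp build when binding.gyp is present, VS Code tasks set to run on folder open, and Claude Code SessionStart hooks in .claude/settings.json. Gemini CLI, Cursor and the npm test script are not covered, and the sample input is constructed.

```javascript
// Added example (not from the article): flag files in a checkout that can run code
// without an explicit install hook. `files` maps repo-relative paths to contents.
function auditRepo(files) {
  const findings = [];
  const parse = (text) => { try { return JSON.parse(text); } catch { return null; } };

  for (const [path, text] of Object.entries(files)) {
    const dir = path.includes("/") ? path.slice(0, path.lastIndexOf("/") + 1) : "";
    const name = path.slice(dir.length);

    if (name === "binding.gyp") {
      // npm defaults to `node-gyp rebuild` when binding.gyp sits at the package root
      // and package.json defines no install or preinstall script.
      const pkg = parse(files[dir + "package.json"] || "");
      const scripts = (pkg && pkg.scripts) || {};
      if (pkg && !scripts.install && !scripts.preinstall) {
        findings.push({ path, rule: "implicit-node-gyp-build" });
      }
      // gyp command expansions, <!(cmd) and <!@(cmd), run cmd while the file is processed.
      for (const m of text.matchAll(/<!@?\(([^)]*)\)/g)) {
        findings.push({ path, rule: "gyp-command-expansion", detail: m[1].trim() });
      }
    }
    // Assumed paths: the standard workspace config locations for each tool.
    if (path === ".vscode/tasks.json" && /"runOn"\s*:\s*"folderOpen"/.test(text)) {
      findings.push({ path, rule: "vscode-task-on-folder-open" });
    }
    if (path === ".claude/settings.json") {
      const hooks = (parse(text) || {}).hooks || {};
      if (hooks.SessionStart) findings.push({ path, rule: "claude-session-start-hook" });
    }
  }
  return findings;
}

// Constructed sample checkout (not taken from the incident).
const SAMPLE = {
  "package.json": JSON.stringify({ name: "demo", scripts: { test: "node test.js" } }),
  "binding.gyp": '{ "targets": [ { "target_name": "x", "sources": ["<!(node tools/list.js)"] } ] }',
  ".vscode/tasks.json": '{ "tasks": [ { "label": "t", "command": "node x.js", "runOptions": { "runOn": "folderOpen" } } ] }',
  ".claude/settings.json": JSON.stringify({ hooks: { SessionStart: [{ hooks: [{ type: "command", command: "node x.js" }] }] } }),
  "docs/readme.md": "nothing to see",
};

for (const f of auditRepo(SAMPLE)) console.log(f.rule, f.path, f.detail || "");
```

A finding means the file deserves review before the checkout is opened in an editor or installed; native addons and workspace hooks also have legitimate uses.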
GitHub's automated abuse detection disabled all 73 implicated Microsoft repositories in an automated sweep lasting roughly 105 seconds, containing the blast radius before it could spread further from Microsoft's namespaces.
Why it matters
Miasma demonstrates how AI coding agents have become a fresh execution surface for supply-chain malware: a payload no longer needs an install hook when simply opening a poisoned repository in an AI-assisted editor will run it. By turning every compromised maintainer and their stolen cloud tokens into a launchpad for the next victim, the worm grows its reach automatically, and reaching 73 repositories inside organisations as widely consumed as Azure and Microsoft underlines how quickly such a campaign can threaten the wider developer ecosystem.
Timeline
- A malicious commit is pushed to the Azure/durabletask repository using a previously compromised contributor account, seeding the Miasma payload.
- GitHub's automated abuse detection disables the 73 affected repositories across the Azure, Azure-Samples, Microsoft and MicrosoftDocs organisations within roughly 105 seconds.
Sources
- thehackernews.com: https://thehackernews.com/2026/06/miasma-worm-hits-73-microsoft-github.html
- stepsecurity.io: https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositories-disabled-after-supply-chain-attack-targeting-ai-coding-agents
- thenextweb.com: https://thenextweb.com/news/miasma-worm-microsoft-github-supply-chain
- rescana.com: https://www.rescana.com/post/miasma-worm-supply-chain-attack-73-microsoft-github-repositories-compromised-via-ai-coding-tools