top of page

Miasma Worm Supply Chain Attack Compromises 73 Microsoft GitHub Repositories

  • Jun 9
  • 3 min read

Key Findings


  • A self-replicating worm called Miasma compromised 73 Microsoft GitHub repositories across Azure infrastructure and core .NET, Go, Java, JavaScript, and Python frameworks

  • GitHub staff disabled affected repositories after attackers injected malicious workflows that harvested OIDC tokens and developer credentials

  • The attack exploited AI coding tools as an automatic execution mechanism, triggering malware when developers cloned infected repos and opened them in IDEs

  • Miasma evolved from Mini Shai-Hulud malware and employed uniquely encrypted payloads for each infection to evade hash-based detection

  • The campaign also poisoned 32 npm packages with valid SLSA provenance attestations, making malicious releases appear legitimate to standard registry scanners

  • Additional 23 PyPI packages were infected in a parallel wave, including bioinformatics and AI-related libraries with typosquatted variants like rsquests and tlask

  • This marks Microsoft's second known breach from the same malware family within weeks, raising questions about incomplete remediation from the earlier incident


Background


The attack originated when cybercriminals compromised a Red Hat employee's GitHub account and pushed unreviewed commits to internal repositories. The threat actors, known as TeamPCP, shifted their naming from Dune references to Greek mythology with this campaign, branding the malware as Miasma. The initial breach at Red Hat led to the compromise of the @redhat-cloud-services npm namespace, where attackers published poisoned packages that appeared legitimate to security scanners due to valid SLSA provenance attestations.


The Initial Entry Point


Red Hat's compromised credentials proved to be the foothold for a broader operation. Attackers injected minimal workflows into internal repositories that requested GitHub's OIDC tokens during builds. These tokens granted legitimate access to publish packages to npm, creating a critical problem for supply chain security: the malicious releases were cryptographically valid and indistinguishable from routine updates. This revealed a gap in SLSA frameworks, which verify code provenance but cannot detect when a legitimate maintainer's credentials have been stolen.


Weaponizing Developer Tools


The delivery mechanism that made Miasma particularly dangerous was its integration with AI coding tools and IDEs. Infected repositories were designed to execute malicious payloads automatically when cloned and opened in popular development environments. Since AI coding assistants have become standard in developer workflows, this attack vector reached developers without requiring them to take any suspicious action. Every developer who pulled an infected repo and opened it in their preferred IDE unknowingly executed the malware.


Evasion and Credential Theft


Miasma employed two sophisticated evasion techniques. First, it generated uniquely encrypted payloads for each infection, rendering hash-based indicators of compromise useless. Second, it represented an evolution beyond earlier Mini Shai-Hulud variants by specifically targeting cloud credentials. The worm harvested every cloud identity accessible to infected developer machines and CI/CD runners in GCP and Azure environments, not just local secrets. This multi-layered credential theft exposed enterprises to lateral movement and persistence risks across their entire infrastructure.


The Broader Supply Chain Wave


The attack extended beyond Microsoft repositories to poison 23 additional packages on PyPI, including bioinformatics libraries, AI-related packages, and typosquatted impersonations of popular frameworks like Flask and Requests. These packages used varied payload delivery mechanisms including Trojanized native extensions and .pth startup hooks that searched for external payloads rather than bundling them directly. One variant embedded adversarial prompt injection code designed to bypass AI-powered security scanners and analyst copilots.


Microsoft's Response and Concerns


Microsoft temporarily disabled dozens of repositories and notified a small number of customers who may have pulled infected content. However, the fact that Durable Task was compromised a month earlier and then hit again raised questions about whether the original incident was fully remediated. Security researchers termed the latest compromise a re-compromise, suggesting either that credentials were never rotated or attackers retained a foothold that Microsoft's initial cleanup failed to reach. The lack of disclosed customer impact figures and the incomplete picture of the original incident fueled concerns about the scope of the damage.


Sources


  • https://securityaffairs.com/193367/malware/miasma-worm-compromises-73-microsoft-github-repositories.html

  • https://thehackernews.com/2026/06/microsoft-restores-some-github-repos.html

  • https://thenextweb.com/news/miasma-worm-microsoft-github-supply-chain

  • https://www.linkedin.com/posts/mottik_miasma-worm-supply-chain-attack-compromises-activity-7469644112057716736-OfTW

  • https://www.reddit.com/r/cybersecurity/comments/1u02z59/73_microsoft_github_repositories_impacted_by

  • https://www.facebook.com/thehackernews/posts/-73-microsoft-github-repos-just-went-darkthey-were-hit-by-miasma-a-self-replicat/1387599486737964

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page