3 Sources
[1]
Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack
Microsoft's GitHub repositories have become the latest to fall victim to the ongoing Miasma self-replicating supply chain attack campaign. The incident impacted 73 Microsoft repositories across four of its GitHub organizations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs, per OpenSourceMalware. The development has led GitHub to disable access to those repositories. "Access to this repository has been disabled by GitHub Staff due to a violation of GitHub's terms of service," reads the message when attempting to access the "Azure/azure-functions-host" repository. "If you are the owner of the repository, you may reach out to GitHub Support for more information." According to OpenSourceMalware, the incident impacts the following repositories -
* azure-search-openai-demo-purviewdatasecurity
* Connectors-NET-LSP
* Connectors-NET-SDK
* durabletask
* durabletask-dotnet
* durabletask-go
* durabletask-js
* durabletask-mssql
* functions-container-action
* homebrew-functions
* llm-fine-tuning
* windows-driver-docs
What's notable about the latest campaign is the re-compromise of the "durabletask" PyPI package, which was infected by TeamPCP last month to deliver an information stealer on Linux systems. "A month later, not only is Azure/durabletask gone - so is every sibling repo in the Durable Task ecosystem, sitting one org over in Microsoft: the .NET, Go, Java, JS, MSSQL, Netherite, and protobuf implementations, plus the Durable Functions monitor," security researcher Paul McCarty (aka 6mile) said. "When the repo at the root of last month's compromise is the hub of this month's takedown, that is not a coincidence - that is the same wound reopening. Whoever held those credentials in May plausibly never fully lost them." Miasma is assessed to be a variant of the Mini Shai-Hulud worm that TeamPCP publicly released in mid-May 2026.
It has since continued to mutate and refine its tactics, even as it has infected more packages over the past couple of days, using various descriptions of the public repositories containing the stolen secrets -
* Miasma: The Spreading Blight
* Miasma : The Spreading Blight
* Miasma - The Spreading Blight
* Hades - The End for the Damned
As of writing, there are 13 repositories with the description "Hades - The End for the Damned" and 82 repositories with the remaining three naming patterns. Miasma has also been observed skipping the npm registry entirely, with the threat actors pushing malicious code directly to "icflorescu/mantine-datatable" and four related repositories: "mantine-contextmenu," "next-server-actions-parallel," "mantine-datatable-v6," and "mantine-contextmenu-v6." "The commit added no dependencies. It planted a 4.3 MB payload runner and wired it to execute automatically through five developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script," SafeDep said. "The attack detonates when a developer clones one of the affected repos and opens it in an AI coding agent. The dropper is the same staged Bun loader, here repurposed for GitHub source-repo persistence rather than registry poisoning." These software supply chain attacks have exposed the underlying weaknesses in the trust model that forms the basis of software delivery in open-source ecosystems, making it one of the most significant and sustained campaigns observed to date. What separates the activity from other incidents is its ability to exponentially propagate across the ecosystem by compromising downstream users and repeating the same cycle. "The worm's genius and the reason conventional defences largely failed is that it operates entirely within legitimate channels. It does not exploit a vulnerability in npm or GitHub," FalconFeeds.io said.
"It exploits the trust model those platforms are built on: the assumption that if a package is signed with a valid key and published by an authenticated maintainer, it is safe." "Shai-Hulud compromises the key and the maintainer, then proceeds to act exactly as a legitimate publisher would. From the registry's perspective, every malicious publish event is indistinguishable from a routine update."
[2]
Self-replicating Miasma worm hits 73 Microsoft GitHub repositories in supply chain attack
The Miasma worm hit 73 Microsoft GitHub repos across Azure and Microsoft orgs. It plants payloads that trigger in AI coding tools like Claude Code and Cursor. The self-replicating Miasma worm has reached Microsoft's own GitHub repositories. GitHub disabled 73 repositories across four Microsoft organisations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs, after the worm planted malicious code that harvests developer credentials. It is the most significant escalation yet in an ongoing supply chain attack campaign that has been spreading across the open-source ecosystem for weeks. The attack exploited previously compromised credentials. Last month, the threat group TeamPCP infected the "durabletask" PyPI package hosted in Microsoft's Azure organisation to deliver an information stealer. Security researcher Paul McCarty pointed out that the same repository is at the centre of this month's takedown. "When the repo at the root of last month's compromise is the hub of this month's takedown, that is not a coincidence, that is the same wound reopening," McCarty said. "Whoever held those credentials in May plausibly never fully lost them." What makes this campaign particularly dangerous is how the payload detonates. The attacker planted a 4.3 MB payload runner wired to execute automatically through five developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script. A developer only needs to clone an affected repo and open it in an AI coding agent for the malware to run. Once triggered, the Bun-based worm harvests credentials for AWS, Azure, GCP, Kubernetes, npm, and GitHub. It then uses those stolen tokens to commit itself into any repository the victim can write to, spreading autonomously across the ecosystem. Among the disabled repositories are critical Azure infrastructure projects: azure-search-openai-demo, durabletask and its .NET, Go, JS, and MSSQL implementations, functions-container-action, llm-fine-tuning, and windows-driver-docs. 
OpenSourceMalware reported that GitHub contained the attack within 105 seconds, but the scope of affected downstream users remains unclear. Miasma is a variant of the Mini Shai-Hulud worm that TeamPCP publicly released in mid-May 2026. The original Shai-Hulud appeared in September 2025 as the first self-replicating malware observed in the npm ecosystem. It has since mutated across npm and PyPI, previously compromising 32 Red Hat packages and hitting TanStack, Mistral AI, and UiPath packages. The worm has also begun skipping the npm registry entirely. SafeDep found it pushing malicious code directly to source repositories, including "icflorescu/mantine-datatable" and four related projects. As of writing, more than 80 public repositories on GitHub carry the Miasma campaign's naming pattern. The fundamental problem is not a vulnerability in npm or GitHub. "It exploits the trust model those platforms are built on," security firm FalconFeeds.io said in its analysis. "The assumption that if a package is signed with a valid key and published by an authenticated maintainer, it is safe." The worm compromises the key and the maintainer, then acts exactly like a legitimate publisher. From the registry's perspective, every malicious publish event looks like a routine update. The targeting of AI coding agents is a notable evolution. Developers increasingly rely on tools like Claude Code and Cursor to work with unfamiliar repositories. A worm that activates when an AI agent opens a project exploits a new behaviour pattern that did not exist a year ago. It is supply chain malware designed for the age of AI-assisted development.
[3]
IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks
Multiple software supply chain attacks have hit the npm ecosystem, with threat actors using both malicious and poisoned versions of over 50 legitimate packages to distribute a Rust-based information stealer and a self-spreading worm, respectively. According to JFrog, the information stealer "scrapes every secret it can find on a developer's machine, hides behind an eBPF kernel rootkit, and answers to its operator over Tor." The stealer also uses the stolen credentials as a propagation mechanism, drawing similarities to the infamous Shai-Hulud worm. The new malware has been codenamed IronWorm by the software supply chain security company. By publishing itself to the npm registry in the form of trojanized packages, the approach results in a self-replicating attack. The malicious activity has been traced back to a compromised npm account named "asteroiddao," which has been found to publish package versions containing the Rust ELF binary that's executed via a preinstall hook. The malware targets 86 environment variables, various files that may contain credentials associated with OpenAI Codex, Anthropic, Claude, Google Gemini, Cursor, Amazon Web Services (AWS), Docker, Kubernetes, and npm, vault configurations, and Exodus cryptocurrency wallet files. An unusual quirk worth mentioning here is that the stealer includes logic for the wallet data-stealing component to skip the threat actor's own wallet. As of writing, the cryptocurrency wallet is empty, and no transactions have been recorded. JFrog described IronWorm as "a supply chain weapon built to find secrets, modify projects, and inject malicious code to self-propagate across GitHub." The malicious commits, which span nine GitHub organizations, have been introduced under the author name "claude" ("[email protected]") in an attempt to mimic Anthropic's artificial intelligence (AI) chatbot. 
"The malicious npm package was published by asteroiddao; asteroiddao corresponds to the asteroid-dao GitHub organization; and ocrybit is a member of that organization, as well as related Arweave organizations," the company explained. "The malware stole ocrybit's credentials and used them to push commits across repositories it could access. Those commits planted malware into other packages, which could then be published and infect the next developer. And then it vanished." What's more, the malicious payload is equipped to swap existing GitHub Actions workflows for one that's capable of harvesting the secrets, writing it to a harmless-looking file, and uploading it as a build artifact, thereby eliminating the need for an external command-and-control (C2) server. The malware's capabilities don't end there. In CI environments, it abuses npm's Trusted Publishing flow to obtain short-lived tokens to push poisoned versions containing the malware to the registry. It also incorporates an eBPF payload that functions as a kernel-level rootkit to hide processes and thwart analysis. However, on systems where kernel lockdown is enabled, the process-hiding tricks fail, and the supposed processes and sockets become visible again.
Miasma Worm Surfaces Again
The disclosure comes as Endor Labs and StepSecurity shed light on a distinct supply chain attack campaign that has compromised 57 npm packages across more than 286 malicious versions to serve a new variant of the Miasma worm, which previously infected 32 packages across more than 90 versions under the @redhat-cloud-services npm namespace within 72 seconds earlier this week.
Some of the affected packages are listed below -
* ai-sdk-ollama
* autotel
* awaitly
* effect-analyzer
* eslint-plugin-awaitly
* executable-stories-cypress
* http-uploader-dev
* mountly
* node-env-resolver
* node-env-resolver-aws
The data stolen via the malware is exfiltrated to a now-inaccessible GitHub account "liuende501," which acted as an exfiltration point. As many as 236 repositories were staged in the account. It's presently not known if GitHub removed the account or if the threat actor themselves deleted it. "This wave uses a technique we are calling 'Phantom Gyp': instead of the preinstall or postinstall lifecycle scripts that security tools typically monitor, the attacker abuses a 157-byte binding.gyp file to trigger code execution during npm install, bypassing most install-script security checks entirely," StepSecurity researcher Sai Likhith said. Like in the case of Miasma, the attack chain is engineered to download and install the Bun JavaScript runtime, using it to load a comprehensive credential harvester that's tailored to extract secrets from AWS, Google Cloud, Microsoft Azure, HashiCorp Vault, Docker, Kubernetes, GitHub Actions, npm, RubyGems, PyPI, SSH, password managers, and AI assistants. "The most novel and concerning capability of this variant is its targeting of AI coding assistant configurations," the company said. "The malware injects persistent backdoor files into project repositories that execute whenever a developer opens the project in their AI-assisted IDE." Developers who have installed an affected version are advised to rotate credentials, turn off install scripts and native rebuilds by default, and ensure packages are pinned with integrity hashes. In an update shared this week, Red Hat revealed that the root cause behind the Miasma supply chain incident was likely a compromised GitHub account that was used to push unauthorized commits to repositories in the RedHatInsights GitHub organization.
"The payload operated across Linux, macOS, and Windows by dynamically downloading the correct Bun runtime for each platform, although Linux CI/CD runners appeared to be the primary target," Microsoft said of the campaign. "On developer systems, the malware stole Secure Shell (SSH) keys, command-line interface (CLI) credentials, browser and wallet data, while in CI/CD environments it scraped GitHub Actions runner memory for secrets, escalated privileges using passwordless sudo, and republished poisoned packages with forged Supply-chain Levels for Software Artifacts (SLSA) provenance to continue downstream propagation." The Miasma payload is assessed to be a derivative of the Shai-Hulud worm put to use by TeamPCP in recent campaigns, introducing largely "cosmetic" changes while keeping the underlying functionality similar. Despite the overlap in tradecraft, the attribution for the latest set of attacks remains unclear, given that TeamPCP has publicly released the Shai-Hulud code. OX Security has since uncovered additional stages in the Miasma attack chain, including searches for GitHub commits containing the string "firedalazer" (replacing the previously flagged "FIRESCALE" dead drop) to retrieve another payload, a JavaScript file ("index.js") that contains an alternative version of the Shai-Hulud worm, effectively transforming the infection into a perpetual loop. In this case, the stolen data is exfiltrated to public GitHub repositories, each carrying the description "Miasma: The Spreading Blight" or "Miasma - The Spreading Blight." It's important to note here that the previous version reads "Miasma: The Spreading Blight," which does not have a space between Miasma and the ":" symbol. There are currently 82 such repositories created on user accounts "0tabek16" and "windy629." 
"The threat actor can dynamically change the 'firedalazer' commits in GitHub, making new versions of the malware, more adaptive and more sophisticated," security researchers Moshe Siman Tov Bustan and Nir Zadok said. "This turns GitHub into something more dangerous than a dead drop. It's an adaptive C2 - one that piggybacks on a trusted, widely whitelisted platform, making network-level detection nearly useless. Most security tools aren't configured to treat GitHub traffic as suspicious. The threat actor knows this."
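An audit for the "Phantom Gyp" path and the integrity-hash advice described in source [3], as an added example that is not code from the article or from the vendors it quotes. It flags installed packages that can run code during npm install, including a binding.gyp with no declared install script (npm then defaults to `node-gyp rebuild`), and lists lockfile entries without an integrity hash; the package names and the sample tree are constructed.

```python
import json
import tempfile
from pathlib import Path

LIFECYCLE = ("preinstall", "install", "postinstall")

def installed_packages(node_modules: Path):
    """Yield package roots: node_modules/<name> and node_modules/@scope/<name>."""
    for manifest in sorted(node_modules.rglob("package.json")):
        pkg, parent = manifest.parent, manifest.parent.parent
        scoped = parent.name.startswith("@") and parent.parent.name == "node_modules"
        if parent.name == "node_modules" or scoped:
            yield pkg

def audit_package(pkg: Path) -> list:
    """Return the install-time execution paths one package exposes."""
    try:
        data = json.loads((pkg / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return ["unreadable package.json"]
    scripts = data.get("scripts") if isinstance(data, dict) else None
    scripts = scripts if isinstance(scripts, dict) else {}
    findings = [f"lifecycle script: {name}" for name in LIFECYCLE if name in scripts]
    # npm falls back to `node-gyp rebuild` when binding.gyp sits in the package
    # root and neither `install` nor `preinstall` is declared.
    if (pkg / "binding.gyp").is_file() and not {"install", "preinstall"} & scripts.keys():
        findings.append("implicit node-gyp rebuild (binding.gyp, no install script)")
    return findings

def audit_tree(node_modules: Path) -> dict:
    """Map each flagged package (path under node_modules) to its findings."""
    report = {p.relative_to(node_modules).as_posix(): audit_package(p)
              for p in installed_packages(node_modules)}
    return {name: found for name, found in report.items() if found}

def unpinned_lock_entries(lock: dict) -> list:
    """Entries of a v2/v3 package-lock.json that lack an integrity hash."""
    return sorted(
        path for path, meta in lock.get("packages", {}).items()
        if "node_modules/" in path and not meta.get("integrity")
        and not meta.get("link") and not meta.get("inBundle")
    )

def build_sample_tree(root: Path) -> Path:
    """Constructed sample: four made-up packages, no real payloads."""
    samples = {
        "example-clean": ({}, False),
        "example-hooked": ({"postinstall": "node setup.js"}, False),
        "example-native": ({"install": "node-gyp rebuild"}, True),
        "@example/phantom": ({"test": "node test.js"}, True),
    }
    for name, (scripts, has_gyp) in samples.items():
        pkg = root / "node_modules" / name
        pkg.mkdir(parents=True)
        (pkg / "package.json").write_text(json.dumps({"name": name, "scripts": scripts}))
        if has_gyp:
            (pkg / "binding.gyp").write_text('{"targets": []}')
    return root / "node_modules"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(json.dumps(audit_tree(build_sample_tree(Path(tmp))), indent=2))
```

A scanner that only reads the "scripts" section reports "@example/phantom" as clean; the binding.gyp check is what surfaces it.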
The self-replicating Miasma worm has infiltrated 73 Microsoft GitHub repositories across Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations. The malware exploits AI coding tools like Claude Code and Cursor to harvest developer credentials and spread autonomously. GitHub disabled the affected repositories within 105 seconds, but the incident marks a significant escalation in ongoing supply chain attacks targeting open-source ecosystems.
Microsoft has become the latest high-profile victim of the Miasma worm, a self-replicating malware campaign that compromised 73 Microsoft GitHub repositories across four organizations including Azure, Azure-Samples, Microsoft, and MicrosoftDocs [1]. GitHub disabled access to the affected repositories within 105 seconds of detection, displaying violation notices to users attempting to access projects like "Azure/azure-functions-host" [2]. This supply chain attack represents the most significant escalation yet in a campaign that has been spreading across open-source platforms for weeks, exposing critical vulnerabilities in how developers trust and interact with code repositories.
The incident impacted critical Azure infrastructure projects including azure-search-openai-demo-purviewdatasecurity, durabletask and its implementations across .NET, Go, Java, JS, and MSSQL, functions-container-action, llm-fine-tuning, and windows-driver-docs. What makes this breach particularly concerning is the re-compromise of the "durabletask" PyPI package, which was previously infected by TeamPCP last month to deliver an information stealer on Linux systems.
The Miasma worm employs a novel attack vector that specifically targets AI coding agents, marking a dangerous evolution in supply chain malware. The attacker planted a 4.3 MB payload runner wired to execute automatically through five developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script [2]. The payload detonates when a developer simply clones an affected repository and opens it in an AI coding assistant—a common workflow that didn't exist a year ago.
Once triggered, the Bun-based worm harvests compromised developer credentials for AWS, Azure, GCP, Kubernetes, npm, and GitHub. The credential theft mechanism enables the malware to commit itself into any repository the victim can write to, spreading autonomously across the ecosystem. Security researcher Paul McCarty noted that "when the repo at the root of last month's compromise is the hub of this month's takedown, that is not a coincidence—that is the same wound reopening" [1]. This suggests whoever held those credentials in May never fully lost access.
Parallel to the Miasma worm attacks, a new threat called IronWorm has emerged targeting the npm ecosystem with trojanized npm packages [3]. JFrog researchers discovered this Rust-based information stealer that scrapes every secret on a developer's machine, hides behind an eBPF kernel rootkit, and communicates with operators over Tor. The malware targets 86 environment variables and various files containing credentials for OpenAI Codex, Anthropic, Claude, Google Gemini, Cursor, Amazon Web Services, Docker, Kubernetes, npm, vault configurations, and Exodus cryptocurrency wallet files.
The malicious activity traces back to a compromised npm account named "asteroiddao," which published package versions containing the Rust ELF binary executed via a preinstall hook [3]. IronWorm functions as "a supply chain weapon built to find secrets, modify projects, and inject malicious code to self-propagate across GitHub," according to JFrog. The malicious commits span nine GitHub organizations and were introduced under the author name "claude" in an attempt to mimic Anthropic's AI chatbot.
Endor Labs and StepSecurity identified a distinct campaign that compromised 57 npm packages across more than 286 malicious versions to serve a new variant of the Miasma worm [3]. This wave employs a technique called "Phantom Gyp"—instead of preinstall or postinstall lifecycle scripts that security tools typically monitor, the attacker abuses a 157-byte binding.gyp file to trigger code execution during npm install, bypassing most install-script security checks entirely.
Affected packages include ai-sdk-ollama, autotel, awaitly, effect-analyzer, eslint-plugin-awaitly, executable-stories-cypress, http-uploader-dev, mountly, node-env-resolver, and node-env-resolver-aws [3]. The stolen data was exfiltrated to a now-inaccessible GitHub account "liuende501," which staged 236 repositories as an exfiltration point before being removed.
These coordinated attacks expose fundamental weaknesses in the trust model underpinning software delivery in open-source ecosystems. As FalconFeeds.io explained, "The worm's genius and the reason conventional defences largely failed is that it operates entirely within legitimate channels. It does not exploit a vulnerability in npm or GitHub. It exploits the trust model those platforms are built on: the assumption that if a package is signed with a valid key and published by an authenticated maintainer, it is safe" [1].
The Miasma worm compromises the key and the maintainer, then proceeds to act exactly as a legitimate publisher would. From the registry's perspective, every malicious publish event is indistinguishable from a routine update. This represents one of the most significant and sustained campaigns observed to date, with self-replicating malware designed specifically for the age of AI-assisted development [2]. As of writing, more than 80 public repositories on GitHub carry the Miasma campaign's naming patterns including "Miasma: The Spreading Blight" and "Hades - The End for the Damned" [1].
Summarized by Navi