9 Sources
[1]
For the 2nd time in weeks, Microsoft packages laced with credential stealer
Dozens of cryptographically verified open source packages from Microsoft were compromised late last week to add advanced credential-stealing code that was triggered when developers opened them in AI coding agents. In all, multiple researchers said, 73 packages were flagged as malicious when automated systems on GitHub blocked them on the platform. Rather than noting they are malicious -- and that developers who used AI agents to work with them should assume their systems are compromised -- the Microsoft-owned GitHub said it disabled the packages "due to a violation of GitHub's terms of service." The text went on to encourage the package owner to contact GitHub.
Devs: Assume compromise and proceed accordingly
It wasn't until Monday that Microsoft even raised the possibility the packages were infected. In an email, the company stated: "We have temporarily removed some repositories as we investigate potential malicious content." The incident is the second supply-chain attack in as many months to breach an official Microsoft repository account. In mid May, the firm StepSecurity documented the compromise of Microsoft's durabletask Python SDK on PyPI. The package is a framework for building fault-tolerant workflows and orchestrations to automate distributed transactions and other workflows. It receives 400,000 downloads per month. The compromised packages executed a 28 KB payload that steals credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations. It then spreads laterally through cloud infrastructures to infect other developer machines. The attack, which has been linked to a threat actor tracked as TeamPCP, poisoned the durabletask package after compromising Microsoft credentials for publishing the package. The technique allows attackers to bypass the repository's build pipeline entirely. The malware used in the attack is tracked as Miasma.
It's essentially a clone of TeamPCP's Mini Shai-Hulud toolkit, which the threat actor open-sourced recently. Security firm Cloudsmith said the malware harvests OIDC (OpenID-Connect) token credentials that are used in SLSA (Supply-chain Levels for Software Artifacts) provenance attestation, a method for providing cryptographically signed guarantees of a software's integrity. As was the case in the May compromise of Microsoft's durabletask, the one last week made use of the functionality to steal a legitimate Microsoft OIDC token. It was also used in a separate supply-chain attack poisoning dozens of Red Hat packages. "The genius of this Miasma worm lies in how it adhered to legitimate workflows," Cloudsmith said. "It does not exploit any software vulnerability in GitHub or npm. Instead, it exploits the underlying trust model of the modern engineering ecosystem." The company continued: Compromised dev creds led to a legitimate GitHub OIDC token being requested. This was followed by a malicious build being published with valid SLSA provenance, which ultimately led to conventional scanners seeing it as a routine trusted update. By stealing legitimate maintainer credentials, the worm was able to act exactly as an authenticated publisher would have. Furthermore, Miasma generates a uniquely encrypted payload for each individual infection. This means traditional hash-based IOCs are functionally useless for broad detection, as the file signature changes with every single package version. Andrew McNamara of Red Hat explained in a dedicated blog post where SLSA's boundaries fall short. While previous iterations of the Mini Shai-Hulud malware have focused purely on local secret scraping, the Miasma worm appears to have advanced data collectors specifically engineered for cloud identities in GCP and Azure. 
It attempts to harvest every cloud identity the infected developer machine and CI/CD runners have access to, proving a clear intent from the threat actors to leverage access away from the codebase and directly into live cloud environments. The credential-stealing function in the Miasma worm infecting the Microsoft packages was triggered as soon as a developer opened it in AI agents, including Claude Code, Gemini CLI, Cursor, and VS Code. Follow-on attacks are likely to occur in the highly feasible event that credentials were successfully harvested from machines that opened the packages in one of the affected AI agents. The Microsoft GitHub account compromised in the May attack is the same one used late last week. The explanation for this double compromise isn't currently known. It may mean that Microsoft failed to fully change credentials for the account. It might also be the result of an unknown package run on a Microsoft developer machine that stole the new credentials. Microsoft isn't providing details at the moment. The self-replicating cryptographic verification of the malicious packages and the ability to bypass hash-based detection make the attacks difficult to detect. And as the subsequent compromise of the same Microsoft account shows, these breaches can be hard to fully remediate. Anyone who touched any one of the 73 packages -- listed here -- should drop whatever else they're doing and thoroughly investigate, lest there are any compromised credentials that will be used in future attacks.
[2]
GitHub nukes 70+ Microsoft repos, breaks CI/CD pipelines, following suspected worm infections
Microsoft's GitHub has disabled over 70 repositories after they were reportedly compromised by a worm in the latest open source supply chain attack. The code shack took down 73 repos within the space of 105 seconds after its alarms were tripped on Friday, June 5, after detecting signs of the Miasma worm infecting its projects, according to StepSecurity's co-founder and CTO, Ashish Kurmi. Users reported issues quickly on Friday, after visits to those repos all resulted in the same message displayed, indicating that they had been disabled due to terms of service violations. According to StepSecurity's analysis, the attack kicked off after a compromised contributor account pushed a malicious commit to Azure/durabletask. The commit dropped configuration files that triggered remote code execution on machines when a developer opened the repo in an IDE or AI coding tool, such as Claude Code, Gemini CLI, and Cursor. Several developers soon reported broken CI/CD pipelines, a support thread showed, although a moderator said at the time this was due to "an internal management issue." "The repo that most immediately caused issues was Azure/functions-action," Kurmi wrote, used to deploy code to Azure. With it being taken down, every workflow that referenced Azure/functions-action@v1 stopped resolving. GitHub stepped in a few hours after the repos were infected by the malicious commit. Its automated detections kicked in and disabled the repos in under two minutes, in two separate waves. However, it was the borking of the durabletask family that hinted at the bigger picture, that the attack was indeed a re-opening of the previous Miasma worm attack that hit Microsoft last month. Microsoft's durabletask PyPi package was a previous target of the Miasma worm on May 19. 
Within a 35-minute window, three versions of the package were uploaded to PyPi, which planted infostealers on developers' machines, specifically sniffing out cloud secrets and developer tool configurations on Linux systems. Crucially, the re-targeting of durabletask suggests the tokens associated with the compromised developer account used to execute the PyPi attack were not fully rotated, allowing an attacker to gain access and push commits to GitHub, Kurmi said. It was either that, or the contributor was re-compromised through the worm's own propagation loop, or a different contributor's token was used but the attacker altered the metadata to make it look like a repeated attack. Security shop Snyk described Miasma as a descendant of the Mini Shai Hulud worm. It's the same one that ravaged open source packages over at the npm registry, including Red Hat's, earlier this month. Cybercrime group TeamPCP claimed responsibility for developing Mini Shai Hulud, which itself is named after an earlier worm of the same name, sans "mini." However, because TeamPCP open-sourced Mini Shai Hulud, it's difficult to tell whether it was also behind Miasma or if someone else took the reins on the follow-up project. StepSecurity also reported that two days before the Microsoft attack, the same worm was making a nuisance of itself at npm, compromising more than 50 packages, including a Vapi.ai SDK with more than 408,000 monthly downloads. The Register asked Microsoft for comment, but it did not immediately respond. ®
[3]
GitHub disables Microsoft repos pushing password-stealing malware
Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub, disrupting continuous integration pipelines. The incident occurred on June 5, and it was contained within just 105 seconds. The company told BleepingComputer that the repositories were removed due to concerns that they distributed "potential malicious content." Multiple researchers confirmed that the repos were pulled after a compromise during a Miasma/Shai-Hulud supply-chain campaign. The OpenSourceMalware platform notes that 'durabletask', a repository in Microsoft's Azure organization on GitHub, was compromised in May, indicating that an incomplete cleanup allowed the threat actor to return with a new compromise. However, this has not been confirmed. Immediately after removing the repositories, a message was displayed explaining that the action was taken by the GitHub Staff "due to a violation of GitHub's terms of service." A Microsoft representative responded to user concerns in a community discussion, stating that the repositories were disabled because of "an internal management issue" and that an investigation was underway. The most significant immediate effect of this incident was disabling access to 'Azure/functions-action,' a GitHub Action used by many developers to deploy Azure Functions. Workflows referencing it stopped working because there was nothing in the specified repository to resolve the action, causing an outage and confusion. At the time of writing, though, all repositories have been restored and are considered clean and safe to use. However, the OpenSourceMalware platform notes that the 'durabletask' package on the Python Package Index (PyPI) had been compromised in May when the threat actor pushed three malicious versions (1.4.1, 1.4.2, 1.4.3). In a statement for BleepingComputer, a Microsoft spokesperson explained that the company "temporarily removed some repositories as we investigated potential malicious content."
While all repositories have been restored, Microsoft "notified a small number of customers who may have pulled down content from the affected repositories." "We will continue to investigate, and if anything further is identified that requires customer action, we will reach out directly through our established support channels," a Microsoft spokesperson told us. Security engineer Adnan Khan said that the June 5th incident affecting Microsoft repositories appeared to be part of the Miasma malware campaign that infected 32 of Red Hat's npm packages. In a report this week, software supply chain management company Cloudsmith concluded that Microsoft's Azure environment on GitHub and the 'durabletask' repository were compromised via Miasma, which targeted AI coding tools (e.g., Claude Code, Gemini CLI, VS Code, Cursor). The hacker pivoted from Red Hat's npm packages to Microsoft's resources on GitHub. "The worm initially struck the @redhat-cloud-services npm namespace by compromising a Red Hat employee's GitHub account. By pushing unreviewed orphan commits to internal repos, the threat actors injected a minimal workflow that requested GitHub's OIDC tokens," the researchers said. Supply-chain attacks continue to target open-source ecosystems. Yesterday, application security company Socket reported that it spotted a new Shai-Hulud attack over the weekend that relied on a new delivery mechanism. StepSecurity published a separate report focusing on a Shai-Hulud attack impacting Pythagora-io/gpt-pilot, a popular open-source AI developer tool with more than 33,700 GitHub stars and over 3,500 forks. Software developers should consider locking their project dependencies, adding multi-day time delays to fetch new package updates, and testing new builds on isolated environments.
[4]
Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues
Microsoft on Monday confirmed that it temporarily removed some GitHub repositories in response to a recent security incident that led to 73 of its open-source projects being compromised to inject an information stealer into the code. "Our priority is to protect customers and the broader ecosystem," a Microsoft spokesperson told The Hacker News via email. "We temporarily removed some repositories as we investigated potential malicious content. Some of these repos have been restored after review, while others may remain offline while work continues." "As part of our investigation, we notified a small number of customers who may have pulled down content from the affected repositories. We will continue to investigate, and if anything further is identified that requires customer action, we will reach out directly through our established support channels." The development comes days after the Windows maker cut off access to dozens of its open-source projects hosted on GitHub following reports that they were compromised as part of an ongoing software supply chain campaign codenamed Miasma. Among the projects that were infected included "durabletask," a Python package that was first compromised last month by a cybercrime group known as TeamPCP to deliver an information stealer designed for Linux systems. Further analysis of the Miasma payload embedded into the projects has uncovered capabilities to trigger automatic code execution when an unsuspecting developer opens the repository in an artificial intelligence (AI)-powered coding tool or integrated development environment (IDE). The findings are the latest in a sustained software supply chain campaign that has breached widely used open-source packages to plant malware capable of propagating to downstream users and beyond. 
This includes a newer PyPI wave tied to the broader Mini Shai-Hulud, Miasma, and Hades waves, infecting an additional set of 23 packages, including some bioinformatics-related libraries used in graph learning, patient phenotyping, phenopacket tooling, and scientific workflows. Some of the other packages include a set of AI and Model Context Protocol (MCP)-themed packages and typosquat-style packages such as rsquests, tlask, and rlask that impersonate requests and flask, and a langchain-core-mcp. The complete list of legitimate and bait packages is below:
* dreamgen 1.8.1
* embiggen 0.11.97
* ensmallen 0.8.101
* gpsea 0.9.14
* instructor-mcp 1.15.2, 1.15.3
* langchain-core-mcp 1.4.2, 1.4.3
* mem8 6.0.1
* mflux-streamlit 0.0.3, 0.0.4
* openai-mcp 2.41.1, 2.41.2
* orchestr8-platform 3.3.2
* phenopacket-store-toolkit 0.1.7
* ppkt2synergy 0.1.1
* pyphetools 0.9.120
* ray-mcp-server 0.2.1
* rlask 3.1.7
* rsquests 2.34.3
* tiktoken-mcp 0.13.1, 0.13.2
* tlask 3.1.4
The new cluster employs a new payload delivery mechanism, per Socket, indicating that the threat actors are adapting and actively experimenting with different methods as part of what has been described as a "fast-moving supply chain campaign." While the earlier packages used executable .pth startup hooks to bootstrap Bun and run an obfuscated JavaScript stealer, the latest set incorporates different approaches:
* Trojanized native .abi3.so extensions that execute the stealer when the package is imported
* A .pth startup hook loader variant that searches sys.path for the "_index.js" payload instead of bundling the payload in the same wheel
"That last variant separates the loader from the JavaScript payload, which could make the package look less obviously malicious during static analysis," Socket told The Hacker News. Regardless of the method used, the end result is the same.
Once executed, the malware targets developer workstations and CI/CD environments, harvesting high-value secrets and exfiltrating them to a public GitHub repository. A key capability of the bioinformatics package is its ability to derail and bypass AI-powered scanners and analyst copilots by means of an adversarial prompt injection embedded within a JavaScript block comment, a feature previously detailed by StepSecurity. "The Hades branch of the Shai-Hulud and Miasma activity is best understood as a fast-moving supply chain campaign, not a single package incident," Socket researcher Kirill Boychenko said. "The langchain-core-mcp variant goes further by installing a .pth loader that searches sys.path for _index.js, meaning the loader and payload do not need to live in the same wheel."
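An added example, not code from Socket, StepSecurity or any article quoted here: a Python audit for the PyPI wave in source [4]. It matches pinned or installed versions against the name/version list given above, lists the `import` lines in `.pth` files (the lines Python's `site` module executes at interpreter startup), and reports an `_index.js` file in a scanned directory. Treating each hit as something to review rather than a verdict is an assumption of this example, since benign tools also ship executable `.pth` lines.

```python
import re
import sys
from importlib import metadata
from pathlib import Path

# Name/version pairs copied from the package list in the article above.
AFFECTED = {
    "dreamgen": {"1.8.1"},
    "embiggen": {"0.11.97"},
    "ensmallen": {"0.8.101"},
    "gpsea": {"0.9.14"},
    "instructor-mcp": {"1.15.2", "1.15.3"},
    "langchain-core-mcp": {"1.4.2", "1.4.3"},
    "mem8": {"6.0.1"},
    "mflux-streamlit": {"0.0.3", "0.0.4"},
    "openai-mcp": {"2.41.1", "2.41.2"},
    "orchestr8-platform": {"3.3.2"},
    "phenopacket-store-toolkit": {"0.1.7"},
    "ppkt2synergy": {"0.1.1"},
    "pyphetools": {"0.9.120"},
    "ray-mcp-server": {"0.2.1"},
    "rlask": {"3.1.7"},
    "rsquests": {"2.34.3"},
    "tiktoken-mcp": {"0.13.1", "0.13.2"},
    "tlask": {"3.1.4"},
}

# name, optional [extras], then an exact pin; stops before markers, hashes, comments.
PIN = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#\\]+)"
)


def normalize(name):
    """PEP 503 normalisation, so Langchain_Core.MCP equals langchain-core-mcp."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text):
    """Extract (name, version) pairs from requirements or `pip freeze` text."""
    pins = []
    for line in text.splitlines():
        match = PIN.match(line)
        if match:
            pins.append((normalize(match.group(1)), match.group(2)))
    return pins


def flag_affected(pins):
    """Return the sorted pins whose exact version is on the affected list."""
    return sorted(
        {(normalize(n), v) for n, v in pins if v in AFFECTED.get(normalize(n), ())}
    )


def executable_pth_lines(text):
    """Lines that site.py executes: those starting with 'import' + space or tab."""
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def scan_dir(directory):
    """Map file name -> findings for one sys.path directory."""
    directory = Path(directory)
    findings = {}
    for pth in sorted(directory.glob("*.pth")):
        lines = executable_pth_lines(pth.read_text(errors="replace"))
        if lines:
            findings[pth.name] = lines
    if (directory / "_index.js").is_file():
        # File name the loader variant described above searches sys.path for.
        findings["_index.js"] = ["JavaScript file named like the reported payload"]
    return findings


def installed_pins():
    """(name, version) for every distribution visible to this interpreter."""
    return [
        (normalize(d.metadata["Name"]), d.version)
        for d in metadata.distributions()
        if d.metadata["Name"]
    ]


if __name__ == "__main__":
    print("affected installs:", flag_affected(installed_pins()))
    for entry in sys.path:
        if entry and Path(entry).is_dir():
            for name, lines in scan_dir(entry).items():
                print(f"{entry}/{name}: {lines}")
```
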
[5]
Self-replicating Miasma worm hits 73 Microsoft GitHub repositories in supply chain attack
The Miasma worm hit 73 Microsoft GitHub repos across Azure and Microsoft orgs. It plants payloads that trigger in AI coding tools like Claude Code and Cursor. The self-replicating Miasma worm has reached Microsoft's own GitHub repositories. GitHub disabled 73 repositories across four Microsoft organisations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs, after the worm planted malicious code that harvests developer credentials. It is the most significant escalation yet in an ongoing supply chain attack campaign that has been spreading across the open-source ecosystem for weeks. The attack exploited previously compromised credentials. Last month, the threat group TeamPCP infected the "durabletask" PyPI package hosted in Microsoft's Azure organisation to deliver an information stealer. Security researcher Paul McCarty pointed out that the same repository is at the centre of this month's takedown. "When the repo at the root of last month's compromise is the hub of this month's takedown, that is not a coincidence, that is the same wound reopening," McCarty said. "Whoever held those credentials in May plausibly never fully lost them." What makes this campaign particularly dangerous is how the payload detonates. The attacker planted a 4.3 MB payload runner wired to execute automatically through five developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script. A developer only needs to clone an affected repo and open it in an AI coding agent for the malware to run. Once triggered, the Bun-based worm harvests credentials for AWS, Azure, GCP, Kubernetes, npm, and GitHub. It then uses those stolen tokens to commit itself into any repository the victim can write to, spreading autonomously across the ecosystem. Among the disabled repositories are critical Azure infrastructure projects: azure-search-openai-demo, durabletask and its .NET, Go, JS, and MSSQL implementations, functions-container-action, llm-fine-tuning, and windows-driver-docs. 
OpenSourceMalware reported that GitHub contained the attack within 105 seconds, but the scope of affected downstream users remains unclear. Miasma is a variant of the Mini Shai-Hulud worm that TeamPCP publicly released in mid-May 2026. The original Shai-Hulud appeared in September 2025 as the first self-replicating malware observed in the npm ecosystem. It has since mutated across npm and PyPI, previously compromising 32 Red Hat packages and hitting TanStack, Mistral AI, and UiPath packages. The worm has also begun skipping the npm registry entirely. SafeDep found it pushing malicious code directly to source repositories, including "icflorescu/mantine-datatable" and four related projects. As of writing, more than 80 public repositories on GitHub carry the Miasma campaign's naming pattern. The fundamental problem is not a vulnerability in npm or GitHub. "It exploits the trust model those platforms are built on," security firm FalconFeeds.io said in its analysis. "The assumption that if a package is signed with a valid key and published by an authenticated maintainer, it is safe." The worm compromises the key and the maintainer, then acts exactly like a legitimate publisher. From the registry's perspective, every malicious publish event looks like a routine update. The targeting of AI coding agents is a notable evolution. Developers increasingly rely on tools like Claude Code and Cursor to work with unfamiliar repositories. A worm that activates when an AI agent opens a project exploits a new behaviour pattern that did not exist a year ago. It is supply chain malware designed for the age of AI-assisted development.
[6]
Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack
Microsoft's GitHub repositories have become the latest to fall victim to the ongoing Miasma self-replicating supply chain attack campaign. The incident impacted 73 Microsoft repositories across four of its GitHub organizations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs, per OpenSourceMalware. The development has prompted GitHub to disable access to those repositories. "Access to this repository has been disabled by GitHub Staff due to a violation of GitHub's terms of service," reads the message when attempting to access the "Azure/azure-functions-host" repository. "If you are the owner of the repository, you may reach out to GitHub Support for more information." According to OpenSourceMalware, the incident impacts the following repositories:
* azure-search-openai-demo-purviewdatasecurity
* Connectors-NET-LSP
* Connectors-NET-SDK
* durabletask
* durabletask-dotnet
* durabletask-go
* durabletask-js
* durabletask-mssql
* functions-container-action
* homebrew-functions
* llm-fine-tuning
* windows-driver-docs
What's notable about the latest campaign is the re-compromise of the "durabletask" PyPI package, which was infected by TeamPCP last month to deliver an information stealer on Linux systems. "A month later, not only is Azure/durabletask gone - so is every sibling repo in the Durable Task ecosystem, sitting one org over in Microsoft: the .NET, Go, Java, JS, MSSQL, Netherite, and protobuf implementations, plus the Durable Functions monitor," security researcher Paul McCarty (aka 6mile) said. "When the repo at the root of last month's compromise is the hub of this month's takedown, that is not a coincidence - that is the same wound reopening. Whoever held those credentials in May plausibly never fully lost them." Miasma is assessed to be a variant of the Mini Shai-Hulud worm that TeamPCP publicly released in mid-May 2026.
It has since continued to mutate and refine its tactics, even as it has infected more packages over the past couple of days, using various descriptions of the public repositories containing the stolen secrets:
* Miasma: The Spreading Blight
* Miasma : The Spreading Blight
* Miasma - The Spreading Blight
* Hades - The End for the Damned
As of writing, there are 13 repositories with the description "Hades - The End for the Damned" and 82 repositories with the remaining three naming patterns. Miasma has also been observed skipping the npm registry entirely, with the threat actors pushing malicious code directly to "icflorescu/mantine-datatable" and four related repositories: "mantine-contextmenu," "next-server-actions-parallel," "mantine-datatable-v6," and "mantine-contextmenu-v6." "The commit added no dependencies. It planted a 4.3 MB payload runner and wired it to execute automatically through five developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script," SafeDep said. "The attack detonates when a developer clones one of the affected repos and opens it in an AI coding agent. The dropper is the same staged Bun loader, here repurposed for GitHub source-repo persistence rather than registry poisoning." These software supply chain attacks have exposed the underlying weaknesses in the trust model that forms the basis of software delivery in open-source ecosystems, making it one of the most significant and sustained campaigns observed to date. What separates the activity from other incidents is its ability to exponentially propagate across the ecosystem by compromising downstream users and repeating the same cycle. "The worm's genius and the reason conventional defences largely failed is that it operates entirely within legitimate channels. It does not exploit a vulnerability in npm or GitHub," FalconFeeds.io said.
"It exploits the trust model those platforms are built on: the assumption that if a package is signed with a valid key and published by an authenticated maintainer, it is safe." "Shai-Hulud compromises the key and the maintainer, then proceeds to act exactly as a legitimate publisher would. From the registry's perspective, every malicious publish event is indistinguishable from a routine update."
[7]
IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks
Multiple software supply chain attacks have hit the npm ecosystem, with threat actors using both malicious and poisoned versions of over 50 legitimate packages to distribute a Rust-based information stealer and a self-spreading worm, respectively. According to JFrog, the information stealer "scrapes every secret it can find on a developer's machine, hides behind an eBPF kernel rootkit, and answers to its operator over Tor." The stealer also uses the stolen credentials as a propagation mechanism, drawing similarities to the infamous Shai-Hulud worm. The new malware has been codenamed IronWorm by the software supply chain security company. By publishing itself to the npm registry in the form of trojanized packages, the approach results in a self-replicating attack. The malicious activity has been traced back to a compromised npm account named "asteroiddao," which has been found to publish package versions containing the Rust ELF binary that's executed via a preinstall hook. The malware targets 86 environment variables, various files that may contain credentials associated with OpenAI Codex, Anthropic, Claude, Google Gemini, Cursor, Amazon Web Services (AWS), Docker, Kubernetes, and npm, vault configurations, and Exodus cryptocurrency wallet files. An unusual quirk worth mentioning here is that the stealer includes logic for the wallet data-stealing component to skip the threat actor's own wallet. As of writing, the cryptocurrency wallet is empty, and no transactions have been recorded. JFrog described IronWorm as "a supply chain weapon built to find secrets, modify projects, and inject malicious code to self-propagate across GitHub." The malicious commits, which span nine GitHub organizations, have been introduced under the author name "claude" ("[email protected]") in an attempt to mimic Anthropic's artificial intelligence (AI) chatbot. 
"The malicious npm package was published by asteroiddao; asteroiddao corresponds to the asteroid-dao GitHub organization; and ocrybit is a member of that organization, as well as related Arweave organizations," the company explained. "The malware stole ocrybit's credentials and used them to push commits across repositories it could access. Those commits planted malware into other packages, which could then be published and infect the next developer. And then it vanished." What's more, the malicious payload is equipped to swap existing GitHub Actions workflows for one that's capable of harvesting the secrets, writing it to a harmless-looking file, and uploading it as a build artifact, thereby eliminating the need for an external command-and-control (C2) server. The malware's capabilities don't end there. In CI environments, it abuses npm's Trusted Publishing flow to obtain short-lived tokens to push poisoned versions containing the malware to the registry. It also incorporates an eBPF payload that functions as a kernel-level rootkit to hide processes and thwart analysis. However, on systems where kernel lockdown is enabled, the process-hiding tricks fail, and the supposed processes and sockets become visible again.
Miasma Worm Surfaces Again
The disclosure comes as Endor Labs and StepSecurity shed light on a distinct supply chain attack campaign that has compromised 57 npm packages across more than 286 malicious versions to serve a new variant of the Miasma worm, which previously infected 32 packages across more than 90 versions under the @redhat-cloud-services npm namespace within 72 seconds earlier this week.
Some of the affected packages are listed below:
* ai-sdk-ollama
* autotel
* awaitly
* effect-analyzer
* eslint-plugin-awaitly
* executable-stories-cypress
* http-uploader-dev
* mountly
* node-env-resolver
* node-env-resolver-aws
The data stolen via the malware is exfiltrated to a now-inaccessible GitHub account "liuende501," which acted as an exfiltration point. As many as 236 repositories were staged in the account. It's presently not known if GitHub removed the account or if the threat actor themselves deleted it. "This wave uses a technique we are calling 'Phantom Gyp': instead of the preinstall or postinstall lifecycle scripts that security tools typically monitor, the attacker abuses a 157-byte binding.gyp file to trigger code execution during npm install, bypassing most install-script security checks entirely," StepSecurity researcher Sai Likhith said. Like in the case of Miasma, the attack chain is engineered to download and install the Bun JavaScript runtime, using it to load a comprehensive credential harvester that's tailored to extract secrets from AWS, Google Cloud, Microsoft Azure, HashiCorp Vault, Docker, Kubernetes, GitHub Actions, npm, RubyGems, PyPI, SSH, password managers, and AI assistants. "The most novel and concerning capability of this variant is its targeting of AI coding assistant configurations," the company said. "The malware injects persistent backdoor files into project repositories that execute whenever a developer opens the project in their AI-assisted IDE." Developers who have installed an affected version are advised to rotate credentials, turn off install scripts and native rebuilds by default, and ensure packages are pinned with integrity hashes. In an update shared this week, Red Hat revealed that the root cause behind the Miasma supply chain incident was likely a compromised GitHub account that was used to push unauthorized commits to repositories in the RedHatInsights GitHub organization.
"The payload operated across Linux, macOS, and Windows by dynamically downloading the correct Bun runtime for each platform, although Linux CI/CD runners appeared to be the primary target," Microsoft said of the campaign. "On developer systems, the malware stole Secure Shell (SSH) keys, command-line interface (CLI) credentials, browser and wallet data, while in CI/CD environments it scraped GitHub Actions runner memory for secrets, escalated privileges using passwordless sudo, and republished poisoned packages with forged Supply-chain Levels for Software Artifacts (SLSA) provenance to continue downstream propagation." The Miasma payload is assessed to be a derivative of the Shai-Hulud worm put to use by TeamPCP in recent campaigns, introducing largely "cosmetic" changes while keeping the underlying functionality similar. Despite the overlap in tradecraft, the attribution for the latest set of attacks remains unclear, given that TeamPCP has publicly released the Shai-Hulud code. OX Security has since uncovered additional stages in the Miasma attack chain, including searches for GitHub commits containing the string "firedalazer" (replacing the previously flagged "FIRESCALE" dead drop) to retrieve another payload, a JavaScript file ("index.js") that contains an alternative version of the Shai-Hulud worm, effectively transforming the infection into a perpetual loop. In this case, the stolen data is exfiltrated to public GitHub repositories, each carrying the description "Miasma: The Spreading Blight" or "Miasma - The Spreading Blight." It's important to note here that the previous version reads "Miasma: The Spreading Blight," which does not have a space between Miasma and the ":" symbol. There are currently 82 such repositories created on user accounts "0tabek16" and "windy629." 
"The threat actor can dynamically change the 'firedalazer' commits in GitHub, making new versions of the malware, more adaptive and more sophisticated," security researchers Moshe Siman Tov Bustan and Nir Zadok said. "This turns GitHub into something more dangerous than a dead drop. It's an adaptive C2 - one that piggybacks on a trusted, widely whitelisted platform, making network-level detection nearly useless. Most security tools aren't configured to treat GitHub traffic as suspicious. The threat actor knows this."
[8]
Microsoft Open Source Security Breach, Dozens of GitHub Repos Pulled After Malware Discovery
Microsoft has taken several GitHub projects offline after hackers slipped malware into open-source code. The attack may have exposed passwords and other sensitive data used by developers working on AI projects. Microsoft is exposed to a new security risk, as hackers may have managed to place malware inside some of its open-source projects on GitHub. The malicious code is designed to steal passwords and login credentials from developers who use popular AI coding tools. The data breach has drawn major attention because many developers trust and use open-source software every day. When a trusted project is hit by a malware attack, the problem becomes far more complicated. Cybersecurity researchers have already reported the weaknesses to Microsoft, and the tech giant has since moved quickly to remove the affected repositories. Microsoft is also reviewing the extent of the attack.
[9]
Hackers exploit Microsoft open-source software to steal AI developers passwords
The company is investigating the breach and has alerted a small number of impacted users. Microsoft has temporarily taken down dozens of its open-source projects from GitHub after discovering a security incident that may have exposed users to password-stealing malware. The move comes after researchers flagged suspicious code in several Microsoft-owned repositories, many of which are linked to Azure services and tools used by software developers working with AI coding platforms. The malware was reportedly capable of collecting passwords and other sensitive credentials from users who downloaded and opened the affected tools. While the full scale of the incident remains unclear, Microsoft has confirmed that it is investigating the matter and has already contacted a small number of potentially affected customers.

The incident first came to light through reports from security firm Cloudsmith and malware tracking platform OpenSourceMalware. Researchers said hackers appeared to have inserted malicious code into projects hosted on GitHub, the software hosting platform owned by Microsoft. Several of the affected repositories are connected to Azure and developer tools that work alongside popular AI coding applications such as Claude Code, Gemini CLI and Visual Studio Code. According to researchers, users who downloaded and ran the compromised tools risked having passwords and other credentials stolen.

As per a report by 404 Media, Microsoft confirmed that they had temporarily removed a number of repositories while reviewing potentially harmful content. The company said some projects have already been restored after inspection, while others remain offline as the investigation continues. A spokesperson from Microsoft also told TechCrunch: "As part of our investigation, we notified a small number of customers who may have pulled down content from the affected repositories. We will continue to investigate, and if anything further is identified that requires customer action, we will reach out directly through our established support channels."

Reports suggest that at least 70 Microsoft repositories were disabled on GitHub during the response effort. Visitors attempting to access the projects were shown a notice stating that access had been disabled due to a violation of GitHub's terms of service.

The breach has raised concerns about software supply chain attacks, in which hackers target trusted code projects to reach a larger group of users. Such attacks can have a wide impact because developers often use open source software as part of their daily work. The latest incident also follows an earlier compromise involving Microsoft's Durable Task project in May. Researchers believe the new case may be linked to that breach, though it remains unclear whether the attackers regained access or carried out a separate intrusion. Microsoft has not yet shared further technical details.
Microsoft removed 73 GitHub repositories after they were infected with the Miasma worm, a self-replicating credential-stealing malware that activates when developers open projects in AI coding tools. The attack exploited the same compromised credentials from a May breach, raising questions about incomplete credential rotation and highlighting vulnerabilities in the modern software supply chain.
Microsoft GitHub repositories fell victim to a sophisticated supply chain attack last week when 73 projects across Azure, Microsoft, Azure-Samples, and MicrosoftDocs organizations were compromised with credential-stealing malware [1]. GitHub's automated systems flagged and disabled all affected repositories within 105 seconds on June 5, though the platform initially cited only "a violation of GitHub's terms of service" without acknowledging the security breach [2]. This marks the second time in as many months that an official Microsoft repository account has been breached, with the same durabletask package targeted in both incidents [1].
Source: Hacker News
The Miasma malware deployed in this cybersecurity incident represents an evolution in supply chain attacks, specifically engineered to exploit AI coding tools including Claude Code, Gemini CLI, Cursor, and VS Code [5]. The attack began when a compromised contributor account pushed a malicious commit to Azure/durabletask, dropping configuration files that triggered remote code execution the moment a developer opened the repository in an IDE or AI coding agent [2]. The password-stealing malware executes a 28 KB payload that harvests credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations [1]. Once activated, the worm spreads laterally through cloud infrastructures to infect other developer machines, using stolen tokens to commit itself into any repository the victim can write to [5].
The attack has been linked to TeamPCP, a threat actor that recently open-sourced the Mini Shai-Hulud toolkit upon which the Miasma malware is based [1]. However, because TeamPCP released the source code publicly, security researchers cannot definitively confirm whether the group itself executed this attack or if other actors leveraged the toolkit [2]. The original Shai-Hulud worm first appeared in September 2025 as the first self-replicating malware observed in the npm ecosystem, and has since mutated across npm and PyPI platforms, previously compromising 32 Red Hat packages [5]. The software supply chain campaign has also infected packages from TanStack, Mistral AI, and UiPath, with more than 80 public repositories on GitHub carrying the Miasma campaign's naming pattern [5].

What makes this information stealer particularly insidious is that it doesn't exploit software vulnerabilities in GitHub or npm [1]. According to Cloudsmith, the attack exploits the underlying trust model of the modern engineering ecosystem by stealing legitimate maintainer credentials and using them to request valid GitHub OIDC tokens [1]. The malicious builds were published with valid SLSA provenance attestation, causing conventional scanners to see them as routine trusted updates [1]. The Miasma worm generates a uniquely encrypted payload for each individual infection, rendering traditional hash-based indicators of compromise functionally useless for broad detection [1].

The removal of compromised open-source packages caused immediate disruption to development workflows, particularly affecting Azure/functions-action, a GitHub Action used by developers to deploy code to Azure [2]. Every workflow referencing Azure/functions-action@v1 stopped resolving when the repository was taken down, breaking CI/CD pipelines for numerous developers [2]. Microsoft confirmed it "notified a small number of customers who may have pulled down content from the affected repositories" and stated that some repositories have been restored after review while others remain offline pending investigation [4]. The durabletask package on PyPI, which receives 400,000 downloads per month, was previously compromised on May 19 when three malicious versions were uploaded within a 35-minute window [1].
The fact that the same Microsoft GitHub account was compromised twice raises critical questions about credential rotation practices [1]. Security researcher Paul McCarty noted that "when the repo at the root of last month's compromise is the hub of this month's takedown, that is not a coincidence, that is the same wound reopening" [5]. StepSecurity's analysis suggests the re-targeting of durabletask indicates that tokens associated with the compromised developer account used in the PyPI attack were not fully rotated, allowing attackers to push commits to GitHub [2]. Alternative explanations include re-compromise through the worm's own propagation loop or the use of a different contributor's token with altered metadata to disguise the attack [2].

The targeting of AI coding tools represents a notable evolution in supply chain attacks, exploiting behavior patterns that didn't exist a year ago [5]. Developers increasingly rely on tools like Claude Code and Cursor to work with unfamiliar repositories, and the worm activates precisely when an AI agent opens a project [5]. Recent analysis uncovered a newer PyPI wave tied to the broader Mini Shai-Hulud, Miasma, and Hades waves, infecting an additional 23 packages including bioinformatics-related libraries and AI-themed packages [4]. Socket reported that the latest cluster employs new payload delivery mechanisms, including trojanized native .abi3.so extensions that execute the stealer when packages are imported, indicating threat actors are actively experimenting with different methods [4]. Security experts recommend that software developers lock project dependencies, add multi-day time delays to fetch new package updates, and test new builds on isolated environments [3].

Summarized by Navi