{"id":4278,"date":"2026-06-09T07:48:49","date_gmt":"2026-06-09T07:48:49","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/09\/github-takes-down-73-microsoft-repos-after-miasma-worm-attack\/"},"modified":"2026-06-09T07:48:49","modified_gmt":"2026-06-09T07:48:49","slug":"github-takes-down-73-microsoft-repos-after-miasma-worm-attack","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/09\/github-takes-down-73-microsoft-repos-after-miasma-worm-attack\/","title":{"rendered":"GitHub Takes Down 73 Microsoft Repos After Miasma Worm Attack"},"content":{"rendered":"<div><img data-opt-id=378893306  fetchpriority=\"high\" decoding=\"async\" width=\"770\" height=\"330\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2026\/06\/Untitled-design-45.jpg\" class=\"attachment-large size-large wp-post-image\" alt=\"\" \/><\/div>\n<p><span>The software supply chain took another hit last week. On June 5, GitHub disabled 73 Microsoft-owned repositories after the Miasma worm infiltrated projects across four organizations: Azure, Azure-Samples, Microsoft and MicrosoftDocs.<\/span><\/p>\n<p><span>GitHub\u2019s automated systems triggered the takedown within 105 seconds of detecting the infection \u2014 a fast response, but the damage was already done. The attack began when a malicious commit was pushed to the Azure\/durabletask repository using a previously compromised contributor account. The commit planted configuration files that execute a credential-harvesting payload when a developer opens the repository in an IDE or AI coding tool.<\/span><\/p>\n<p><span>That last detail is worth paying attention to. 
The affected tools include Claude Code, Gemini CLI, Cursor and VS Code \u2014 tools that millions of developers use every day. Just opening a repository in a trusted environment was enough to trigger the payload.<\/span><\/p>\n<h3><span>A Worm With History<\/span><\/h3>\n<p><span>Miasma is a variant of the Mini Shai-Hulud worm that a group called TeamPCP publicly released in mid-May 2026. The original Shai-Hulud appeared in September 2025 as the first self-replicating malware observed in the npm ecosystem. Since then, it has mutated across npm and PyPI, previously compromising 32 Red Hat packages and affecting packages from TanStack, Mistral AI and UiPath.<\/span><\/p>\n<p><span>This wasn\u2019t a random attack on Microsoft. The same compromised contributor account was used in both the May PyPI attack and the June GitHub incident, and the payloads are highly similar. Someone picked a target and came back for a second round.<\/span><\/p>\n<p><span>Among the disabled repositories are notable projects including azure-search-openai-demo, the durabletask library and its .NET, Go, Java, JavaScript and MSSQL implementations, functions-container-action, llm-fine-tuning, and windows-driver-docs. These aren\u2019t obscure side projects. They are infrastructure that development teams depend on.<\/span><\/p>\n<h3><span>The Real Problem: The Developer Environment is Now an Attack Surface<\/span><\/h3>\n<p><span>Traditional supply chain attacks focus on packages \u2014 something gets installed, and the malicious code runs. Miasma works differently. The immediate blast radius was not cloud infrastructure itself, but the software factory around it: GitHub Actions workflows, Azure Functions tooling, Durable Task libraries, and developer machines.<\/span><\/p>\n<p><span>Instead of relying on traditional package installation hooks, Miasma targets the developer\u2019s local environment. 
It abuses legitimate auto-run, hook, and rule engines within modern IDEs and AI coding assistants to execute its payload.<\/span><\/p>\n<p><span>That is a meaningful shift. Mitch Ashley, VP and practice lead for software lifecycle engineering and AI-native software engineering at<a href=\"https:\/\/futurumgroup.com\/\" target=\"_blank\" rel=\"noopener\"> The Futurum Group<\/a>, put it plainly: \u201cSoftware\u2019s trust boundary has moved from the installed package to the act of opening code in a tool. Miasma weaponizes the auto-run and hook engines that make IDEs and AI coding agents productive, turning the developer environment into an execution surface.\u201d<\/span><\/p>\n<p><span>Ashley doesn\u2019t stop at the diagnosis. \u201cOpening a trusted repository is no longer a safe, read-only act. Engineering teams now have to govern what their coding tools may auto-execute and how far the credentials they hold can travel once one account is compromised.\u201d<\/span><\/p>\n<h3><span>What Comes Next<\/span><\/h3>\n<p><span>The attack harvested credentials for cloud platforms and developer tools, then used them to propagate to additional repositories. That self-replicating behavior is what makes Miasma different from a typical compromise. It doesn\u2019t wait to be discovered \u2014 it moves.<\/span><\/p>\n<p><span>For security and DevOps teams, this incident reinforces something that has been true for a while but is harder to ignore now: the people writing your software are targets, not just the software itself. A compromised developer account or a stolen personal access token can do just as much damage as a vulnerability in production code.<\/span><\/p>\n<p><span>Microsoft and GitHub sit at the center of the developer trust economy. 
The Miasma attack is a reminder that even that center is now exposed to attacks that behave less like traditional intrusions and more like contagion.<\/span><\/p>\n<p><span>The containment in this case was fast \u2014 105 seconds is genuinely impressive. But the downstream impact on teams relying on those 73 repositories is still being assessed. And the bigger question isn\u2019t how quickly GitHub can respond. It\u2019s how organizations can build development pipelines that don\u2019t treat trusted sources as unconditionally safe.<\/span><\/p>\n<p><span>That work starts with visibility. Teams need to know what\u2019s in their dependency chains, who has access to their repositories, and what happens when code gets opened in an IDE. The Miasma attack showed that the threat model for software development has expanded. Security teams need to expand with it.<\/span><\/p>\n<p><a href=\"https:\/\/devops.com\/github-takes-down-73-microsoft-repos-after-miasma-worm-attack\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>The software supply chain took another hit last week. 
On June 5, GitHub disabled 73 Microsoft-owned repositories after the Miasma [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4279,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5],"tags":[],"class_list":["post-4278","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=4278"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4278\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/4279"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=4278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=4278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=4278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}