Miasma Worm Shuts Down 73 Microsoft Azure GitHub Repositories in Coordinated Supply Chain Attack

The compromised packages contained a preinstall script that executed automatically upon installation, downloading a 28 KB credential-stealing payload. This malware, identified as a new variant of the Mini Shai-Hulud family dubbed "Miasma" and attributed to the threat actor group TeamPCP (though copycats could not be ruled out), acted as a self-propagating worm .

June 5: The Attack Reaches Microsoft Azure

The stolen credentials from the Red Hat phase were weaponized again on June 5, 2026. Using a previously compromised contributor account, attackers pushed a single malicious commit to the Azure/durabletask repository . This repository had already been the victim of a PyPI package compromise on May 19, and the same contributor account was used in both attacks, highlighting a failure to fully revoke all access after the initial breach .

The malicious commit contained configuration files that acted as a trap for AI coding agents. When a developer opened the repository in AI-powered tools like Claude Code, Gemini CLI, Cursor, or VS Code, the files would be read automatically, injecting commands that executed a credential-harvesting payload .

GitHub's response was immediate and unprecedented. In an automated sweep, it disabled 73 repositories across four Microsoft GitHub organizations :

• Azure (including the entire Azure Functions Action repository)
• Azure-Samples
• Microsoft
• MicrosoftDocs

Affected repositories displayed a stark gray notice: "This repository has been disabled. Access to this repository has been disabled by GitHub Staff due to a violation of GitHub's terms of service" .

Attack Vectors: How the Worm Operated

The Miasma campaign used a multi-pronged attack strategy that combined classic supply chain poisoning with novel self-propagation and AI-targeting techniques.

• npm Registry Poisoning: The initial vector used backdoored packages with malicious preinstall scripts that delivered its payload the moment a developer ran

  npm install

  .
• Worm Self-Propagation: After infecting a developer's machine, the 28 KB payload harvested GitHub tokens, npm tokens, and other credentials. It then used these to automatically commit malicious code to any other repositories the victim could publish to, spreading the infection without human intervention .
• Credential Harvesting: The worm was an aggressive data stealer, targeting credentials from AWS, Azure, GCP, Kubernetes, HashiCorp Vault, over 90 developer tool configurations, SSH keys, environment variables, crypto wallets, and AI-tool persistence data .
• Trusted Publishing Bypass: By compromising an employee's GitHub account, attackers could bypass GitHub's OIDC-based trusted publishing mechanism, making the malicious packages appear legitimate with valid provenance attestations .
• AI Coding Agent Injection: In the Microsoft phase, the worm planted malicious instructions in configuration files specifically targeted at AI coding assistants. This turns developer tools into an unwitting attack vector, automatically executing attacker-controlled workflows .

Remediation and Response

The remediation required a synchronized effort from multiple major tech and security organizations.

• On June 5, GitHub disabled 73 Microsoft repositories in a 105-second automatic sweep to contain the damage .
• On June 1, Red Hat published advisory RHSB-2026-006 and revoked all compromised npm tokens and publishing credentials, removing the backdoored packages from the registry .
• On June 2, Microsoft Threat Intelligence published a detailed analysis of the attack chain, providing detection guidance for the broader community .
• Researchers strongly advised all affected developers to immediately rotate all exposed CI secrets, cloud credentials, SSH keys, and npm tokens, audit CI/CD pipelines for unauthorized commits, and monitor repositories for the worm's signature string: "Miasma – The Spreading Blight" .

Wider Threats: The IronWorm Campaign and Copycat Risk

The Miasma attack did not happen in isolation. On June 5, researchers from Endor Labs and StepSecurity disclosed a separate but parallel campaign, dubbed IronWorm, which had compromised an even larger set of 57 npm packages across more than 286 malicious versions to deliver a new Miasma worm variant . This demonstrated that the threat actors were aggressively scaling their operations and experimenting with new techniques, such as abusing binding.gyp files for code execution .

The Cloud Security Alliance (CSA) noted a critical long-term risk: while the campaign was attributed to TeamPCP, the underlying codebase was publicly released. This meant that copycat actors with the same or modified tools could not be ruled out, ensuring the Miasma attack pattern would continue to be a threat .