Attack on Microsoft’s GitHub Ecosystem
A significant supply chain attack has compromised 73 repositories across four Microsoft GitHub organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. The incidents are linked to the Miasma worm, a self-replicating malware campaign that continues to evolve. GitHub has disabled access to the affected repositories; visitors now see a notice stating that the repositories violated GitHub's terms of service.
Among the impacted repositories are several critical Microsoft projects, including azure-search-openai-demo, multiple durabletask implementations (for .NET, Go, Java, JavaScript, and MSSQL), functions-container-action, and windows-driver-docs. The breadth of the compromise suggests the attackers gained access to credentials that allowed them to spread across interconnected projects.
Continuous Evolution and Re-Compromise
A particularly concerning aspect of this campaign is the re-compromise of the durabletask PyPI package. This package had been infected just one month earlier by a group known as TeamPCP to deliver an information stealer on Linux systems. Security researcher Paul McCarty noted that when the repository at the root of last month’s compromise becomes the hub of this month’s takedown, it indicates the same security gap remains open.
The Miasma worm is believed to be a variant of the Mini Shai-Hulud worm that TeamPCP released publicly in mid-May 2026. Since then, it has continued to mutate and refine its tactics, infecting additional packages and creating new public repositories containing stolen secrets under descriptions like “Miasma: The Spreading Blight.” The incident highlights the persistent threat of credential theft in software supply chain attacks.
Source: The Hacker News