PROBABLYPWNED
Malware | June 8, 2026 | 4 min read

Miasma Worm Spreads to 73 Microsoft GitHub Repos, Forcing Takedowns

Self-replicating Miasma malware compromises 73 Microsoft repositories across Azure, Microsoft, and MicrosoftDocs orgs. GitHub disables access as durabletask package gets reinfected.

James Rivera

The Miasma supply chain worm has compromised 73 Microsoft repositories across four GitHub organizations, forcing GitHub to disable access and raising questions about persistent credential exposure in open-source infrastructure.

GitHub staff locked down affected repositories with notices stating access was "disabled due to a violation of GitHub's terms of service." The takedowns hit repositories across Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations—including high-profile projects like azure-search-openai-demo and multiple durabletask variants.

Reinfection of Previously Compromised Package

The durabletask ecosystem stands out because it was already compromised last month. TeamPCP initially infected the durabletask PyPI package in May 2026, and now the same package family is at the center of the Microsoft repository takedowns.

Security researcher Paul McCarty noted the pattern: "When the repo at the root of last month's compromise is the hub of this month's takedown, that is not a coincidence—that is the same wound reopening."

The reinfection suggests either persistent credential access that wasn't fully revoked, or that the attackers maintained access through a vector that incident responders missed. Either possibility has serious implications for other organizations that believed they'd contained previous Miasma infections.

We covered the initial Miasma attack on Red Hat npm packages earlier this month when 32 packages under the @redhat-cloud-services namespace were compromised. The Microsoft compromise demonstrates the worm's spreading capability—exactly what the malware was designed to do.

How Miasma Operates

Miasma is a self-replicating credential-harvesting worm built on the publicly released Mini Shai-Hulud code base. Once it infects a repository with publishing access to package registries, it:

  1. Harvests developer credentials including SSH keys and API tokens
  2. Steals cloud identities from GCP and Azure environments
  3. Exploits CI/CD pipelines to publish poisoned packages with valid provenance
  4. Propagates downstream through dependency chains

The worm operates entirely within legitimate channels—using valid OIDC tokens, proper GitHub Actions workflows, and authentic SLSA provenance attestations. This makes detection extremely difficult because the malicious activity looks identical to legitimate publishing operations.

Affected Repositories

The 73 disabled repositories span critical Microsoft infrastructure:

  • azure-search-openai-demo - Popular reference implementation for Azure OpenAI
  • durabletask variants (.NET, Go, JS, MSSQL) - Core workflow orchestration libraries
  • functions-container-action - GitHub Action for Azure Functions
  • windows-driver-docs - Windows driver documentation

The breadth of affected repositories suggests attackers had access to credentials with organization-wide scope, or that the worm successfully propagated between repositories through shared dependencies.

Supply Chain Trust Under Pressure

The Miasma campaign exploits a fundamental tension in open-source software: the trust model assumes that authenticated publishing actions are legitimate. When attackers obtain valid credentials and follow proper processes, distinguishing their activity from real developer work becomes nearly impossible.

GitHub's repository disabling is a blunt response, but necessary when the integrity of the publishing chain can't be verified. Organizations depending on these repositories face difficult decisions about whether to trust previously downloaded versions or treat everything as potentially compromised.

For organizations evaluating their supply chain security posture, the VS Code OAuth token theft vulnerability from last week shows another vector for credential compromise. Attackers are increasingly targeting the tools developers use rather than the code itself.

Recommendations

Organizations using affected Microsoft packages should:

  1. Audit installations for any versions published during the compromise window
  2. Pin to known-good versions verified against pre-compromise hashes
  3. Monitor for suspicious behavior in applications using these dependencies
  4. Assume credential exposure if your CI/CD has dependencies on affected packages
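Steps 1 and 2 above, as an added Python example that is not part of the article and not a Microsoft or GitHub tool: it parses a pip hash-pinned lockfile and reports any package that is unpinned, lacks a hash, drifts from a known-good version, or was uploaded inside the compromise window. All package versions, hashes, upload dates and the window itself are constructed placeholders, and the registry metadata lookup is stubbed with an inline dict.

```python
import hashlib
import re
from datetime import date

# pip hash-pinned requirement: "name==version --hash=sha256:<64 hex>"
REQ_RE = re.compile(r"^([\w.-]+)==(\S+)(?:\s+--hash=sha256:([0-9a-f]{64}))?$")

# Constructed stand-in for the last known-good release of each package, as it
# would be recorded from a pre-incident lockfile: (version, sha256 of the wheel).
KNOWN_GOOD = {
    "durabletask": ("1.2.3", hashlib.sha256(b"constructed good wheel").hexdigest()),
}
# Constructed stand-in for registry upload metadata (a real audit would query the
# registry per (name, version)); the window is a placeholder, the article only
# says the package was first infected in May 2026.
UPLOAD_DATES = {("durabletask", "1.2.3"): date(2026, 4, 20),
                ("durabletask", "1.2.4"): date(2026, 5, 15)}
WINDOW = (date(2026, 5, 1), date(2026, 6, 8))

def audit_lockfile(text: str) -> list[str]:
    """One finding per problem: unpinned line, missing hash, hash mismatch,
    drift from the known-good version, or a release uploaded inside WINDOW."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_RE.match(line)
        if not m:  # no "==" pin or unexpected syntax: cannot be verified
            findings.append(f"unpinned or unparsable requirement: {line}")
            continue
        name, version, digest = m.group(1).lower(), m.group(2), m.group(3)
        uploaded = UPLOAD_DATES.get((name, version))
        if uploaded and WINDOW[0] <= uploaded <= WINDOW[1]:
            findings.append(f"{name}=={version} was published inside the compromise window")
        good = KNOWN_GOOD.get(name)
        if good is None:
            continue  # package not in scope of this audit
        if digest is None:
            findings.append(f"{name}=={version} has no --hash pin")
        elif version != good[0]:
            findings.append(f"{name}=={version} differs from known-good {good[0]}")
        elif digest != good[1]:
            findings.append(f"{name}=={version} hash does not match known-good")
    return findings

# Constructed sample lockfile: one line drifted to an in-window release, one unpinned.
SAMPLE_LOCK = """
durabletask==1.2.4 --hash=sha256:%s
requests>=2.0
""" % hashlib.sha256(b"constructed 1.2.4 wheel").hexdigest()
```

With real data, `pip install --require-hashes -r requirements.txt` enforces the same hash pins at install time, so a lockfile that passes this audit also fails closed if a registry serves different bytes later.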

The broader lesson applies to all open-source consumers: supply chain verification needs to go beyond checking signatures. Provenance attestations prove who signed a package, not whether that signing authority was compromised.

Why This Matters

The Microsoft compromise represents Miasma's largest confirmed impact to date. When a self-replicating worm reaches repositories at this scale, the downstream effect through dependency chains could touch thousands of projects that never directly used the compromised packages.

GitHub's quick action in disabling repositories limits further propagation, but damage assessment will take time. The reinfection of durabletask is particularly concerning—it suggests that credential rotation after the first compromise was incomplete, or that attackers maintained persistence that incident responders didn't identify.

For the open-source ecosystem, Miasma is a stress test of trust infrastructure. The worm demonstrates that determined attackers can compromise publishing channels in ways that defeat standard verification mechanisms. Solving this problem will require new approaches to supply chain verification that don't rely solely on credential-based trust.

Microsoft has not yet issued a public statement on the compromise. We'll update this article when more information becomes available about the scope of impact and remediation status.
