The Hacker News web signal

GitHub Disables 73 Microsoft Repos After Miasma Worm

5 sources tracking this story
microsoft cybersecurity agents coding tools supply-chain-attack ai-security

Key insights

  • GitHub's automated abuse detection cleared all 73 repos in 105 seconds across two discrete waves, but stolen credentials had already sat in active stealer logs for 48 days before weaponization.
  • Microsoft's security team documented four obfuscation layers — ROT-XX Caesar cipher, AES-128-GCM, Obfuscator.io string arrays, and PBKDF2-HMAC-SHA-256 at 200,000 iterations — plus SLSA provenance forgery to sign malicious packages with authentic-looking attestations.
  • The worm changed delivery mechanism three times across the campaign: npm preinstall hooks, Python .pth startup files, and finally IDE configuration files executed on repo open.

Why this matters

The Miasma/Shai-Hulud campaign against 73 Microsoft GitHub repos is documented across independent forensic, first-party, and ecosystem-monitoring sources as a deliberate multi-stage operation that moved laterally across PyPI, npm, and GitHub configuration files before reaching Azure/functions-action. Microsoft's own security team traced the Red Hat npm compromise that seeded the TeamPCP account used for the GitHub escalation, while Socket tracked the parallel PyPI wave adapting the same worm to Python startup hooks — establishing that three distinct package ecosystems were compromised in sequence, not in parallel accidents. StepSecurity's two-wave takedown timestamp (39 repos in 38 seconds, then 34 repos in 11 seconds) confirms automated detection fired at machine speed, yet credential logs show a 48-day staging window preceding that response. The attack's use of IDE-triggered repository config files means the delivery vector is now repository-open, not package-install, extending exposure to any developer whose editor processed an affected repo.

Summary

GitHub pulled 73 repositories across Azure, Azure-Samples, Microsoft, and MicrosoftDocs after the Miasma worm spread via authenticated maintainer accounts and valid keys. Miasma's 4.3 MB payload fires automatically in Claude Code, Gemini CLI, Cursor, VS Code, and npm scripts when a developer opens an infected repo. Essentially: (TeamPCP, Microsoft) the May 2026 durabletask PyPI attacker is back. Researcher Paul McCarty: "the same wound reopening." - Stolen secrets published to 82 repos tagged "Miasma: The Spreading Blight" and 13 under "Hades - The End for the Damned." - Named repos include azure-search-openai-demo-purviewdatasecurity, llm-fine-tuning, and durabletask (dotnet/Go/JS/MSSQL). Payload delivery via trusted developer tools marks an escalation from registry-level poisoning.

Potential risks and opportunities

Risks

  • Developers who opened any of the 73 disabled repositories in Claude Code, Gemini CLI, Cursor, or VS Code may have active credential exposure without awareness.
  • TeamPCP's confirmed re-access to durabletask after initial May 2026 cleanup suggests other PyPI packages in the same ecosystem could be re-compromised within weeks.
  • Stolen secrets published across 82 'Miasma: The Spreading Blight' repositories may still be live and accessible, representing an ongoing exfiltration risk for affected organizations.

Opportunities

  • Supply chain security vendors offering continuous repo-integrity scanning are positioned to capture new budget from Azure and MicrosoftDocs teams directly citing this incident.
  • Developer tool vendors behind Claude Code, Gemini CLI, Cursor, and VS Code face immediate demand for workspace-level sandboxing that prevents auto-executing payloads on repo open.
  • GitHub can use this incident to accelerate mandatory signing-key rotation policies and anomalous-push detection for large organizations like Azure and MicrosoftDocs on its platform.

What we don't know yet

  • Whether the 82 repos tagged 'Miasma: The Spreading Blight' have been fully audited and taken down by GitHub, or whether harvested secrets remain publicly accessible.
  • What specific secrets were extracted from the 73 disabled repositories and whether any developer tokens or API keys obtained remain active.
  • How TeamPCP maintained access to the durabletask ecosystem between the May 2026 and June 2026 compromises without triggering any detection or alerts.

What others are reporting

Coverage cluster as of 24h after publish

  1. Microsoft Security Blog Read →

    Microsoft's own team traced the upstream Red Hat npm compromise that seeded TeamPCP's account; documents ROT-XX, AES-128-GCM, and SLSA provenance forgery used to evade detection.

    The malware downloaded the Bun JavaScript runtime and launched a secondary payload to harvest credentials from GitHub, npm, AWS, Azure, GCP, Kubernetes, and developer systems.
  2. StepSecurity Read →

    Granular two-wave takedown timestamps (39 repos in 38s, then 34 in 11s) and direct evidence connecting the June 5 GitHub incident to the May 19 PyPI attack via the same compromised contributor account.

    The attack planted configuration files that execute a credential-harvesting payload when a developer opens the repository in Claude Code, Gemini CLI, Cursor, or VS Code.
  3. Rescana Read →

    MITRE ATT&CK mapping (T1078, T1059.007, T1562.001) with explicit victim scoping across Azure, Microsoft, and MicrosoftDocs orgs; links incident to TeamPCP with medium-confidence attribution.

    The worm harvested credentials for cloud platforms and developer tools, then used those credentials to propagate itself.
  4. Socket Read →

    Documents the worm adapting from npm install hooks to Python .pth startup files across 19 bioinformatics packages, establishing the PyPI wave as a discrete escalation step before the GitHub compromise.

    37 malicious PyPI wheels that abuse Python startup hooks to launch a Bun-powered credential stealer

Originally reported by The Hacker News

Read the original article →

Original headline: Miasma Worm Escalates to Microsoft GitHub — 73 Azure and SDK Repos Disabled After AI Coding Tool Credential Harvesting