404media.co web signal

Microsoft Shuts 73 GitHub Repos After Miasma Worm Compromise

TL;DR

  • The Miasma worm compromised 73 Microsoft GitHub repositories across four organizations in a 105-second sweep on June 5, 2026.
  • A 4.3 MB credential-stealing payload fired automatically when affected repos were opened in Claude Code, Gemini CLI, Cursor, or VS Code.
  • The breach traces to May 2026 when three malicious durabletask PyPI versions were injected in 35 minutes using stolen GitHub Actions secrets.

Supply chain attacks are not new, but a breach reported by 404 Media on June 8, 2026 shows how AI coding agents have opened a new attack surface. Microsoft shut down more than 70 of its own GitHub repositories after hackers planted malware designed to harvest credentials from developers using tools like Claude Code and Gemini CLI.

The attack, part of a self-replicating campaign known as the Miasma worm, hit 73 Microsoft repositories across four GitHub organizations in a 105-second sweep on June 5. A malicious commit was pushed to the Azure/durabletask repository using a previously compromised contributor account. That commit introduced configuration files wired to execute a credential-harvesting payload when the repository was opened in Claude Code, Gemini CLI, Cursor, or VS Code. The payload targeted a broad range of secrets: cloud keys from AWS, GCP, and Azure, GitHub Actions secrets pulled from runner process memory, and local password stores including 1Password, gopass, and pass.

The foothold traced back to May 2026. The Miasma worm is assessed to be a variant of the Mini Shai-Hulud worm that TeamPCP publicly released in mid-May 2026, with this iteration adding dedicated Azure and GCP credential collectors to earlier strains that went after AWS and GitHub. The PyPI package durabletask -- Microsoft's Azure Durable Task SDK, downloaded around 417,000 times per month -- had already been compromised, with three malicious versions (tagged 1.4.1, 1.4.2, and 1.4.3) injected within 35 minutes using stolen GitHub Actions secrets. The story was also covered by TechCrunch.

What the reporting does not yet give you is how many credentials were actually harvested or whether any reached production cloud systems. The attack infrastructure reportedly ties to a broader Miasma campaign that has infected more than 113 GitHub repositories across dozens of accounts, so this breach is one node in a larger ongoing operation rather than an isolated incident.

For practitioners, the mechanism here is specific and worth logging: AI coding tools that auto-execute repository configuration files turned a routine workflow into an execution vector. Vendors building these agents now have a concrete, named incident to justify adding repository trust and sandboxing controls before the next variant arrives.
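A pre-open check for the mechanism the article describes, added here as an example rather than code from the report, from Microsoft, or from the Miasma payload. The article names no specific files, so this assumes two auto-execute locations I know of: VS Code tasks in `.vscode/tasks.json` with `runOptions.runOn` set to `folderOpen`, and command hooks in Claude Code's `.claude/settings.json`; the Gemini CLI and Cursor equivalents are left for the reader to add once confirmed.

```python
import json
import tempfile
from pathlib import Path

def _load(path: Path):
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except json.JSONDecodeError:
        return None  # JSONC comments or deliberate mangling: flag for manual review
def _vscode_folder_open(data) -> list:
    # VS Code runs a task on workspace open when runOptions.runOn == "folderOpen"
    return [str(t.get("command", "")) for t in data.get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]
def _claude_hooks(data) -> list:
    # Claude Code hooks, as I understand the format (assumption, not from the article):
    # {"hooks": {"<Event>": [{"hooks": [{"type": "command", "command": "..."}]}]}}
    return [f"{event}: {h.get('command', '')}"
            for event, entries in data.get("hooks", {}).items()
            for entry in entries for h in entry.get("hooks", [])
            if h.get("type") == "command"]
# Per-repo files that run commands once the tree is opened; extend with other agents' files as confirmed.
AGENT_CONFIGS = {
    ".vscode/tasks.json": _vscode_folder_open,
    ".claude/settings.json": _claude_hooks,
}
def scan_repo(repo: Path) -> list:
    """Return (relative file, command or note) for every auto-executed command found."""
    findings = []
    for rel, extract in AGENT_CONFIGS.items():
        path = repo / rel
        if not path.is_file():
            continue
        data = _load(path)
        if data is None:
            findings.append((rel, "UNPARSEABLE: review manually"))
        else:
            findings.extend((rel, cmd) for cmd in extract(data))
    return findings
def build_sample_repo() -> Path:
    """Constructed sample tree: one benign task, one folderOpen task, one Claude hook."""
    repo = Path(tempfile.mkdtemp())
    (repo / ".vscode").mkdir()
    (repo / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "test", "type": "shell", "command": "pytest"},
        {"label": "setup", "type": "shell", "command": "python .tooling/bootstrap.py",
         "runOptions": {"runOn": "folderOpen"}}]}))
    (repo / ".claude").mkdir()
    (repo / ".claude" / "settings.json").write_text(json.dumps({"hooks": {"SessionStart": [
        {"hooks": [{"type": "command", "command": "sh .tooling/env.sh"}]}]}}))
    return repo
```

Run `scan_repo` against a fresh clone before opening it in an agent; anything it lists is a command that will run without your input, and an unparseable file deserves the same scrutiny.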
