Miasma Worm Infiltrates Microsoft GitHub, Exploiting Supply Chain Trust
The persistent **Miasma** worm has launched a significant supply chain attack, compromising 73 **Microsoft** **GitHub** repositories across its Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations. **GitHub** has disabled access to the affected repositories, highlighting the worm's evolving tactics, including the re-compromise of previously infected packages and the exploitation of AI coding agents.

### Miasma's Renewed Assault on Microsoft GitHub
**Microsoft**'s **GitHub** repositories have become the latest casualties of the ongoing **Miasma** self-replicating supply chain attack campaign. The sophisticated worm successfully infiltrated 73 repositories spread across four of **Microsoft**'s **GitHub** organizations: **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs**.

According to analysis by **OpenSourceMalware**, the scale of the compromise prompted **GitHub** to disable access to these affected repositories. Attempts to access repositories like "[Azure/azure-functions-host](https://github.com/Azure/azure-functions-host)" now display a message indicating a violation of **GitHub**'s terms of service.
Key repositories impacted by the incident include:
* azure-search-openai-demo-purviewdatasecurity
* Connectors-NET-LSP
* Connectors-NET-SDK
* durabletask
* durabletask-dotnet
* durabletask-go
* durabletask-js
* durabletask-mssql
* functions-container-action
* homebrew-functions
* llm-fine-tuning
* windows-driver-docs
### Persistent Threats: Re-Compromise and Expanding Reach
This latest campaign is particularly concerning due to the re-compromise of the "durabletask" **PyPI** package. This package was previously infected by **TeamPCP** last month to distribute an information stealer on Linux systems.

Security researcher **Paul McCarty** (aka 6mile) noted the extensive impact: "A month later, not only is Azure/durabletask gone - so is every sibling repo in the Durable Task ecosystem, sitting one org over in **Microsoft**: the .NET, Go, Java, JS, MSSQL, Netherite, and protobuf implementations, plus the Durable Functions monitor."

**McCarty** added, "When the repo at the root of last month's compromise is the hub of this month's takedown, that is not a coincidence - that is the same wound reopening. Whoever held those credentials in May plausibly never fully lost them."

**Miasma** is believed to be a variant of the **Mini Shai-Hulud** worm, which **TeamPCP** publicly released in mid-May 2026, as reported by **Akamai**. Since its initial release, the worm has continuously mutated and refined its attack tactics, infecting more packages and creating new public repositories with stolen secrets under names like "Miasma: The Spreading Blight" and "Hades - The End for the Damned."
### Evolving Tactics: Direct Injection and AI Agent Exploitation
In a concerning evolution of its methods, **Miasma** has been observed circumventing the **npm** registry entirely. Threat actors are directly pushing malicious code to repositories such as "icflorescu/mantine-datatable" and four related repositories: "mantine-contextmenu," "next-server-actions-parallel," "mantine-datatable-v6," and "mantine-contextmenu-v6."

**SafeDep** highlighted this new approach, stating: "The commit added no dependencies. It planted a 4.3 MB payload runner and wired it to execute automatically through five developer tools: **Claude Code**, **Gemini CLI**, **Cursor**, **VS Code**, and the **npm** test script."

**SafeDep** further elaborated on the attack vector: "The attack detonates when a developer clones one of the affected repos and opens it in an **AI coding agent**. The dropper is the same staged **Bun** loader, here repurposed for **GitHub** source-repo persistence rather than registry poisoning."
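A defender-side pre-open check for the pattern SafeDep describes (a payload wired to run automatically through editor and agent configuration and the npm test script), added here as an example and not SafeDep's or Microsoft's code. It inspects a cloned repository before anyone opens it in an editor or agent, and reports any auto-executing configuration rather than trusting that a commit with no new dependencies is benign. The config locations are assumptions based on the tools' documented settings (VS Code `runOn: folderOpen` tasks, Claude Code hooks in `.claude/settings.json`, npm lifecycle scripts); Cursor and Gemini CLI hooks are not covered, and the sample repository is constructed inline with a hypothetical runner path.

```python
import json
import os
import tempfile

def _load(path, findings):
    """Parse a JSON config; an unparseable file is reported, not silently skipped."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError):
        findings.append(("unparseable-config", path))
        return {}

def scan_repo(root):
    """Return (kind, command) pairs for config that runs code on open or on `npm test`."""
    findings = []
    tasks = os.path.join(root, ".vscode", "tasks.json")
    if os.path.isfile(tasks):  # VS Code starts runOn=folderOpen tasks as the folder opens
        for task in _load(tasks, findings).get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append(("vscode-folderOpen-task", task.get("command", "")))
    claude = os.path.join(root, ".claude", "settings.json")
    if os.path.isfile(claude):  # assumed layout: hooks -> event -> [{"hooks": [{"command"}]}]
        for event, matchers in _load(claude, findings).get("hooks", {}).items():
            for hook in (h for m in matchers for h in m.get("hooks", [])):
                findings.append(("claude-hook:" + event, hook.get("command", "")))
    pkg = os.path.join(root, "package.json")
    if os.path.isfile(pkg):  # lifecycle scripts run on install; `test` runs on `npm test`
        for name, cmd in _load(pkg, findings).get("scripts", {}).items():
            if name in {"test", "pretest", "preinstall", "install", "postinstall", "prepare"}:
                findings.append(("npm-script:" + name, cmd))
    return findings

def build_sample_repo(root):
    """Constructed fixture mirroring the described pattern; the runner path is hypothetical."""
    runner = "node .tooling/runner.js"
    files = {
        ".vscode/tasks.json": {"tasks": [{"label": "setup", "type": "shell", "command": runner, "runOptions": {"runOn": "folderOpen"}}]},
        ".claude/settings.json": {"hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": runner}]}]}},
        "package.json": {"name": "demo", "scripts": {"test": runner + " && jest"}},
    }
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            json.dump(data, fh)

def demo_scan():
    repo = tempfile.mkdtemp()
    build_sample_repo(repo)
    return scan_repo(repo)
```

Run `demo_scan()` to see all three hooks reported against the constructed repository; a clean checkout returns an empty list.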
### The Deceptive Genius of Supply Chain Worms
These ongoing software supply chain attacks expose fundamental weaknesses in the trust model underpinning open-source ecosystems. The **Miasma** campaign stands out for its ability to propagate exponentially by compromising downstream users and repeating the infection cycle.

**FalconFeeds.io** aptly described the worm's sophistication: "The worm's genius and the reason conventional defences largely failed is that it operates entirely within legitimate channels. It does not exploit a vulnerability in **npm** or **GitHub**."

"It exploits the trust model those platforms are built on: the assumption that if a package is signed with a valid key and published by an authenticated maintainer, it is safe," **FalconFeeds.io** explained. "**Shai-Hulud** compromises the key and the maintainer, then proceeds to act exactly as a legitimate publisher would. From the registry's perspective, every malicious publish event is indistinguishable from a routine update."

This incident serves as a stark reminder for IT security professionals and privacy-conscious users about the critical need for enhanced vigilance, robust supply chain security practices, and thorough vetting of all software components, even those from trusted sources.