Microsoft GitHub Repositories Briefly Compromised in Miasma Supply Chain Attack
Microsoft recently experienced a swift but concerning security incident on GitHub, where 73 repositories across its Azure and Microsoft organizations were temporarily disabled. This disruption stemmed from a supply chain attack, identified as part of the broader Miasma/Shai-Hulud campaign, which aims to steal developer credentials.

On June 5, **Microsoft** removed 73 repositories from its **Azure**, **microsoft**, **Azure-Samples**, and **MicrosoftDocs** organizations on **GitHub**. The incident, contained within 105 seconds, was prompted by the discovery of "potential malicious content" within these repositories.
### The Miasma/Shai-Hulud Connection
Security researchers quickly linked the compromise to an ongoing supply chain campaign known as **Miasma** or **Shai-Hulud**. The campaign targets open-source ecosystems, with a particular focus on stealing developer credentials.
The **OpenSourceMalware** platform noted that the 'durabletask' repository in Microsoft's Azure organization had already been compromised in May, which suggests the earlier cleanup may have been incomplete and allowed the threat actor to return.
### Immediate Impact and Resolution
During the incident, GitHub staff displayed a message indicating the repositories were removed due to a "violation of GitHub's terms of service." A Microsoft representative later clarified that the disabling was due to an "internal management issue" and that an investigation was underway.
The most notable immediate consequence was the disruption of continuous integration pipelines, specifically impacting the 'Azure/functions-action' GitHub Action. Developers relying on this action to deploy **Azure Functions** experienced outages and confusion as workflows failed.
Fortunately, all affected repositories have since been restored and are deemed clean and safe for use. Microsoft has also notified a small number of customers who may have pulled content from the compromised repositories, promising further communication if additional action is required.
### A Broader Campaign
The June 5 incident is not isolated. The Miasma campaign has previously impacted **Red Hat**, compromising 32 of its npm packages. **Cloudsmith**, a software supply chain management company, concluded in a recent report that Microsoft's Azure environment on GitHub and the 'durabletask' repository were targeted via Miasma.
The attack reportedly leveraged a compromised Red Hat employee's GitHub account to inject malicious workflows, requesting **GitHub's OIDC tokens**. This allowed the attacker to pivot from Red Hat's npm packages to Microsoft's GitHub resources.
The **Shai-Hulud** attack, a variant of this campaign, was also recently spotted by **Socket**, targeting 19 science-focused **PyPI** packages through a new delivery mechanism. **StepSecurity** also reported a Shai-Hulud attack impacting **Pythagora-io/gpt-pilot**, a popular open-source AI developer tool.
### Mitigating Supply Chain Risks
In light of these ongoing threats, software developers are strongly advised to enhance their security postures. Key recommendations include:
* **Locking project dependencies:** Pinning dependencies to exact versions prevents a build from silently picking up a newly published malicious release.
* **Implementing multi-day time delays:** Waiting several days before pulling a newly published package version leaves time for it to be reviewed before it enters a build.
* **Testing new builds in isolated environments:** Sandboxing new builds can prevent malicious code from impacting production systems.
These measures are crucial for protecting against the evolving landscape of supply chain attacks targeting open-source ecosystems.
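As an added illustration of the first two recommendations (not code from the article or from any of the projects it mentions), the following Python policy check refuses dependency specs that are not exact pins and refuses pinned versions published less than a configurable number of days ago. It goes one step beyond the list by also flagging GitHub Actions `uses:` references that are not pinned to a full commit SHA, since the incident above disrupted workflows that depended on an action by tag. Every input is constructed: the package names and versions, the publish timestamps standing in for registry metadata, the reference date, and the 40-character SHA placeholder in the workflow fragment.

```python
"""Added example: policy checks for dependency pinning, minimum release age,
and SHA-pinned GitHub Actions. All sample data below is constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: dependency specs as they would appear in a package.json.
SAMPLE_DEPENDENCIES = {
    "left-pad": "1.3.0",      # exact pin, old release: passes
    "lodash": "^4.17.21",     # caret range: would float to a new release
    "example-lib": "2.0.0",   # exact pin, but published the day before NOW
}

# Constructed registry metadata: publish time of each (package, version).
SAMPLE_RELEASE_DATES = {
    ("left-pad", "1.3.0"): "2018-04-01T00:00:00Z",
    ("lodash", "4.17.21"): "2021-02-20T00:00:00Z",
    ("example-lib", "2.0.0"): "2025-06-04T12:00:00Z",
}

# Constructed reference time so the check is deterministic and runs offline.
NOW = datetime(2025, 6, 5, tzinfo=timezone.utc)

# Constructed workflow fragment; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """
jobs:
  deploy:
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      - uses: Azure/functions-action@v1
        with:
          app-name: example-app
"""

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")
USES_LINE = re.compile(r"uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(\S+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def is_pinned(spec: str) -> bool:
    """True only for an exact semver, not a range such as ^1.2.3 or ~1.2.3."""
    return EXACT_VERSION.match(spec) is not None


def release_age_days(name, version, release_dates, now):
    """Days between a version's publish time and `now`; None if unknown."""
    stamp = release_dates.get((name, version))
    if stamp is None:
        return None
    published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return (now - published) / timedelta(days=1)


def check_dependencies(deps, release_dates, now, min_age_days=3):
    """Return (package, reason) findings for specs that violate the policy."""
    findings = []
    for name, spec in deps.items():
        if not is_pinned(spec):
            findings.append((name, f"not pinned to an exact version: {spec}"))
            continue
        age = release_age_days(name, spec, release_dates, now)
        if age is None:
            findings.append((name, f"no release date known for {spec}"))
        elif age < min_age_days:
            findings.append((name, f"{spec} is only {age:.1f} days old"))
    return findings


def check_workflow_uses(workflow_text):
    """Return 'owner/action@ref' for every action not pinned to a full SHA."""
    unpinned = []
    for action, ref in USES_LINE.findall(workflow_text):
        if not FULL_SHA.match(ref):
            unpinned.append(f"{action}@{ref}")
    return unpinned


if __name__ == "__main__":
    for name, reason in check_dependencies(SAMPLE_DEPENDENCIES, SAMPLE_RELEASE_DATES, NOW):
        print(f"dependency {name}: {reason}")
    for entry in check_workflow_uses(SAMPLE_WORKFLOW):
        print(f"workflow: {entry} should be pinned to a commit SHA")
```

Run as a CI gate, a check like this fails the build on the two findings the sample produces (the `lodash` range and the day-old `example-lib` pin) and on the tag-pinned action, which is exactly the class of change that would let a freshly published malicious release or a retagged action enter a pipeline. A real deployment would read the manifest and the registry's publish timestamps instead of the embedded samples; the `min_age_days` threshold is the "multi-day delay" from the list.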