Microsoft GitHub Repositories Hit by Miasma Supply Chain Attack, Dozens of Projects Disabled

A large-scale software supply chain attack campaign known as “Miasma” has reportedly compromised dozens of Microsoft-related GitHub repositories, prompting GitHub to disable access to affected projects while investigations continue.

According to security researchers, the incident impacted 73 repositories spread across multiple Microsoft GitHub organizations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs. The event marks one of the most significant developments in an ongoing campaign that has increasingly targeted open-source software ecosystems.

GitHub Disables Affected Microsoft Repositories

Users attempting to access several impacted repositories are now met with a GitHub notice stating that access has been disabled due to violations of the platform’s terms of service.

Among the projects reportedly affected are several widely used development resources and frameworks, including:

  • durabletask
  • durabletask-dotnet
  • durabletask-go
  • durabletask-js
  • durabletask-mssql
  • functions-container-action
  • homebrew-functions
  • llm-fine-tuning
  • windows-driver-docs
  • Connectors-NET-SDK
  • Connectors-NET-LSP

The breadth of the takedowns has raised concerns across the developer community, particularly because many of the repositories are linked to Microsoft’s cloud and serverless computing ecosystem.

Durable Task Ecosystem Appears to Be a Key Target

Security researchers have highlighted the re-compromise of the “durabletask” package as a significant development in the attack chain.

The package was previously infected during a separate incident last month involving the TeamPCP threat group, which used compromised packages to distribute information-stealing malware targeting Linux systems.

Researchers now believe that credentials compromised during the earlier breach may not have been fully revoked or secured, potentially allowing attackers to regain access and expand their reach into related repositories across the Durable Task ecosystem.

The affected projects reportedly include Durable Task implementations for .NET, JavaScript, Go, and MSSQL, among other platforms, suggesting a broad impact across multiple development environments.

Miasma: The Evolution of a Self-Replicating Supply Chain Worm

Miasma is believed to be a modified version of the Mini Shai-Hulud worm, a self-propagating malware framework publicly released by TeamPCP in May 2026.

Since its initial appearance, the malware has continued to evolve, adopting new propagation methods and targeting additional repositories across open-source platforms.

Researchers have identified numerous attacker-controlled repositories using names such as:

  • Miasma: The Spreading Blight
  • Miasma – The Spreading Blight
  • Hades – The End for the Damned

These repositories are reportedly being used to store stolen credentials and facilitate further infections across developer environments.

Attackers Shift Beyond Package Registries

One of the more concerning developments is the attackers’ move beyond traditional package registries such as npm and PyPI.

Instead of relying solely on poisoned package updates, threat actors have reportedly pushed malicious code directly into GitHub repositories. Researchers identified several projects where attackers embedded payloads designed to execute automatically through popular developer tools and AI-assisted coding environments.

The malicious code reportedly integrates with platforms including:

  • Claude Code
  • Gemini CLI
  • Cursor
  • Visual Studio Code
  • npm test workflows

This strategy allows the malware to activate when developers clone a repository and begin working with the codebase, creating new opportunities for infection without requiring package installation from a registry.
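The activation path described above (code that runs when a developer opens, installs or tests a freshly cloned repository) can be checked for before anyone runs the project. The script below is an added example and is not code from the article or from any of the projects it names. It inspects a checkout for the file locations a defender would review: npm lifecycle scripts in package.json (`preinstall`, `postinstall`, `prepare`, `test` and their siblings, which npm really runs on `npm install` and `npm test`), VS Code tasks with `runOptions.runOn: "folderOpen"` (a real VS Code feature), and config files for the AI coding tools the article lists; the paths `.vscode/mcp.json`, `.cursor/mcp.json`, `.claude/settings.json` and `.gemini/settings.json` and the `command` key they are searched for are assumptions about where such tools keep executable entries, not a complete inventory. The demo repository it builds contains constructed sample files only.

```python
"""Scan a checked-out repository for files that can execute code
automatically when the folder is opened, dependencies are installed
or tests are run. Added example; the tool config paths are assumed."""
import json
import os
import tempfile
from dataclasses import dataclass

# npm lifecycle scripts that run without the developer naming them explicitly
NPM_AUTO_SCRIPTS = {"preinstall", "install", "postinstall", "prepare",
                    "pretest", "test", "posttest"}

# Assumed locations of AI-tool / MCP configuration that may hold shell commands
AGENT_CONFIGS = [".vscode/mcp.json", ".cursor/mcp.json",
                 ".claude/settings.json", ".gemini/settings.json"]


@dataclass
class Finding:
    path: str
    reason: str


def _load_json(path):
    """Return parsed JSON or None if the file is absent or malformed."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return None


def _walk(obj, trail=""):
    """Yield (dotted key path, leaf value) for every leaf in nested JSON."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _walk(val, f"{trail}.{key}" if trail else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _walk(val, f"{trail}[{idx}]")
    else:
        yield trail, obj


def scan_repo(root):
    """Return a list of Finding objects for auto-execution surfaces under root."""
    findings = []

    pkg = _load_json(os.path.join(root, "package.json"))
    if isinstance(pkg, dict):
        for name, cmd in (pkg.get("scripts") or {}).items():
            if name in NPM_AUTO_SCRIPTS:
                findings.append(Finding("package.json",
                                        f"lifecycle script '{name}': {cmd}"))

    tasks = _load_json(os.path.join(root, ".vscode", "tasks.json"))
    if isinstance(tasks, dict):
        for task in tasks.get("tasks") or []:
            if not isinstance(task, dict):
                continue
            if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                findings.append(Finding(".vscode/tasks.json",
                                        f"task '{task.get('label')}' runs on folder "
                                        f"open: {task.get('command')}"))

    for rel in AGENT_CONFIGS:
        cfg = _load_json(os.path.join(root, rel))
        if cfg is None:
            continue
        # Any leaf key named "command" is a process the tool may spawn
        for key_path, value in _walk(cfg):
            if key_path.rsplit(".", 1)[-1] == "command":
                findings.append(Finding(rel, f"{key_path} = {value!r}"))
    return findings


def build_demo_repo():
    """Create a throwaway checkout with constructed sample files (no real payloads)."""
    root = tempfile.mkdtemp(prefix="repo-scan-demo-")
    files = {
        "package.json": {"name": "demo", "scripts": {
            "build": "tsc", "postinstall": "node setup.js", "test": "node run-tests.js"}},
        ".vscode/tasks.json": {"version": "2.0.0", "tasks": [{
            "label": "bootstrap", "type": "shell", "command": "./bootstrap.sh",
            "runOptions": {"runOn": "folderOpen"}}]},
        ".claude/settings.json": {"hooks": {"PostToolUse": [{
            "matcher": "Write", "hooks": [{"type": "command", "command": "./notify.sh"}]}]}},
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(content, fh)
    return root


if __name__ == "__main__":
    for f in scan_repo(build_demo_repo()):
        print(f"{f.path}: {f.reason}")
```

Run it against a real checkout with `scan_repo("/path/to/clone")` before opening the folder in an editor; a `build` script is left alone because nothing runs it implicitly, while `postinstall`, `test`, a folder-open task and a hook command are each reported.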

Why the Miasma Campaign Is So Effective

Unlike traditional cyberattacks that exploit software vulnerabilities, Miasma targets the trust relationships that underpin modern software development.

The campaign abuses legitimate maintainer accounts and valid publishing credentials to distribute malicious updates. Because the activity originates from authenticated developers and trusted repositories, security systems often struggle to distinguish malicious actions from routine software releases.

This makes the attack particularly dangerous for organizations that rely heavily on automated dependency management and continuous integration pipelines.

A Growing Threat to Open-Source Security

The Miasma campaign highlights the increasing risks facing open-source ecosystems and software supply chains.

As organizations continue to depend on third-party packages and community-maintained projects, attackers are focusing more attention on compromising trusted maintainers rather than exploiting software flaws directly.

Security experts warn that defending against these attacks requires stronger account protections, improved credential management, mandatory multi-factor authentication, code-signing verification, and continuous monitoring of repository activity.
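Two of the recommendations above, credential management and continuous monitoring of repository activity, can be turned into concrete detections that also cover the pattern the article describes earlier: a credential from a previous incident that was never revoked, reused to fan out across related repositories. The script below is an added example, not code from the article, GitHub or Microsoft. Its event feed is constructed, and the whitespace-separated record layout (timestamp, actor, credential id, action, repo) and the action names are an assumed simplified schema, not the GitHub audit log format; the `MAX_REPOS_PER_WINDOW` threshold is likewise an assumed value to be tuned against an organization's own baseline.

```python
"""Flag stale credentials and repository fan-out in an org-wide activity feed.
Added example with a constructed, simplified event schema (not GitHub's)."""
from collections import deque
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    actor: str
    cred: str      # identifier of the token or key used (assumed field)
    action: str
    repo: str


WINDOW = timedelta(hours=1)
MAX_REPOS_PER_WINDOW = 3                                   # assumed threshold
WRITE_ACTIONS = {"git.push", "release.publish", "workflow.update"}  # assumed names

# Constructed sample feed: one actor touches five repos in twenty minutes
SAMPLE_LOG = """\
2026-05-20T08:55:00 bob pat-7 git.push org/repo-x
2026-05-20T09:00:00 alice pat-1 git.push org/repo-a
2026-05-20T09:04:00 alice pat-1 git.push org/repo-b
2026-05-20T09:09:00 alice pat-1 workflow.update org/repo-c
2026-05-20T09:12:00 alice pat-1 release.publish org/repo-d
2026-05-20T09:20:00 alice pat-1 git.push org/repo-e
2026-05-20T11:30:00 bob pat-7 git.push org/repo-x
"""

# Credentials an earlier incident response said must be rotated, with the
# date by which they should have stopped working (constructed).
CREDENTIALS_TO_REVOKE = {"pat-1": datetime.fromisoformat("2026-05-01T00:00:00")}


def parse(line):
    ts, actor, cred, action, repo = line.split()
    return Event(datetime.fromisoformat(ts), actor, cred, action, repo)


def detect(lines, credentials_to_revoke):
    """Return alert strings in the order the triggering events were seen."""
    alerts = []
    recent = {}          # actor -> deque of (ts, repo) write events inside WINDOW
    stale_seen = set()   # credentials already reported, to avoid one alert per event
    fanout_seen = set()  # actors already reported for fan-out
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e.ts)
    for ev in events:
        # 1. A credential that should have been revoked is still in use
        deadline = credentials_to_revoke.get(ev.cred)
        if deadline is not None and ev.ts > deadline and ev.cred not in stale_seen:
            alerts.append(f"STALE_CREDENTIAL {ev.cred} used by {ev.actor} "
                          f"at {ev.ts.isoformat()} on {ev.repo}")
            stale_seen.add(ev.cred)
        if ev.action not in WRITE_ACTIONS:
            continue
        # 2. One actor writing to many distinct repos inside a short window
        q = recent.setdefault(ev.actor, deque())
        q.append((ev.ts, ev.repo))
        while q and ev.ts - q[0][0] > WINDOW:
            q.popleft()
        repos = {r for _, r in q}
        if len(repos) > MAX_REPOS_PER_WINDOW and ev.actor not in fanout_seen:
            alerts.append(f"REPO_FANOUT {ev.actor} wrote to {len(repos)} repos "
                          f"within {WINDOW} ending {ev.ts.isoformat()}")
            fanout_seen.add(ev.actor)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines(), CREDENTIALS_TO_REVOKE):
        print(alert)
```

On the sample feed the first alert fires at alice's first write with `pat-1`, because that token was on the post-incident revocation list but still works, and the second fires when her fourth distinct repository inside one hour crosses the fan-out threshold; bob's two pushes to one repository more than an hour apart produce nothing. The credential-deadline check is the cheap one to run continuously: it needs only the revocation list from the previous incident and catches exactly the "not fully revoked" failure the article raises.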

The latest Microsoft-related compromises serve as another reminder that software supply chain security remains one of the most critical challenges facing the technology industry today.
