
Cyber Incident Victim: Microsoft

Date: Jun 2026

Location: United States of America

Summary

A self‑propagating supply chain worm infiltrated 73 of Microsoft's GitHub repositories by using previously compromised contributor credentials to push a commit that added configuration files for AI coding agents such as Claude Code, Gemini CLI, Cursor and VS Code. When developers opened the repositories in those tools, the files triggered an obfuscated JavaScript payload that harvested credentials for cloud services, developer platforms and npm, which the worm then used to push itself into additional repositories. The malicious commit did not alter source code but relied on the trust model of editor and AI agent startup events, allowing the credential‑stealing malware to bypass typical package‑manager defenses. GitHub’s automated defenses disabled the affected repositories within a couple of minutes, disrupting CI/CD pipelines that depended on the Azure/functions‑action GitHub Action and causing widespread workflow failures. Analysis linked the worm to the Mini Shai‑Hulud family and noted reuse of the same compromised account from a prior PyPI package attack attributed to the threat group TeamPCP.


Description

On May 16, 2026, the core modules of the Miasma worm payload were authored and the command‑and‑control domain git-service[.]com was registered. Three days later, on May 19, 2026, attackers used a compromised publishing token to upload three malicious versions of Microsoft's official durabletask Python package to PyPI, where they remained for approximately 35 minutes before Microsoft confirmed the compromise and removed the affected versions. On June 3, 2026, a second wave of Miasma‑themed dead‑drop repositories began to appear. The following day, June 5, 2026, the same compromised contributor account was used to push a malicious commit (hash 5f456b8) to the Azure/durabletask repository; the commit was backdated to 2020, contained only configuration files and a 4.3–4.6 MB obfuscated JavaScript payload, and included a [skip ci] flag to evade automated CI/CD detection. Between 16:00:50 and 16:02:35 UTC on June 5, GitHub automatically disabled 73 repositories across the Azure, Azure‑Samples, Microsoft and MicrosoftDocs organizations in two waves lasting a total of 105 seconds.


The disabled repositories included notable projects such as azure-search-openai-demo-purviewdatasecurity, Connectors-NET-LSP, durabletask and its language‑specific implementations, functions-container-action, llm-fine-tuning and windows-driver-docs. The malicious commit added configuration files for AI coding agents—Claude Code, Gemini CLI, Cursor and VS Code—as well as an npm test script, which triggered execution of the payload stored in .github/setup.js when a developer opened the repository in those tools. Upon execution, the worm harvested credentials for AWS, Azure, GCP, Kubernetes, npm, GitHub and over 90 developer tool configurations, then used those credentials to commit itself into any repository accessible by the compromised accounts, enabling rapid, autonomous propagation. Anyone who pulled an affected repository and opened it in one of the affected AI coding tools or IDEs had credentials harvested instantly, and the stolen tokens fed the next wave of attacks, causing the blast radius to compound rather than remain fixed. The disruption of Azure/functions-action caused CI/CD pipelines worldwide that relied on that GitHub Action to stop resolving, breaking workflows for organizations that depended on Azure Functions deployment.
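The indicators this record describes (a [skip ci] commit whose author date is years behind its committer date, agent configuration files added without any source changes, a multi-megabyte JavaScript blob under .github/, and an npm script that runs it) can be combined into a defender-side commit triage check. The following is an added example and not code from this record, Microsoft or GitHub; the agent configuration paths (.claude/, .cursor/, .gemini/, .vscode/), the size and backdating thresholds, and the sample commit are assumptions, since the record names the tools but not the files.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed locations for the agent configuration named above by tool, not by path.
AGENT_CONFIG_PREFIXES = (".claude/", ".cursor/", ".gemini/", ".vscode/")
SOURCE_SUFFIXES = (".py", ".cs", ".java", ".ts", ".go")
LARGE_JS_BYTES = 1_000_000           # the described payload was 4.3-4.6 MB
BACKDATE_LIMIT = timedelta(days=30)  # author date far behind committer date


@dataclass
class Commit:
    message: str
    author_date: datetime     # claimed by the author and trivially forgeable
    committer_date: datetime  # set when the object was written to the repo
    files: dict               # path -> content (bytes) of files added/changed

def triage_commit(c: Commit) -> list:
    """Return the names of the indicators the commit matches (empty if none)."""
    hits = []
    if "[skip ci]" in c.message.lower():
        hits.append("skip_ci_marker")
    if c.committer_date - c.author_date > BACKDATE_LIMIT:
        hits.append("backdated_author_date")
    if any(p.startswith(AGENT_CONFIG_PREFIXES) for p in c.files):
        hits.append("agent_config_added")
    if any(p.endswith(".js") and len(b) >= LARGE_JS_BYTES for p, b in c.files.items()):
        hits.append("large_js_blob")
    if c.files and not any(p.endswith(SOURCE_SUFFIXES) for p in c.files):
        hits.append("config_only_commit")
    pkg = c.files.get("package.json")
    if pkg and any(".github/" in cmd for cmd in json.loads(pkg).get("scripts", {}).values()):
        hits.append("npm_script_runs_dot_github")
    return hits


# Constructed sample shaped like the commit described above; not the real commit.
SAMPLE = Commit(
    message="chore: add editor configuration [skip ci]",
    author_date=datetime(2020, 3, 1, tzinfo=timezone.utc),
    committer_date=datetime(2026, 6, 5, 16, 0, tzinfo=timezone.utc),
    files={
        ".claude/settings.json": b"{}",
        ".vscode/tasks.json": b"{}",
        ".github/setup.js": b"/* placeholder for obfuscated payload */" + b"x" * 4_500_000,
        "package.json": json.dumps({"scripts": {"test": "node .github/setup.js"}}).encode(),
    },
)
```

Any single indicator is common in legitimate history; the value is in a commit that trips several at once, which is what the sample does.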

In response, Microsoft confirmed the compromise of the durabletask PyPI package and removed the malicious versions from the repository. Security researchers from Open Source Malware and StepSecurity published technical analysis linking the Miasma worm to the Mini Shai‑Hulud worm previously associated with the threat group TeamPCP, noting that direct attribution remains at medium confidence due to a lack of unique technical artifacts. Public disclosure and detailed technical reports appeared on June 5‑6, 2026, describing the attack’s use of compromised contributor credentials, the backdated commit, the configuration‑file‑based payload and the impact on CI/CD systems. The extent of downstream impact and the exact number of developer accounts compromised remain undetermined.
