The self-replicating Miasma supply chain attack has impacted Microsoft repositories on GitHub — according to researchers, 73 repositories in four organizations have been compromised: Azure, Azure-Samples, Microsoft and MicrosoftDocs. GitHub has blocked access to the affected repositories. The incident highlights a fundamental vulnerability in the trust model of open-source ecosystems: the worm acts on behalf of legitimate maintainers, and platforms are unable to distinguish a malicious publication from a routine update. All organizations using the affected packages and repositories must immediately audit their dependencies.
Scale of the compromise
According to an OpenSourceMalware report, the incident has affected repositories from Microsoft’s critically important projects. When attempting to access the Azure/azure-functions-host repository, a message is shown stating that GitHub Staff has blocked it for violating the terms of use. Confirmed affected repositories include:
- azure-search-openai-demo-purviewdatasecurity
- Connectors-NET-LSP and Connectors-NET-SDK
- durabletask and its implementations: durabletask-dotnet, durabletask-go, durabletask-js, durabletask-mssql
- functions-container-action and homebrew-functions
- llm-fine-tuning
- windows-driver-docs
Of particular note is the repeated compromise of the durabletask package on PyPI. According to researchers, this package had already been infected a month earlier to deliver an infostealer to Linux systems. Security researcher Paul McCarty noted that together with the main Azure/durabletask repository, all related repositories in the Durable Task ecosystem were removed — implementations for .NET, Go, Java, JS, MSSQL, Netherite and protobuf, as well as the Durable Functions monitor.
Attack mechanism and worm evolution
Researchers estimate that Miasma is a variant of the Mini Shai-Hulud worm, which the TeamPCP group publicly released in mid-May 2026. Since its publication, the worm has continued mutating and refining its tactics.
Malicious repositories created during its propagation use characteristic descriptions for identification:
- “Miasma: The Spreading Blight” (and variations with different separators)
- “Hades – The End for the Damned”
At the time of analysis, GitHub contained 13 repositories with the “Hades” description and 82 repositories with “Miasma” variations.
Direct injection into source code
A fundamentally new element was the bypassing of the npm registry. According to SafeDep, the attackers injected malicious code directly into repositories, including icflorescu/mantine-datatable and four related projects: mantine-contextmenu, next-server-actions-parallel, mantine-datatable-v6 and mantine-contextmenu-v6.
The malicious commit did not add dependencies. Instead, it placed a 4.3 MB payload and configured it for automatic execution via five development tools: Claude Code, Gemini CLI, Cursor, VS Code and an npm test script. The attack is triggered when a developer clones an infected repository and opens it in an AI coding agent. SafeDep describes the loader as the same staged Bun-based loader, repurposed to establish persistence in original GitHub repositories instead of poisoning package registries.
Why traditional defenses failed
The key characteristic of Miasma that sets this campaign apart from other supply chain attacks is its exploitation of the trust model rather than technical vulnerabilities. As FalconFeeds.io analysts note, the worm operates strictly within legitimate channels: it does not exploit vulnerabilities in npm or GitHub. It compromises signing keys and maintainer accounts, and then acts as a legitimate publisher. From the registry’s perspective, each malicious publication event is indistinguishable from a routine update.
This explains the worm’s ability for exponential spread: every compromised developer becomes a new infection vector for all projects to which they have access. According to OX Security, the campaign continues to infect new packages.
Impact assessment
Those at greatest risk are:
- Developers using Azure services — key repositories for Azure Functions, Durable Task and connectors are affected
- Users of the durabletask package on PyPI — the repeated compromise suggests attackers may have retained access
- Developers using AI coding agents — the new vector via Claude Code, Gemini CLI, Cursor and VS Code configurations creates risk from simply cloning an infected repository
- Projects with dependencies on mantine-datatable and related libraries
Important caveat: the stated figure of 73 affected repositories is based on data from a single research source. At the time of publication, no official statement from Microsoft or GitHub on the full scope of the incident has been found. Attribution to TeamPCP is also based on researchers’ assessments rather than confirmed primary data.
Security recommendations
- Dependency audit: check whether your projects use any of the affected repositories and packages listed above. Pay particular attention to the durabletask package on PyPI and the Durable Task ecosystem.
- AI agent configuration review: if you use Claude Code, Gemini CLI, Cursor or VS Code with AI assistant features, inspect configuration files in recently cloned repositories for suspicious auto-run scripts.
- Secret rotation: if your projects interacted with the affected repositories, rotate all tokens, API keys and credentials that might have been accessible in the development environment.
- Repository monitoring: track the appearance of repositories with descriptions “Miasma: The Spreading Blight” and “Hades – The End for the Damned” in your projects’ dependencies.
- Commit verification: enforce mandatory commit signing (GPG/SSH) and review all changes, even from trusted maintainers. Configure alerts for the addition of large binary files to repositories.
- Restrict automatic execution: disable automatic script execution when cloning repositories. Inspect the contents of npm scripts (preinstall, postinstall, test) before running them.
The Miasma campaign highlights a systemic problem: the trust model of open ecosystems, where an authenticated maintainer is assumed safe by default, cannot withstand attacks involving credential compromise. The top-priority action for development teams is an immediate audit of dependencies on the affected Microsoft repositories and PyPI/npm packages, rotation of all related secrets, and the adoption of policies that forbid automatic code execution when cloning external repositories.
