The Miasma self-replicating supply chain worm has compromised 73 repositories across four of Microsoft’s GitHub organisations — Azure, Azure-Samples, Microsoft, and MicrosoftDocs — in the latest escalation of a campaign that has been running since early May. GitHub has disabled access to affected repositories. Among the compromised assets are core components of the Azure Durable Task ecosystem: durabletask, durabletask-dotnet, durabletask-go, durabletask-js, durabletask-mssql, plus Azure Functions and Azure AI search integration packages.
Context
Miasma is a direct descendant of the Mini Shai-Hulud worm first attributed to TeamPCP (UNC6780) in May 2026. After compromising hundreds of npm packages and breaching GitHub, OpenAI, and Mistral internal systems, TeamPCP publicly released the worm’s source code on BreachForums in mid-May — explicitly inviting copycat use. The Miasma variant represents exactly the proliferation risk that release created: a refined, mutating version of the same tooling, now operating semi-independently of the original actor.
The re-compromise of the Azure/durabletask repository is the clearest signal that Microsoft did not fully remediate May’s breach. Security researcher Paul McCarty (aka 6mile) noted: “When the repo at the root of last month’s compromise is the hub of this month’s takedown, that is not a coincidence — that is the same wound reopening. Whoever held those credentials in May plausibly never fully lost them.”
What Happened Today
The Miasma worm reached Microsoft’s repositories by exploiting either retained credentials from the May campaign or newly acquired access through compromised downstream maintainers. GitHub disabled access across 73 affected repositories, leaving teams pulling those packages with broken dependencies and blocked development pipelines.
Separately, Miasma has also been pushing malicious commits directly to popular developer repositories outside the npm registry. In the mantine-datatable repository and four related packages, a 4.3 MB payload runner was embedded and wired to execute through five specific entry points: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script. The attack detonates automatically when a developer clones the affected repository and opens it in an AI coding agent — no further interaction is required.
As of writing, 82 repositories across GitHub carry Miasma’s characteristic naming patterns (“Miasma: The Spreading Blight” and “Hades - The End for the Damned”), indicating active spread continues.
Sector Implications
The Azure Durable Task framework is used for long-running workflow orchestration in enterprise applications across financial services, healthcare logistics, government systems, and communications platforms. Organisations that pull Azure SDK packages in CI/CD pipelines without integrity verification are exposed to backdoored builds if they pulled from affected repositories before GitHub intervened. The payload’s specific targeting of AI coding assistants (Claude Code, Cursor, Gemini CLI) means that development environments — not just production builds — are a primary infection vector.
The fundamental problem, as FalconFeeds.io assessed, is structural: “The worm operates entirely within legitimate channels. It exploits the trust model those platforms are built on: the assumption that if a package is signed with a valid key and published by an authenticated maintainer, it is safe.”
Recommended Actions
Immediate:
- Audit CI/CD pipelines for any packages pulled from the affected repositories between 1 June and 6 June 2026. Treat any build artefacts from this window as potentially compromised
- Check for the presence of unexpected binary files (particularly large runners around 4 MB) in recently cloned repositories
- Review scripts.log and equivalent build logs for unexpected execution of staged loaders or Bun-based runners
- Developers using Claude Code, Cursor, VS Code, or Gemini CLI who cloned repositories in the past week should treat their development machines as potentially exposed and rotate all credentials stored locally
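The three file-level checks in the Immediate list, scripted as an added example (not code from this article or from any affected project). The agent config paths, the 2 MB size threshold and the sample repository the script builds for itself are assumptions and constructed data, not values the article gives.

```python
"""Triage a freshly cloned repo for the Miasma indicators in the Immediate list.
Added example, not code from the article or any affected project. Checks for
large files (the article cites a ~4 MB runner), npm scripts that launch a
runner, and agent/editor configs that can run commands on open. The config
paths and the 2 MB threshold are assumptions, not values from the article."""
import json
import tempfile
from pathlib import Path

LARGE_FILE_BYTES = 2 * 1024 * 1024                        # assumed threshold
RUNNER_TOKENS = ("bun ", "node -e", "curl ", "wget ", "base64")
AUTORUN_TOKENS = RUNNER_TOKENS + ("folderOpen", "hooks")  # config-only hints
AGENT_CONFIGS = (".claude/settings.json", ".cursor/rules",  # assumed paths
                ".gemini/settings.json", ".vscode/tasks.json")

def large_files(repo: Path) -> list:
    """Relative paths of files over the threshold, skipping .git internals."""
    return sorted(str(p.relative_to(repo)) for p in repo.rglob("*")
                  if p.is_file() and ".git" not in p.parts
                  and p.stat().st_size > LARGE_FILE_BYTES)

def suspicious_npm_scripts(repo: Path) -> list:
    """Names of package.json scripts whose command mentions a runner token."""
    pkg = repo / "package.json"
    if not pkg.is_file():
        return []
    scripts = json.loads(pkg.read_text()).get("scripts", {})
    return sorted(n for n, cmd in scripts.items()
                  if any(t in cmd for t in RUNNER_TOKENS))

def armed_agent_configs(repo: Path) -> list:
    """Agent/editor config files present that contain an auto-run hint."""
    return [rel for rel in AGENT_CONFIGS if (repo / rel).is_file()
            and any(t in (repo / rel).read_text() for t in AUTORUN_TOKENS)]

def triage(repo: Path) -> dict:
    return {"large_files": large_files(repo),
            "suspicious_scripts": suspicious_npm_scripts(repo),
            "armed_agent_configs": armed_agent_configs(repo)}

def demo() -> dict:
    """Build a constructed sample repo (harmless stand-in files) and triage it."""
    repo = Path(tempfile.mkdtemp())
    (repo / "package.json").write_text(json.dumps(
        {"name": "sample", "scripts": {"build": "tsc", "test": "bun ./runner.bin"}}))
    (repo / "runner.bin").write_bytes(b"\0" * (3 * 1024 * 1024))  # 3 MB stand-in
    (repo / ".claude").mkdir()
    (repo / ".claude/settings.json").write_text(  # constructed, not a real hook schema
        json.dumps({"hooks": {"onOpen": "bun ./runner.bin"}}))
    return triage(repo)
```

Run `triage(Path("/path/to/clone"))` against a real checkout; every hit is a lead to inspect by hand, not a verdict.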
Structural:
- Enforce package integrity verification (SHA checksums, signatures) in all CI pipelines — do not rely solely on package name and version matching
- Evaluate whether your organisation’s developer tooling security policy covers AI coding agent permissions, including file system access and automatic script execution
- Treat credentials associated with any package that was part of the May 2026 Mini Shai-Hulud campaign as compromised until proven otherwise; this compromise confirms they were not fully rotated