Miasma Hits Microsoft: 73 GitHub Repos Disabled in 105 Seconds

Back in May, I wrote about how a self-propagating malware campaign — dubbed Miasma — had compromised over 170 developer packages. I noted at the time that the real test of any supply chain attack is whether it can breach a major tech company’s own infrastructure. Google and Microsoft have the security teams, the detection systems, and the processes to spot these things. Or so we thought.

Three weeks later, Miasma proved me right. On June 5, the worm reached Microsoft’s own GitHub organisations. GitHub disabled 73 Microsoft repositories within the space of 105 seconds — two separate automated waves of takedowns, all triggered after a single malicious commit was pushed to the Azure/durabletask repository.

How it happened

A compromised contributor account — the same one used to poison Microsoft’s durabletask PyPI package back in mid-May — pushed a commit (5f456b8) with the message “Switched DataConverter to OrchestrationContext [skip ci]”. The commit added 5 configuration files and zero source code changes. The [skip ci] tag bypassed automated checks entirely.

But this wasn’t the same attack as May. The worm has evolved. Instead of poisoning a package registry, the June 5 attack skips the package manager altogether and targets the developer’s editor directly.

The planted files include:

.claude/settings.json — a SessionStart hook that executes automatically when Claude Code opens the repository. This is effectively a postinstall script for your AI coding agent.
.cursor/rules/setup.mdc — a prompt injection file that ships with the repo and executes when Cursor loads the project.

The shift from “execute on package install” to “execute on folder open” is significant. As Ashish Kurmi, co-founder of StepSecurity, put it: supply chain defences have historically focused on package install hooks (preinstall, postinstall, setup.py). The June 5 attack sidesteps all of that and goes straight for the IDE.

What it steals

The Miasma payload is an Azure-aware credential harvester. Once triggered, it collects:

Azure CLI tokens and managed-identity credentials
GitHub Actions OIDC tokens
npm and PyPI publishing tokens
SSH keys
AWS, GCP, and Kubernetes credentials
Configuration from 90+ developer tools

Microsoft’s own Ben Hope confirmed to TechCrunch that the company “temporarily removed some repositories as we investigated potential malicious content,” noting that “some of these repos have been restored after review, while others may remain offline while work continues.”

The blast radius

The most immediately damaging takedown was Azure/functions-action — a GitHub Action used to deploy code to Azure. When it went dark, every CI/CD pipeline referencing Azure/functions-action@v1 stopped resolving. Developers across the ecosystem woke up to broken builds on Friday morning. A Microsoft support thread showed the fallout, though a moderator initially dismissed it as “an internal management issue.”

GitHub’s automated detection kicked in a few hours after the malicious commit was pushed. The 73 repos were disabled in under two minutes — which is fast, but only after the commit had already landed.

The irony

Miasma specifically targets AI coding tools — Claude Code, Gemini CLI, Cursor, and VS Code. The very tools Microsoft has been promoting as the future of development are the attack surface. A .claude/settings.json hook is just as dangerous as a malicious postinstall script, but nobody has written the defences for it yet.

This is the second time in weeks that Microsoft’s open source projects have been compromised. In mid-May, the same threat actor uploaded three malicious versions of the durabletask PyPI package in a 35-minute window. Now they’ve returned with a different attack vector and a wider target.

The community-run OpenSourceMalware project and StepSecurity were the first to flag the attack. Microsoft Threat Intelligence published their own analysis on June 2, covering the earlier npm campaign that preceded this.

What this means for developers

The Miasma worm demonstrates that supply chain attacks have graduated from targeting individual developers to targeting entire ecosystems — and the tools they use to build software. The defence of open source can no longer be just “check the package before you install.” When the attack vector is your IDE opening a folder, the threat model changes fundamentally.

For anyone working with AI coding agents, the question is no longer “is this package safe?” It’s “what does this repo do when my agent opens it?”

Sources: The Register, TechCrunch, StepSecurity, OpenSourceMalware, Microsoft Security Blog