{
    "@context": "https://schema.org",
    "@type": "NewsArticle",
    "@id": "https://hostdir.net/blog/miasma-supply-chain-worm-strikes-73-microsoft-github-repos-disrupts-ci-cd-pipelines",
    "headline": "Miasma Supply Chain Worm Strikes 73 Microsoft GitHub Repos, Disrupts CI/CD Pipelines",
    "alternativeHeadline": "Repeated compromise of a contributor account suggests incomplete credential rotation after May PyPI incident.",
    "url": "https://hostdir.net/blog/miasma-supply-chain-worm-strikes-73-microsoft-github-repos-disrupts-ci-cd-pipelines",
    "datePublished": "2026-06-11T18:45:00+00:00",
    "dateModified": "2026-06-11T18:50:31+00:00",
    "author": {
        "@type": "Organization",
        "name": "HostDir News Desk",
        "url": "https://hostdir.net"
    },
    "publisher": {
        "@type": "Organization",
        "name": "HostDir",
        "url": "https://hostdir.net",
        "logo": {
            "@type": "ImageObject",
            "url": "https://hostdir.net/assets/logo.svg"
        }
    },
    "image": "https://hostdir.net/uploads/news/f538a3082de8c810.webp",
    "description": "A variant of the Shai-Hulud worm, dubbed Miasma, hit 73 of Microsoft's GitHub repositories on June 5, taking down Azure Actions and breaking CI/CD workflows worldwide. Security researchers link the attack to incomplete credential rotation from a prior Microsoft PyPI compromise.",
    "articleSection": "Security",
    "articleBody": "On June 5, a variant of the Shai-Hulud worm known as Miasma struck 73 Microsoft GitHub repositories, primarily in the Azure organization, triggering automated takedowns for terms-of-service violations and disrupting continuous integration and delivery pipelines globally. Security research platform Open Source Malware first reported the incident, which took less than two minutes to unfold.\n\nGitHub disabled the affected repositories, including azure/functions-action, the official action for deploying Azure Functions. When that action went offline, every workflow referencing azure/functions-action@v1 stopped resolving, breaking CI/CD pipelines for organizations worldwide that depended on it.\n\nTwo Separate Miasma Incidents Against Microsoft\n\nSecurity firm StepSecurity connected the June 5 repository attack to a prior Miasma compromise of a Microsoft PyPI package on May 19. On that date, three poisoned versions of Microsoft's durabletask Python SDK were published to PyPI, remaining online for roughly 35 minutes before Microsoft removed them. The poisoned package, normally downloaded 400,000 times per month, contained a modular cloud intrusion framework called rope.pyz that steals credentials and secrets and can deploy a destructive wiper in certain regions.\n\nThe attacker used legitimate publishing credentials for an official Microsoft package, bypassing the build pipeline entirely, according to StepSecurity CTO Ashish Kurmi.\n\nA malicious commit in the GitHub repos came from the same contributor account used in the PyPI package compromise.\n\nStepSecurity previously attributed the PyPI attack to a group tracked as TeamPCP, citing overlapping infrastructure with earlier Mini Shai-Hulud campaigns.\n\nKurmi told Dark Reading that the repeated abuse of the contributor account raises three possibilities: the account credentials were not fully rotated after May 19; the account was recompromised by the Miasma worm's propagation loop; or the attackers spoofed commit author metadata using the Git Data API. He assessed the most likely scenario is a combination of incomplete credential rotation and reinfection via the worm's own propagation loop.\n\nCredential Hygiene and the Supply Chain Fallout\n\nThe incident underscores the difficulty of fully containing a worm that can jump between accounts and platforms. Microsoft has not confirmed whether the credential used in May was fully revoked. A company spokesperson told The Hacker News on June 8 that \"our priority is to protect customers and the broader ecosystem,\" adding that some repos were restored while others remained offline as the probe continued.\n\nStepSecurity's analysis suggests the worm's design enables it to move laterally, making incomplete credential rotation a dangerous vulnerability. Once an account is compromised, it becomes a candidate for reinfection. The Miasma variant appears to exploit that pattern, chaining together multiple attack surfaces across PyPI and GitHub.\n\nGoing forward, organizations that rely on Microsoft's open-source repositories for CI/CD workflows should audit their dependencies and consider pinning action versions, though the azure/functions-action case shows that even pinned references can break when a repository is disabled entirely. Microsoft has not published a full timeline for restoring all affected repos or a root-cause analysis of the credential gaps.",
    "mainEntityOfPage": "https://hostdir.net/blog/miasma-supply-chain-worm-strikes-73-microsoft-github-repos-disrupts-ci-cd-pipelines",
    "citation": [
        {
            "@type": "CreativeWork",
            "name": "Miasma Supply Chain Worm Burrows Into 73 Microsoft Repositories",
            "url": "https://www.darkreading.com/application-security/miasma-supply-chain-worm-73-microsoft-repositories"
        },
        {
            "@type": "CreativeWork",
            "name": "Miasma worms its way onto GitHub as attack kit goes open source",
            "url": "https://www.theregister.com/cyber-crime/2026/06/09/miasma-supply-chain-attack-toolkit-goes-public-on-github/5253074"
        },
        {
            "@type": "CreativeWork",
            "name": "Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues",
            "url": "https://thehackernews.com/2026/06/microsoft-restores-some-github-repos.html"
        }
    ],
    "_hostdir": {
        "kind": "news-article",
        "slug": "miasma-supply-chain-worm-strikes-73-microsoft-github-repos-disrupts-ci-cd-pipelines",
        "canonical": "https://hostdir.net/blog/miasma-supply-chain-worm-strikes-73-microsoft-github-repos-disrupts-ci-cd-pipelines",
        "category": "security",
        "sources": [
            {
                "url": "https://www.darkreading.com/application-security/miasma-supply-chain-worm-73-microsoft-repositories",
                "title": "Miasma Supply Chain Worm Burrows Into 73 Microsoft Repositories",
                "source_name": "Dark Reading",
                "source_slug": "darkreading"
            },
            {
                "url": "https://www.theregister.com/cyber-crime/2026/06/09/miasma-supply-chain-attack-toolkit-goes-public-on-github/5253074",
                "title": "Miasma worms its way onto GitHub as attack kit goes open source",
                "source_name": "The Register",
                "source_slug": "register-headlines"
            },
            {
                "url": "https://thehackernews.com/2026/06/microsoft-restores-some-github-repos.html",
                "title": "Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues",
                "source_name": "The Hacker News",
                "source_slug": "hacker-news"
            }
        ],
        "fact_checks": [
            {
                "claim": "73 Microsoft GitHub repositories were taken offline on June 5 due to a Miasma worm attack.",
                "source_url": "https://www.darkreading.com/application-security/miasma-supply-chain-worm-73-microsoft-repositories",
                "verdict": "verified"
            },
            {
                "claim": "The attack disrupted CI/CD pipelines globally by disabling the azure/functions-action GitHub Action.",
                "source_url": "https://www.darkreading.com/application-security/miasma-supply-chain-worm-73-microsoft-repositories",
                "verdict": "verified"
            },
            {
                "claim": "The same contributor account compromised in the May 19 PyPI attack was used in the June 5 GitHub attack.",
                "source_url": "https://thehackernews.com/2026/06/microsoft-restores-some-github-repos.html",
                "verdict": "reported"
            },
            {
                "claim": "StepSecurity assessed that incomplete credential rotation and reinfection via the worm's propagation loop were likely factors.",
                "source_url": "https://www.darkreading.com/application-security/miasma-supply-chain-worm-73-microsoft-repositories",
                "verdict": "reported"
            }
        ],
        "attribution": "HostDir News Desk — https://hostdir.net/blog/miasma-supply-chain-worm-strikes-73-microsoft-github-repos-disrupts-ci-cd-pipelines"
    }
}