Microsoft’s GitHub repositories have become the latest to fall victim to the ongoing Miasma self-replicating supply chain attack campaign.
The incident impacted 73 Microsoft repositories across four of its GitHub organizations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs, per OpenSourceMalware. The development has GitHub to disable access to those repositories.
“Access to this repository has been disabled by GitHub Staff due to a violation of GitHub’s terms of service,” reads the message when attempting to access the “Azure/azure-functions-host” repository. “If you are the owner of the repository, you may reach out to GitHub Support for more information.”
According to OpenSourceMalware, some of the repositories impacted by the incident are listed below –
- azure-search-openai-demo-purviewdatasecurity
- Connectors-NET-LSP
- Connectors-NET-SDK
- durabletask
- durabletask-dotnet
- durabletask-go
- durabletask-js
- durabletask-mssql
- functions-container-action
- homebrew-functions
- llm-fine-tuning
- windows-driver-docs
What’s notable about the latest campaign is the re-compromise of the “durabletask” PyPI package, which was infected by TeamPCP last month to deliver an information stealer on Linux systems.
“A month later, not only is Azure/durabletask gone – so is every sibling repo in the Durable Task ecosystem, sitting one org over in Microsoft: the .NET, Go, Java, JS, MSSQL, Netherite, and protobuf implementations, plus the Durable Functions monitor,” security researcher Paul McCarty (aka 6mile) said.
“When the repo at the root of last month’s compromise is the hub of this month’s takedown, that is not a coincidence – that is the same wound reopening. Whoever held those credentials in May plausibly never fully lost them.”
Miasma is assessed to be a variant of the Mini Shai-Hulud worm that TeamPCP publicly released in mid-May 2026. It has since continued to mutate and refine its tactics, even as it has infected more packages over the past couple of days, using various descriptions for the newly-created public repositories containing the stolen secrets –
- Miasma: The Spreading Blight
- Miasma : The Spreading Blight
- Miasma – The Spreading Blight
- Hades – The End for the Damned
As of writing, there are 13 repositories with the description “Hades – The End for the Damned” and 82 repositories with the remaining three naming patterns.
Miasma has also been observed skipping the npm registry entirely, with the threat actors pushing malicious code directly to “icflorescu/mantine-datatable” and four related repositories: “mantine-contextmenu,” “next-server-actions-parallel,” “mantine-datatable-v6,” and “mantine-contextmenu-v6.”
“The commit added no dependencies. It planted a 4.3 MB payload runner and wired it to execute automatically through five developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script,” SafeDep said. “The attack…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
