A Worm That Keeps Coming Back
The Miasma worm has reached Microsoft. GitHub has disabled access to 73 repositories spread across four Microsoft-affiliated organizations — Azure, Azure-Samples, Microsoft, and MicrosoftDocs — after the self-replicating supply chain campaign infected them. Attempts to load the “Azure/azure-functions-host” repository now return a message that reads: “Access to this repository has been disabled by GitHub Staff due to a violation of GitHub’s terms of service. If you are the owner of the repository, you may reach out to GitHub Support for more information.”
What makes this incident harder to dismiss as isolated is the specific repository sitting at its center. The “durabletask” package — the same one that was infected by the group known as TeamPCP last month to deliver an information stealer on Linux systems — is again involved. Not only is Azure/durabletask gone, but so is every sibling repository in the Durable Task ecosystem: the .NET, Go, Java, JavaScript, MSSQL, Netherite, and protobuf implementations, along with the Durable Functions monitor.
The Credential Problem Nobody Solved in May
Security researcher Paul McCarty, who goes by the handle 6mile, put the connection plainly. When the repository at the root of last month’s compromise becomes the hub of this month’s takedown, that is not coincidence — it is the same wound reopening. McCarty’s assessment is direct: whoever held those credentials in May plausibly never fully lost them.
This matters because it changes what kind of failure is being examined. The May compromise was described and documented. Packages were pulled. Repositories were flagged. And yet the same entry point appears to have remained viable long enough for a second campaign to launch from it. The interval between intrusions was roughly four weeks.
What Miasma Actually Is
Miasma is assessed to be a variant of the Mini Shai-Hulud worm that TeamPCP released publicly in mid-May 2026. Since then it has continued to mutate, refining its methods while spreading to new packages. Among the repositories it has created, researchers have identified two distinct naming patterns currently in circulation. As of the most recent count, 13 repositories carry the description “Hades - The End for the Damned,” while 82 carry one of three variations on “Miasma: The Spreading Blight” — formatted slightly differently across instances as “Miasma: The Spreading Blight,” “Miasma : The Spreading Blight,” and “Miasma - The Spreading Blight.”
The worm has also demonstrated an ability to bypass the npm registry entirely. Rather than publishing malicious packages through the registry in the conventional sense, Miasma’s operators pushed malicious code directly into source repositories. The affected repositories include “icflorescu/mantine-datatable” and four related ones: “mantine-contextmenu,” “next-server-actions-parallel,” “mantine-datatable-v6,” and “mantine-contextmenu-v6.” No new dependencies were added to the commit. Instead, a 4.3 MB payload runner was planted and wired to execute automatically through five developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script.
The execution model here is worth pausing on. The attack does not trigger when a package is installed from a registry. It detonates when a developer clones one of the affected repositories and opens it inside an AI coding agent. The dropper is described by researchers at SafeDep as a staged Bun loader — the same loader used in registry-based attacks, repurposed here for persistence directly at the GitHub source level.
Among the specific repositories confirmed impacted, OpenSourceMalware has listed: azure-search-openai-demo-purviewdatasecurity, Connectors-NET-LSP, Connectors-NET-SDK, durabletask, durabletask-dotnet, durabletask-go, durabletask-js, durabletask-mssql, functions-container-action, homebrew-functions, llm-fine-tuning, and windows-driver-docs.
Why Conventional Defenses Keep Failing
FalconFeeds.io identified the structural problem in straightforward terms: Miasma does not exploit a vulnerability in npm or GitHub. It exploits the trust model those platforms are built on — the assumption that if a package is signed with a valid key and published by an authenticated maintainer, it is safe to use.
That trust model was designed to solve the authentication problem, not the compromise problem. A valid signing key in the hands of an attacker is indistinguishable from a valid signing key in the hands of a legitimate maintainer, at least from the platform’s perspective. Shai-Hulud, from which Miasma descends, compromises the key itself — which means every verification mechanism downstream of that key continues to return green.
The propagation logic is what separates this campaign from more localized supply chain incidents. The worm spreads by infecting downstream users and then using their credentials and access to repeat the cycle. Each newly compromised developer or repository becomes a fresh infection point. The exponential math of that process is why 73 Microsoft repositories can fall in a single wave, and why the count of active Miasma repositories across the broader ecosystem sits at 95 and climbing.
What Developers Are Actually Facing
The direct developer risk is unusually high in this campaign. Most supply chain attacks target production pipelines, where a malicious package executes when software is built, deployed, or run by an end system. Miasma’s AI agent attack vector is different: it targets the development environment itself, activating the moment a developer opens a cloned repository in Claude Code, Cursor, or VS Code with the appropriate extensions running.
A developer working on a legitimate project, pulling a dependency from a compromised repository, and opening it in their standard toolchain becomes both a victim and an unwitting propagation node if their own credentials and repositories are subsequently harvested. The attack does not require them to install anything unusual, approve any unexpected prompts, or take any action outside their normal workflow.
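The execution model described above (a planted runner wired to fire through editor and agent hooks or the npm test script) can be audited before a freshly cloned checkout is opened in any tool. The following is an added example, not code from the article or from any project it names: it lists the commands that would run without an explicit user decision and flags those that launch a runtime or reference an unusually large file in the checkout. The VS Code tasks.json "runOn": "folderOpen" option and package.json lifecycle scripts are documented features; the hook file paths assumed for Claude Code, Gemini CLI and Cursor are assumptions, as is the 1 MB size threshold.

```python
import json
import re

# Files an editor or coding agent may act on when a folder is opened.
# tasks.json "runOn": "folderOpen" and package.json scripts are documented;
# the Claude Code / Gemini CLI / Cursor hook paths below are assumptions.
AGENT_HOOK_FILES = (".claude/settings.json", ".gemini/settings.json",
                    ".cursor/hooks.json")
NPM_AUTO_SCRIPTS = ("test", "preinstall", "install", "postinstall", "prepare")
RUNTIME = re.compile(r"\b(bun|node|deno|sh|bash|curl|wget)\b", re.I)

def _strings(obj):
    """Yield every string nested anywhere inside a parsed JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from _strings(v)

def _load(files, path):
    """Parse a JSON file from the checkout, or return {} if absent/invalid."""
    try:
        return json.loads(files[path]) or {}
    except (KeyError, ValueError):
        return {}

def hook_commands(files):
    """(source, command) pairs that run without an explicit user decision."""
    found = []
    scripts = _load(files, "package.json").get("scripts") or {}
    found += [(f"package.json:scripts.{n}", scripts[n]) for n in NPM_AUTO_SCRIPTS if n in scripts]
    for task in _load(files, ".vscode/tasks.json").get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            found.append((".vscode/tasks.json", task.get("command", "")))
    for path in AGENT_HOOK_FILES:
        found += [(path, c) for c in _strings(_load(files, path).get("hooks"))]
    return found

def audit(files, size_limit=1_000_000):
    """Flag hooks that launch a runtime or reference a large file in the repo.

    `files` maps relative paths to file contents (bytes or str)."""
    flagged = []
    for source, cmd in hook_commands(files):
        big = [p for p in files if p in cmd and len(files[p]) > size_limit]
        if RUNTIME.search(cmd) or big:
            flagged.append((source, cmd, big))
    return flagged
```

Real tasks.json files often contain comments, which json.loads rejects; strip them before parsing in production use.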
There is no confirmed total count of downstream developer environments affected across the full campaign. The 95 currently identifiable repositories — 13 under the Hades description and 82 under the Miasma variants — represent the visible infrastructure. The number of developer machines that have already executed the 4.3 MB payload runner is not publicly known.
GitHub’s response has been to disable affected repositories on discovery. The access revocation message is now what most developers encounter when they attempt to load any of the 73 Microsoft-affiliated repositories. Whether the underlying credential access that enabled the initial compromise has been fully revoked or remains partially intact — as McCarty’s analysis suggests it may — is a question GitHub and Microsoft have not yet answered publicly.