supplychainattack.org · Supply chain attack incident catalog
contained · critical

Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled After Supply Chain Attack Targeting AI Coding Agents

On June 5, 2026, the Miasma worm campaign compromised Microsoft's Azure GitHub organizations by pushing a malicious commit to the Azure/durabletask repository using a compromised contributor account. GitHub disabled 73 repositories across four Microsoft organizations after configuration files were planted to harvest credentials when developers opened repositories in AI coding agents like Claude Code, Gemini CLI, Cursor, or VS Code.

Disclosed: June 5, 2026
Last updated: June 7, 2026
Blast radius
73 Microsoft GitHub repositories across four organizations disabled; potential exposure to developers using AI coding agents (Claude Code, Gemini CLI, Cursor, VS Code).
Ecosystems
Attack vectors
Affected entities
  • Azure/durabletask: Primary repository targeted with malicious commit planting credential-harvesting payload
  • Azure Functions Action: Part of 73 disabled repositories
  • Microsoft GitHub organizations: 73 repositories across four Microsoft organizations disabled

On June 5, 2026, the Miasma worm campaign targeted Microsoft's Azure GitHub organizations in a supply chain attack. A previously compromised contributor account was used to push a malicious commit to the Azure/durabletask repository.

The attack planted configuration files designed to execute a credential-harvesting payload when developers opened the affected repository in popular AI-assisted coding tools: Claude Code, Gemini CLI, Cursor, or VS Code. This vector targets modern development workflows that integrate with AI coding assistants.

In response, GitHub disabled 73 repositories across four Microsoft GitHub organizations to contain the spread. The attack demonstrates the worm's persistence and adaptability in targeting both infrastructure repositories and AI coding agent integrations.

Remediation

  • Audit all repositories in affected Microsoft GitHub organizations for unauthorized commits and configuration files
  • Review access logs for the compromised contributor account and revoke credentials
  • Implement commit signing requirements and enhance branch protection policies
  • Scan developer machines that may have cloned or interacted with affected repositories
  • Monitor for credential exfiltration from accounts that accessed the poisoned repositories
  • Review and update secrets/API keys that may have been harvested
  • Deploy additional detection for suspicious configuration files in CI/CD workflows
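
One way to start on the detection and audit items above, as an added example that is not part of the original entry or of any vendor tooling: a checkout scanner for project-level config files that can name a command to run. The entry does not say which files were planted; the watch list (VS Code folder-open tasks, Claude Code hooks, MCP server definitions for Claude Code, Cursor and Gemini CLI) and the sample files are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Assumed watch list (the entry names no files): project-level config these
# tools read from a checkout, with the key in each that can name a command.
WATCH = {
    ".vscode/tasks.json": "tasks",
    ".claude/settings.json": "hooks",
    ".mcp.json": "mcpServers",
    ".cursor/mcp.json": "mcpServers",
    ".gemini/settings.json": "mcpServers",
}

def scan_repo(root):
    """Return sorted (relative_path, reason) pairs that need human review."""
    findings = []
    for rel, key in WATCH.items():
        path = Path(root) / rel
        if not path.is_file():
            continue
        try:
            doc = json.loads(path.read_text(encoding="utf-8"))
        except ValueError:
            # Comments or bad encoding defeat the parser; never report as clean.
            findings.append((rel, "unparseable, review by hand"))
            continue
        value = doc.get(key) if isinstance(doc, dict) else None
        if key == "tasks":  # keep only tasks set to start when the folder opens
            value = [t for t in (value if isinstance(value, list) else [])
                     if isinstance(t, dict) and isinstance(t.get("runOptions"), dict)
                     and t["runOptions"].get("runOn") == "folderOpen"]
        if value:
            reason = "runOn=folderOpen task" if key == "tasks" else f"non-empty {key}"
            findings.append((rel, reason))
    return sorted(findings)

def demo():
    files = {  # constructed sample checkout, invented for this example
        ".vscode/tasks.json": '{"tasks": [{"label": "x", "runOptions": {"runOn": "folderOpen"}}]}',
        ".claude/settings.json": '{"hooks": {}}',   # empty hooks: not flagged
        ".cursor/mcp.json": "{ // comment\n}",      # not strict JSON: flagged
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_repo(tmp)
```

A hit is a prompt for review rather than a verdict, since legitimate projects ship these files too; compare each one against the last known-good commit.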

Sources

  1. Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled After Supply Chain Attack Targeting AI Coding Agents · StepSecurity

Cite this entry

"Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled After Supply Chain Attack Targeting AI Coding Agents." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 5, 2026; last updated June 7, 2026. https://supplychainattack.org/incident/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositorie-rl1iv8


  1. contained · critical

    Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten to Steal CI Secrets

    On May 22, 2026, an attacker with push access to the Laravel-Lang GitHub organization rewrote git tags across multiple Composer packages to distribute malicious payloads that exfiltrate CI secrets. The attack affected laravel-lang/http-statuses, laravel-lang/actions, and laravel-lang/attributes, targeting developers who ran composer update or fresh installations.

    Other · Account takeover · Malicious commit
  2. active · high

    Six Accounts, One Actor: Inside the prt-scan Supply Chain Campaign

    A coordinated supply chain campaign dubbed "prt-scan" involved a single attacker controlling six GitHub accounts to exploit the pull_request_target GitHub Actions trigger. The campaign represents a follow-up to the earlier hackerbot-claw campaign, targeting CI/CD workflows with AI-powered attack methods.

    Other · Malicious commit · Account takeover
  3. active · high

    Axios NPM Distribution Compromised in Supply Chain Attack

    A compromised axios maintainer account led to malicious npm releases affecting projects with active dependencies on the package. The incident involved unauthorized releases propagated through the npm distribution network.

    npm · Account takeover · Malicious commit
  4. contained · critical

    xygeni-action Compromised: C2 Reverse Shell Backdoor Injected via Tag Poisoning

    The official Xygeni GitHub Action (xygeni-action) was compromised on March 3, 2026, via stolen maintainer credentials. An attacker injected a C2 reverse shell backdoor and moved the mutable v5 tag to the malicious commit, silently affecting all workflows referencing @v5. The v5 tag remained poisoned as of March 9, 2026.

    Other · Account takeover · Malicious commit