Blog - Creative Collaboration

Self-replicating Miasma worm hits 73 Microsoft GitHub repositories in supply chain attack

June 6, 2026

TL;DR

The Miasma worm hit 73 Microsoft GitHub repos across Azure and Microsoft orgs. It plants payloads that trigger in AI coding tools like Claude Code and Cursor.

The self-replicating Miasma worm has reached Microsoft's own GitHub repositories. GitHub disabled 73 repositories across four Microsoft organisations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs, after the worm planted malicious code that harvests developer credentials. It is the most significant escalation yet in an ongoing supply chain attack campaign that has been spreading across the open-source ecosystem for weeks.

The attack exploited previously compromised credentials. Last month, the threat group TeamPCP infected the “durabletask” PyPI package hosted in Microsoft’s Azure organisation to deliver an information stealer. Security researcher Paul McCarty pointed out that the same repository is at the centre of this month’s takedown.

“When the repo at the root of last month’s compromise is the hub of this month’s takedown, that is not a coincidence, that is the same wound reopening,” McCarty said. “Whoever held those credentials in May plausibly never fully lost them.”

What makes this campaign particularly dangerous is how the payload detonates. The attacker planted a 4.3 MB payload runner wired to execute automatically through five developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script. A developer only needs to clone an affected repo and open it in an AI coding agent for the malware to run.
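
For a defender, the practical consequence is to inspect a fresh clone before opening it in any of these tools. The following added example (not from the article, the researchers or any vendor) lists repository-supplied settings that can make the named tools run a command. The config file locations are assumptions based on the tools' general project-level configuration, since the article does not name the files the worm wrote, and the sample repository is constructed.

```python
import json, tempfile
from pathlib import Path

# Assumed locations (generic project-level configs); the article names no files.
AGENT_CONFIGS = [".claude/settings.json", ".gemini/settings.json",
                 ".cursor/mcp.json", ".mcp.json"]

def as_dict(x):
    return x if isinstance(x, dict) else {}

def audit_repo(root):
    """List repo-supplied settings that make a dev tool run a command."""
    root, findings = Path(root), []
    def load(rel):
        try:
            return as_dict(json.loads((root / rel).read_text(encoding="utf-8")))
        except FileNotFoundError:
            return {}
        except (ValueError, OSError):  # e.g. JSON with comments
            findings.append(f"{rel}: could not parse, review by hand")
            return {}
    for task in load(".vscode/tasks.json").get("tasks") or []:
        if as_dict(as_dict(task).get("runOptions")).get("runOn") == "folderOpen":
            findings.append(f".vscode/tasks.json: folderOpen task: {task.get('command')}")
    for rel in AGENT_CONFIGS:
        cfg = load(rel)
        for event in as_dict(cfg.get("hooks")):
            findings.append(f"{rel}: hook on {event}")
        for name, srv in as_dict(cfg.get("mcpServers")).items():
            findings.append(f"{rel}: MCP server {name}: {as_dict(srv).get('command')}")
    test = as_dict(load("package.json").get("scripts")).get("test")
    if test:
        findings.append(f"package.json: test script: {test}")
    return findings

# Constructed sample repo (benign commands), not taken from the real campaign.
SAMPLE = {
    ".vscode/tasks.json": {"tasks": [{"label": "setup", "command": "echo constructed",
                                      "runOptions": {"runOn": "folderOpen"}}]},
    ".claude/settings.json": {"hooks": {"SessionStart": []}},
    "package.json": {"name": "demo", "scripts": {"test": "echo constructed"}},
}

def demo():
    with tempfile.TemporaryDirectory() as d:
        for rel, body in SAMPLE.items():
            path = Path(d, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(json.dumps(body), encoding="utf-8")
        return audit_repo(d)
```

Run `audit_repo()` on a clone from a plain terminal, before any editor or agent has opened the directory; an empty list means none of the checked files request command execution, not that the repository is clean.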

Once triggered, the Bun-based worm harvests credentials for AWS, Azure, GCP, Kubernetes, npm, and GitHub. It then uses those stolen tokens to commit itself into any repository the victim can write to, spreading autonomously across the ecosystem.

Among the disabled repositories are critical Azure infrastructure projects: azure-search-openai-demo, durabletask and its .NET, Go, JS, and MSSQL implementations, functions-container-action, llm-fine-tuning, and windows-driver-docs. OpenSourceMalware reported that GitHub contained the attack within 105 seconds, but the scope of affected downstream users remains unclear.

Miasma is a variant of the Mini Shai-Hulud worm that TeamPCP publicly released in mid-May 2026. The original Shai-Hulud appeared in September 2025 as the first self-replicating malware observed in the npm ecosystem. It has since mutated across npm and PyPI, previously compromising 32 Red Hat packages and hitting TanStack, Mistral AI, and UiPath packages.

The worm has also begun skipping the npm registry entirely. SafeDep found it pushing malicious code directly to source repositories, including “icflorescu/mantine-datatable” and four related projects. As of writing, more than 80 public repositories on GitHub carry the Miasma campaign’s naming pattern.

The fundamental problem is not a vulnerability in npm or GitHub. “It exploits the trust model those platforms are built on,” security firm FalconFeeds.io said in its analysis. “The assumption that if a package is signed with a valid key and published by an authenticated maintainer, it is safe.” The worm compromises the key and the maintainer, then acts exactly like a legitimate publisher. From the registry’s perspective, every malicious publish event looks like a routine update.

The targeting of AI coding agents is a notable evolution. Developers increasingly rely on tools like Claude Code and Cursor to work with unfamiliar repositories. A worm that activates when an AI agent opens a project exploits a new behaviour pattern that did not exist a year ago. It is supply chain malware designed for the age of AI-assisted development.

    © CC Startup, Powered by Creative Collaboration. © 2020 Creative Collaboration, LLC. All Rights Reserved.