NEWS
Miasma Worm Hit 73 Microsoft GitHub Repos in 105 Seconds
Miasma hit 73 Microsoft GitHub repos on June 5 with a payload that fires in Claude Code, Cursor, or VS Code the moment a developer opens the project.
GitHub pulled 73 Microsoft repositories offline in a 105-second sweep on June 5 after the Miasma self-replicating worm pushed a malicious commit into Azure’s durabletask repository and spread its payload across four Microsoft GitHub organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. The worm is the newest generation of the Shai-Hulud supply chain malware lineage first tracked in September 2025 and rebuilt as Mini Shai-Hulud in May 2026. It harvests developer credentials for AWS, Azure, Google Cloud Platform (GCP, Google’s cloud computing service), Kubernetes, npm, and GitHub, then uses the stolen GitHub tokens to commit itself into every other repository the compromised account can write to.
Miasma fires the moment a developer opens a compromised repository in Claude Code, Cursor, Gemini CLI, Visual Studio Code, or an npm test runner. No install command needed. Cloning a repository and opening it in an AI coding agent is now enough to start a credential harvest.
The Same Wound, Twice
The durabletask repository wasn’t unfamiliar territory for TeamPCP. On May 19, the threat group had already infected Microsoft’s Azure Durable Task Python SDK on PyPI (the Python Package Index, the main registry for Python software) to deliver an information stealer targeting Linux systems. Upwind Security’s analysis of that incident identified three consecutive malicious releases, versions 1.4.1 through 1.4.3, each embedding a lightweight dropper in the package’s initialization file that downloaded a remote payload from attacker-controlled servers on import.
The June 5 entry point was the same package. SafeDep’s forensic review of the source-repository arm of the attack found the attacker used a stolen personal access token (PAT, a credential granting write access to GitHub repositories) belonging to a real Microsoft contributor. The commit timestamp was backdated to March 2020 to bury it in a dormant branch, and the commit message, “Switched DataConverter to OrchestrationContext [skip ci],” suppressed automated build checks.
Security researcher Paul McCarty, who tracks supply chain threats, reviewed the takedown list. He noted that every sibling repository in the Durable Task ecosystem had gone dark alongside durabletask itself, including the .NET, Go, Java, JavaScript, MSSQL, Netherite, and protobuf implementations and the Durable Functions monitor. “When the repo at the root of last month’s compromise is the hub of this month’s takedown, that is not a coincidence, that is the same wound reopening,” McCarty said. “Whoever held those credentials in May plausibly never fully lost them.”
Among the 73 disabled repositories are azure-search-openai-demo, functions-container-action, llm-fine-tuning, and windows-driver-docs. The entire Durable Task family, spread across both the Azure and Microsoft GitHub organizations, went offline inside the same 105-second window.

How the Payload Detonates
The Trigger Surface
In the wave that hit the icflorescu repositories (mantine-datatable among them), the malicious commit hid in plain sight under the message “chore: update dependencies [skip ci].” SafeDep recorded an identical 4.3 MB dropper landing in five icflorescu repositories inside a 49-second window, byte-identical across all five, with the [skip ci] tag preventing automated test runs from firing. The Microsoft durabletask commit carried a different message but the same tag.
The commit contained six files. Five are triggers; the sixth is the payload. Each trigger hooks into the auto-run mechanism of a different developer tool:
- .claude/setup.mjs for Claude Code, wired as a SessionStart hook that fires when the AI agent opens a new session
- .cursor/rules/setup.mdc for Cursor, loaded automatically when the project opens
- .gemini/settings.json for Gemini CLI, injecting settings at initialization
- .vscode/tasks.json for Visual Studio Code, executing the payload as a workspace task
- A poisoned entry in the npm test script, for developers running tests from the command line
A developer who clones an affected repository and opens it in any of those tools runs the payload without knowing it. Per SafeDep’s analysis, earlier wave variants targeted Claude Code and VS Code; the Miasma rebuild added Gemini CLI and Cursor as the attack surface expanded alongside AI coding tool adoption.
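The commit traits described in this section and in the durabletask incident above (a [skip ci] subject, a bot-style author, a timestamp backdated by years, and files landing under the agent and IDE hook paths) can be checked mechanically from git history. The script below is an added example written for this article; it is not SafeDep’s, StepSecurity’s, or JFrog’s tooling. It parses `git log` output in a fixed format and flags commits matching those traits. The log text embedded in it is constructed for the example; the 180-day backdating threshold and the hook path list are the author’s choices, not values from the reporting.

```python
"""Triage git history for the commit traits Miasma leaves behind (added example).

On a real checkout, feed suspicious_commits() the output of:
    git log --all --format='%H%x1f%an <%ae>%x1f%at%x1f%ct%x1f%s' --name-only
--all matters: the durabletask commit was parked on a dormant branch.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Auto-run hook paths named in the article; a commit adding any of them needs review.
HOOK_PATHS = frozenset({
    ".claude/setup.mjs", ".claude/settings.json", ".cursor/rules/setup.mdc",
    ".gemini/settings.json", ".vscode/tasks.json", ".github/setup.js",
})
# Author identity the worm's commits carry, per the JFrog indicator list.
WORM_AUTHOR_RE = re.compile(r"github-actions.*noreply@github\.com", re.I)
# Author date older than the committer date by more than this is treated as backdated
# (threshold is an assumption for the example; the real commit was off by six years).
BACKDATE_SECONDS = 180 * 86400


@dataclass
class Commit:
    sha: str
    author: str
    author_ts: int
    commit_ts: int
    subject: str
    files: list[str] = field(default_factory=list)


def parse_log(text: str) -> list[Commit]:
    """Header lines carry 0x1f separators; every other non-blank line is a path
    touched by the most recent header's commit, whatever blank lines git adds."""
    commits: list[Commit] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if "\x1f" in line:
            sha, author, at, ct, subject = line.split("\x1f", 4)
            commits.append(Commit(sha, author, int(at), int(ct), subject))
        elif commits:
            commits[-1].files.append(line.strip())
    return commits


def triage(commit: Commit) -> list[str]:
    """Reasons this commit looks like a worm commit; an empty list means nothing tripped."""
    reasons: list[str] = []
    if "[skip ci]" in commit.subject.lower():
        reasons.append("[skip ci] suppresses the CI run that might have caught the change")
    if WORM_AUTHOR_RE.search(commit.author):
        reasons.append("author is the github-actions noreply identity")
    if commit.commit_ts - commit.author_ts > BACKDATE_SECONDS:
        reasons.append("author date backdated relative to committer date")
    touched = sorted(f for f in commit.files if f in HOOK_PATHS)
    if touched:
        reasons.append("touches auto-run hook files: " + ", ".join(touched))
    return reasons


def suspicious_commits(log_text: str) -> dict[str, list[str]]:
    """sha -> reasons, for every commit that trips at least one check."""
    flagged: dict[str, list[str]] = {}
    for commit in parse_log(log_text):
        reasons = triage(commit)
        if reasons:
            flagged[commit.sha] = reasons
    return flagged


# Constructed sample log: an ordinary commit, a backdated commit pushed with a real
# contributor's stolen token (author date 2020-03-01, committer date 2026-06-05),
# and a commit under the worm's bot identity.
_SEP = "\x1f"
SAMPLE_LOG = "\n".join([
    _SEP.join(["1111aaa", "Jane Dev <jane@example.com>", "1780600000", "1780600000",
               "Fix retry backoff"]),
    "src/retry.ts",
    "",
    _SEP.join(["2222bbb", "Jane Dev <jane@example.com>", "1583020800", "1780617600",
               "Switched DataConverter to OrchestrationContext [skip ci]"]),
    ".claude/setup.mjs", ".vscode/tasks.json", "package.json",
    "",
    _SEP.join(["3333ccc", "github-actions <noreply@github.com>", "1780700000", "1780700000",
               "chore: update dependencies [skip ci]"]),
    ".cursor/rules/setup.mdc", ".gemini/settings.json",
])

if __name__ == "__main__":
    for sha, reasons in suspicious_commits(SAMPLE_LOG).items():
        print(sha)
        for reason in reasons:
            print("   -", reason)
```

The backdating check is the one a commit-message filter misses: the stolen-token commit in the sample has a real contributor as author and a plausible subject, and only the gap between author date and committer date gives it away. Run the triage against every branch, not just the default one.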
Credentials and Propagation
The payload runs under Bun, a fast JavaScript runtime downloaded dynamically during execution, which launches a multi-cloud credential harvester. It sweeps for AWS IAM keys, Azure CLI authentication caches, GCP service account tokens, Kubernetes secrets, SSH keys, GitHub PATs, HashiCorp Vault tokens, and npm access tokens.
Stolen credentials leave the machine as encrypted JSON files committed to attacker-controlled public GitHub repositories. StepSecurity’s forensic breakdown of the Phantom Gyp technique traced the primary exfiltration account to “liuende501,” which held 236 dead-drop repositories at peak. A second account, “windy629,” added more than 200 repositories. Both carry the description “Miasma, The Spreading Blight.”
Using whatever write access the stolen GitHub tokens carry, the worm commits itself into every additional repository the victim can write to, spreading without further operator input. A dead-man’s switch runs alongside the stealer: a token monitor that, if it detects a GitHub PAT being revoked, triggers a wiper routine deleting the home directory on Linux and macOS. The attacker structured this as a deterrent against credential rotation rather than a final destructive move.
Nine Months of Escalation
The June attack is the fourth documented generation of a worm TeamPCP first released in September 2025 as the first self-replicating malware observed in the npm (node package manager, the largest JavaScript software registry) ecosystem.
| Wave | Dates | Primary Target | Key Capability Added |
|---|---|---|---|
| Original Shai-Hulud | September 2025 | npm packages | First self-replicating maintainer token theft in npm |
| Shai-Hulud variants (Sha1-Hulud, SANDWORM_MODE) | Late 2025 to April 2026 | npm, CI/CD runners | Adaptive CI/CD pipeline enumeration; cross-runner persistence |
| Mini Shai-Hulud | May 10-12, 2026 | TanStack, Mistral AI, UiPath (170+ packages) | SLSA Level 3 provenance forgery; OIDC token extraction from runner memory |
| Miasma | June 1-5, 2026 | Red Hat npm (32 packages); Microsoft Azure (73 repos) | AI coding agent persistence hooks; direct source-repo injection |
Per Tenable’s published FAQ for CVE-2026-45321, each generation directly addressed the takedown techniques applied to its predecessor. Mini Shai-Hulud achieved a concrete first: producing malicious packages with valid SLSA Build Level 3 provenance attestations, the highest build level defined in the current SLSA (Supply-chain Levels for Software Artifacts) specification. Endor Labs, in its analysis, noted that the attestation “proves where the package was built. It does not prove the build was authorized.” The worm entered the pipeline before the attestation was generated, so the signature was genuine and the payload was malicious: provenance binds an artifact to a builder and a source commit, and says nothing about whether that commit was ever reviewed.
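To make the distinction concrete, the following added example (written for this article, not Endor Labs’, Tenable’s, or any registry’s code) evaluates a provenance statement in the in-toto/SLSA v1 layout twice: once with the check a registry performs (trusted builder, expected source repository) and once with the gate the page argues is missing (the built commit itself must have a review record on a protected ref). The statement, the acme/widget repository, and the reviewed-commit allow-list are constructed; the builder id and buildType strings are the ones GitHub-hosted Actions runners emit, treated here as an assumption to confirm against current docs. Signature verification of the Sigstore bundle is assumed to have already succeeded, which is exactly where registries stop.

```python
"""Provenance proves the builder, not the authorization (added example)."""
from __future__ import annotations

TRUSTED_BUILDERS = {"https://github.com/actions/runner/github-hosted"}
EXPECTED_REPO = "https://github.com/acme/widget"   # constructed project for the example
PROTECTED_REFS = {"refs/heads/main"}
# Commits with a review/merge record (constructed). A real gate would query the
# forge's pull-request records or a signed review log rather than a literal set.
REVIEWED_COMMITS = {"0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3"}


def make_statement(version: str, commit: str, ref: str = "refs/heads/main") -> dict:
    """Build a statement the way the project's release workflow would (constructed)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": f"pkg:npm/%40acme/widget@{version}",
                     "digest": {"sha512": "0" * 128}}],   # placeholder digest
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
                "externalParameters": {"workflow": {
                    "ref": ref, "repository": EXPECTED_REPO,
                    "path": ".github/workflows/release.yml"}},
                "resolvedDependencies": [
                    {"uri": f"git+{EXPECTED_REPO}@{ref}", "digest": {"gitCommit": commit}}],
            },
            "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
        },
    }


def verify_builder(stmt: dict) -> list[str]:
    """The registry's check: a real build, by a trusted builder, of the right repository."""
    problems: list[str] = []
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append("not a SLSA v1 provenance predicate")
    pred = stmt.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        problems.append(f"untrusted builder {builder!r}")
    workflow = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if workflow.get("repository") != EXPECTED_REPO:
        problems.append(f"built from unexpected repository {workflow.get('repository')!r}")
    return problems


def source_commit(stmt: dict) -> tuple[str | None, str | None]:
    """(commit, ref) the build resolved its source from; the commit is what a review gate needs."""
    pred = stmt.get("predicate", {})
    build = pred.get("buildDefinition", {})
    ref = build.get("externalParameters", {}).get("workflow", {}).get("ref")
    for dep in build.get("resolvedDependencies", []):
        if dep.get("uri", "").startswith("git+"):
            return dep.get("digest", {}).get("gitCommit"), ref
    return None, ref


def authorize_source(stmt: dict) -> list[str]:
    """The gate provenance does not supply: was the built commit itself authorized?"""
    problems: list[str] = []
    commit, ref = source_commit(stmt)
    if ref not in PROTECTED_REFS:
        problems.append(f"built from unprotected ref {ref!r}")
    if commit not in REVIEWED_COMMITS:
        problems.append(f"commit {commit!r} has no review/merge record")
    return problems


def evaluate(stmt: dict) -> dict:
    builder_problems = verify_builder(stmt)
    source_problems = authorize_source(stmt)
    return {"builder_ok": not builder_problems, "authorized": not source_problems,
            "problems": builder_problems + source_problems}


if __name__ == "__main__":
    print("reviewed release:", evaluate(make_statement("1.4.0", next(iter(REVIEWED_COMMITS)))))
    print("worm build:      ", evaluate(make_statement("1.4.1", "ffff" * 10)))
```

The worm build in the example is built by the trusted builder from the expected repository on the protected branch, so `verify_builder` is clean; only `authorize_source` notices that the commit it was built from has no review record. That second check needs data the provenance does not carry, which is the whole point of the Endor Labs observation.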
The credential trail behind the June 1 attack on @redhat-cloud-services npm packages was visible well before the attack shipped. Dark web monitoring firm Whiteintel found the affected employee’s GitHub credential and session cookie in infostealer logs on April 13 and again on May 15, 49 days and 17 days before the attack, respectively. That session cookie alone, which would bypass multi-factor authentication entirely, sat in those logs for seven weeks.
An Offense Framework, Open-Sourced
On May 12, the day after the TanStack wave, TeamPCP pushed the worm’s complete source code to a GitHub repository under an MIT license. The commit message: “Shai-Hulud: Open Sourcing The Carnage.” GitHub removed the repository within hours; the code had been forked before the takedown. Simultaneously, the group posted a cash prize on BreachForums for the largest supply chain attack carried out using the released code, alongside guidance encouraging modification of command-and-control infrastructure.
TeamPCP operates under the aliases Replicating Marauder, TGR-CRI-1135, and UNC6780 across different threat-intelligence tracking systems. Tenable’s CVE-2026-45321 FAQ notes that attribution now carries diminished operational value: because the source is public and the contest encouraged customizing infrastructure, a copycat campaign can be deliberately built to mimic TeamPCP’s fingerprints. OX Security detected several copycat packages deploying Shai-Hulud code with modified infrastructure within weeks of the open-sourcing.
- 170+ npm and PyPI packages compromised in the Mini Shai-Hulud wave
- 400+ malicious versions published in five hours during the TanStack campaign
- $1,000 prize posted on BreachForums for the largest copycat attack using the released code
- 4 copycat packages from separate actors detected in May 2026, per OX Security
Datadog, in its analysis of the open-sourcing, wrote that it “lowers the barrier for other actors to adopt TeamPCP’s playbook including the more sophisticated techniques like OIDC token abuse, provenance forgery, and AI tool persistence hooks.”
GitHub as Command-and-Control
Every credential Miasma steals arrives as an encrypted JSON file committed to a public GitHub repository with a valid OAuth token. From the platform’s perspective, those writes look like any other authenticated push.
“It exploits the trust model those platforms are built on: the assumption that if a package is signed with a valid key and published by an authenticated maintainer, it is safe. Shai-Hulud compromises the key and the maintainer, then proceeds to act exactly as a legitimate publisher would. From the registry’s perspective, every malicious publish event is indistinguishable from a routine update.”
That was security firm FalconFeeds.io’s assessment of the Shai-Hulud campaign. The worm uses compromised credentials to do exactly what authenticated publishers do. No registry rule is broken in the process.
Researchers Moshe Siman Tov Bustan and Nir Zadok, analyzing the icflorescu wave, found the dead-drop infrastructure goes beyond passive storage. The attacker can update the worm’s behavior by committing new versions to the GitHub repositories used as dead-drops, pushing configuration changes to all live infections without returning to individual victims. Their conclusion: GitHub functions in this campaign as an adaptive command-and-control server piggybacking on a platform most enterprise security tools whitelist entirely.
GitHub’s automated systems pulled all 73 repositories in 105 seconds. That response speed reflects a posture the platform has applied consistently to repository-level security threats; earlier this year it cleared accounts distributing weaponized Windows zero-day exploit code within hours of identification. GitHub has not published the technical basis for its detection in this incident.
Cleaning Up After Miasma
The blast radius starts with any developer who cloned open-source Node.js or TypeScript repositories between June 1 and June 7. The icflorescu/mantine-datatable repository alone carries 1,225 GitHub stars, a rough proxy for how many developers have the source checked out locally. No cloned project from that window should be opened in an IDE or AI coding agent before checking for persistence files.
The files to look for in the repository root:
- .claude/setup.mjs and .claude/settings.json (Claude Code SessionStart hook and settings injection)
- .cursor/rules/setup.mdc (Cursor rules file, loaded on project open)
- .gemini/settings.json (Gemini CLI settings injection)
- .vscode/tasks.json and .github/setup.js (VS Code task hook and general payload launcher)
- Any installed version of durabletask 1.4.1 through 1.4.3, or @redhat-cloud-services/* packages installed since June 1
Per JFrog’s remediation guidance for the Shai-Hulud family, persistence files must be removed before credentials are rotated. The token monitor fires on revocation, so clearing the persistence files, and stopping the gh-token-monitor service the stealer installs, before any token is revoked is what keeps the wiper from running. After clearing those files, rotate GitHub PATs, npm access tokens, cloud credentials for AWS, GCP, and Azure, SSH keys, Kubernetes service account tokens, and any CI/CD secrets in affected environments, then audit every repository those GitHub tokens could write to for commits the worm may have pushed.
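The check that precedes the cleanup, covering both the trigger files listed in the Trigger Surface section and the indicator list here, can be scripted. The following is an added example written for this article, not JFrog’s, SafeDep’s, or GitHub’s tooling. It reports each hook file by path and, for the two JSON layouts the author knows (the hooks block in Claude Code’s settings.json and tasks with `runOptions.runOn: "folderOpen"` in VS Code’s tasks.json; both layouts are assumptions to confirm against current tool docs), extracts the command the hook would run so a reviewer sees what executes before deleting it. It also looks for a gh-token-monitor unit at the user-service locations systemd and launchd use (assumed paths). The repository and home directory that `demo()` writes are constructed, and the hook commands in them are placeholders, not the real payload.

```python
"""Locate Miasma persistence artifacts in a clone and the token monitor (added example)."""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# Path -> why it matters, from the article's indicator list.
HOOK_FILES = {
    ".claude/setup.mjs": "Claude Code SessionStart hook script",
    ".claude/settings.json": "Claude Code settings (hook wiring)",
    ".cursor/rules/setup.mdc": "Cursor rules, loaded on project open",
    ".gemini/settings.json": "Gemini CLI settings injection",
    ".vscode/tasks.json": "VS Code task hook",
    ".github/setup.js": "general payload launcher",
}
# Launchers the JFrog list says get dropped in the project root.
LAUNCHERS = ("setup.mjs", "router_runtime.js")


def _json(path: Path):
    """Parsed JSON, or None; a file that exists but will not parse is still reported by presence."""
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None


def claude_session_start_commands(settings: dict) -> list[str]:
    """Commands wired to SessionStart (assumed hooks layout: event -> [{hooks: [{type, command}]}])."""
    return [hook["command"]
            for group in settings.get("hooks", {}).get("SessionStart", [])
            for hook in group.get("hooks", [])
            if hook.get("type") == "command" and hook.get("command")]


def vscode_folder_open_tasks(tasks: dict) -> list[str]:
    """Tasks VS Code runs automatically when the folder opens."""
    return [f"{t.get('label', '?')} -> {t.get('command', '')}"
            for t in tasks.get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]


def scan_repo(root: Path) -> list[str]:
    findings: list[str] = []
    for rel, why in HOOK_FILES.items():
        path = root / rel
        if not path.exists():
            continue
        findings.append(f"{rel}: present ({why})")
        data = _json(path) if path.suffix == ".json" else None
        if rel == ".claude/settings.json" and isinstance(data, dict):
            findings += [f"{rel}: SessionStart runs `{c}`" for c in claude_session_start_commands(data)]
        if rel == ".vscode/tasks.json" and isinstance(data, dict):
            findings += [f"{rel}: runs on folder open: {t}" for t in vscode_folder_open_tasks(data)]
    for name in LAUNCHERS:
        if (root / name).exists():
            findings.append(f"{name}: dropped launcher in project root")
    pkg = _json(root / "package.json")
    if isinstance(pkg, dict):
        test = str(pkg.get("scripts", {}).get("test", ""))
        if any(marker in test for marker in (*LAUNCHERS, ".github/setup.js")):
            findings.append(f"package.json: test script invokes a launcher: `{test}`")
    return findings


def token_monitor_services(home: Path) -> list[str]:
    """Candidate gh-token-monitor units: systemd user units (Linux) and LaunchAgents (macOS)."""
    hits: list[str] = []
    for unit_dir in (home / ".config/systemd/user", home / "Library/LaunchAgents"):
        if unit_dir.is_dir():
            hits += [str(p) for p in unit_dir.iterdir() if "gh-token-monitor" in p.name]
    return hits


def build_sample(root: Path, home: Path) -> None:
    """Constructed infected checkout plus a home dir with a monitor unit; placeholders only."""
    files = {
        ".claude/settings.json": json.dumps({"hooks": {"SessionStart": [
            {"matcher": "", "hooks": [{"type": "command", "command": "node .claude/setup.mjs"}]}]}}),
        ".claude/setup.mjs": "// placeholder standing in for the dropper\n",
        ".vscode/tasks.json": json.dumps({"version": "2.0.0", "tasks": [
            {"label": "prepare", "type": "shell", "command": "node .github/setup.js",
             "runOptions": {"runOn": "folderOpen"}}]}),
        ".github/setup.js": "// placeholder\n",
        "package.json": json.dumps({"name": "demo", "scripts": {"test": "node .github/setup.js && jest"}}),
        "src/index.ts": "export const ok = true;\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body, encoding="utf-8")
    unit = home / ".config/systemd/user/gh-token-monitor.service"
    unit.parent.mkdir(parents=True, exist_ok=True)
    unit.write_text("[Service]\nExecStart=/bin/true\n", encoding="utf-8")


def demo() -> tuple[list[str], list[str]]:
    """Write the constructed sample into temp dirs, scan, and return (repo findings, monitor units)."""
    with tempfile.TemporaryDirectory() as tmp:
        root, home = Path(tmp) / "repo", Path(tmp) / "home"
        build_sample(root, home)
        return scan_repo(root), token_monitor_services(home)


if __name__ == "__main__":
    findings, units = demo()
    print("\n".join(findings))
    print("token-monitor units:", units)
```

Point `scan_repo` at the clone and `token_monitor_services` at the developer’s home directory before anything else, and read the package.json test script by eye regardless of what the marker check says. Two caveats: VS Code only runs folderOpen tasks in a trusted workspace, so the trust prompt is the moment the task would fire, and a hook file whose JSON does not parse is still reported by presence, since a deliberately malformed file is not a reason to skip it.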
The credential scope Miasma pursues overlaps with other infostealer families targeting Windows developer environments for SSH keys and browser-stored credentials. A stolen GitHub PAT gives the worm write access to every repository the developer maintains, committing the payload into all of them automatically.
Frequently Asked Questions
What Should I Do If I Cloned One of the 73 Disabled Microsoft Azure Repositories?
Don’t open the project in any IDE or AI coding agent until you’ve checked for persistence files. Look for .claude/setup.mjs, .claude/settings.json, .cursor/rules/setup.mdc, .gemini/settings.json, and .vscode/tasks.json in the repository root. Remove any that don’t belong before opening the project. Per JFrog’s remediation guidance for the Shai-Hulud worm family, clear persistence artifacts first, then rotate credentials in this order: GitHub PATs, npm access tokens, cloud credentials (AWS, GCP, Azure), Kubernetes service account tokens, SSH keys, and any CI/CD secrets the environment holds.
Does SLSA Provenance Attestation Protect Against Miasma?
No, not on its own. The May 2026 Mini Shai-Hulud wave targeting TanStack, Mistral AI, and UiPath packages achieved a documented first: producing malicious packages that carried valid SLSA Build Level 3 provenance attestations, the highest build level defined in the current Supply-chain Levels for Software Artifacts (SLSA) specification. Endor Labs noted that the attestation proves where a package was built, not that the build was authorized. The worm entered the CI/CD pipeline before attestation ran, so the signature was legitimate while the payload inside was malicious. Provenance still rules out packages built outside the project’s own pipeline and records the exact commit each version was built from, which is the input a review-based gate needs; it just does not perform that gate itself.
Is the Worm Still Active as of June 2026?
Yes. As of June 7, more than 80 public repositories on GitHub carry Miasma’s naming patterns, per OpenSourceMalware’s tracking. TeamPCP posted the worm’s source code on GitHub in May, and OX Security has confirmed at least four copycat packages from separate actors already in circulation. The worm evolves without requiring TeamPCP’s direct involvement; any actor can download the code, modify the command-and-control infrastructure, and run a variant.
Which Files Indicate a Miasma Infection?
JFrog’s remediation list for the Shai-Hulud family covers the key persistence artifacts: .claude/setup.mjs and .claude/settings.json, .vscode/tasks.json, .cursor/rules/setup.mdc, and dropped setup.mjs or router_runtime.js files in the project root. On macOS, look for a LaunchAgent named gh-token-monitor; on Linux, a systemd service of the same name. Commits from the worm are typically authored as github-actions noreply@github.com with the message “chore: update dependencies [skip ci].”
How Did GitHub Disable 73 Repositories in 105 Seconds?
GitHub has not published a technical explanation for its detection method in this incident. Per OpenSourceMalware’s reporting, every affected repository went offline within the same window on June 5, suggesting automated signature or hash matching against the worm’s known payload rather than manual review. The speed also implies GitHub’s systems had already fingerprinted the Miasma payload from earlier detections, since the Microsoft incident came four days after the June 1 Red Hat npm takedown.
TeamPCP posted the worm’s source code on May 12; every confirmed attack since then, from the group itself or from copycat actors running the public code, uses tooling any developer can now download and modify.
