
The Miasma worm infected more than 70 Microsoft open-source repositories on GitHub within two minutes on June 6. GitHub’s automated defense system shut down the 73 infected repositories within 105 seconds of the malicious code being committed. The affected repositories mainly cover the Azure Functions host process and the open-source versions of the Durable Task orchestration framework across multiple languages.
Attack chain: confirmed technical mechanism and affected scope
Based on confirmed reporting by StepSecurity researchers and BankInfoSecurity, the technical path of this attack is as follows: the attacker used previously compromised contributor account credentials, modified shared configuration files that are inherited across multiple repositories, and thereby spread the malicious code to dozens of repositories within seconds. The malicious payload targets the automation features of modern development workflows: it executes when an AI coding assistant (Claude Code, Cursor, Gemini CLI) parses the configuration files.
Once running, the worm steals cloud credentials, authentication tokens, and developer secrets, and then uses those credentials to find the next repository in the GitHub ecosystem that it can compromise. StepSecurity also noted that this incident may be related to the prior compromise of the DurableTask Python Azure task scheduler, but the exact path used to gain access to the affected repositories is still under investigation.
Confirmed link to the GitHub breach in May
Based on analysis by security researchers, this attack is directly linked to the GitHub internal code theft carried out by TeamPCP in May 2026: TeamPCP published a malware-laden VS Code extension in Microsoft’s extension marketplace, and a GitHub employee downloaded it during the 11-minute window in which it was published, resulting in stolen credentials and keys. The attacker then used the stolen credentials to exfiltrate about 3,800 internal repositories from GitHub; afterward, TeamPCP publicly released the Mini Shai-Hulud self-replicating worm framework.
The Miasma worm that compromised 70+ Microsoft open-source repositories is an upgraded variant of Mini Shai-Hulud. This is also the second time in a few weeks that Microsoft’s Durable Task open-source project has been compromised: at the end of May 2026, a malicious Python dependency package was planted in it.
FAQ
How can developers determine whether their environment is affected by this Miasma attack?
According to security researchers’ recommendations, the following steps should be taken: check whether you have ever cloned or pulled any of the affected Azure Functions or Durable Task repositories; audit local development environments for suspicious configuration file changes; rotate any potentially exposed AWS, GCP, and Azure cloud credentials, SSH keys, npm/PyPI tokens, and Kubernetes keys; and verify the integrity of your local repositories. After GitHub completed an initial investigation and the malicious code was removed from the Microsoft repositories, the 73 affected repositories were gradually restored.
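As an added example (not code from the reporting or from any of the projects involved), the following Python helper implements the first two steps above for a local clone: it reads the clone’s remotes, flags those that point at the affected repository families, and lists assistant configuration files that differ from the last commit. The repository patterns and the assistant config paths are assumptions, since the reporting names neither; replace them with the published list for the incident.

```python
import re
import subprocess
from pathlib import Path
# Assumed repository families (the reporting names the Azure Functions host and
# the Durable Task framework, not exact repositories): replace with the list
# GitHub and Microsoft publish for the incident.
AFFECTED_REPO_PATTERNS = [
    r"github\.com[:/]azure/azure-functions-host(\.git)?$",
    r"github\.com[:/](azure|microsoft)/durabletask[\w-]*(\.git)?$",
]

# Assumed paths that Claude Code, Cursor and Gemini CLI read when a project is
# opened; an unexpected change to any of these is what to audit first.
ASSISTANT_CONFIG_PATHS = ("CLAUDE.md", ".claude", ".cursorrules", ".cursor",
                          "GEMINI.md", ".gemini")

def remote_urls(git_config_text):
    """Return every url under a [remote "..."] section of a .git/config file."""
    urls, in_remote = [], False
    for line in git_config_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_remote = line.startswith("[remote ")
        elif in_remote and line.startswith("url"):
            urls.append(line.split("=", 1)[1].strip())
    return urls

def is_affected_remote(url):
    """True when the remote points at one of the affected repository families."""
    return any(re.search(p, url, re.IGNORECASE) for p in AFFECTED_REPO_PATTERNS)

def changed_assistant_configs(porcelain):
    """Assistant config paths that `git status --porcelain` reports as changed."""
    hits = []
    for line in porcelain.splitlines():
        # Porcelain format: two status characters, a space, then the path
        # (renames read "old -> new", so keep the new name).
        path = line[3:].split(" -> ")[-1].strip('"')
        if any(path == p or path.startswith(p + "/") for p in ASSISTANT_CONFIG_PATHS):
            hits.append(path)
    return hits

def audit_clone(repo_dir):
    """Audit one local clone; returns None when it is not an affected repository."""
    repo = Path(repo_dir)
    urls = remote_urls((repo / ".git" / "config").read_text(errors="replace"))
    if not any(is_affected_remote(u) for u in urls):
        return None
    status = subprocess.run(["git", "-C", str(repo), "status", "--porcelain"],
                            capture_output=True, text=True, check=True).stdout
    return {"remotes": urls, "suspicious": changed_assistant_configs(status)}
```

Any path returned under "suspicious" should be diffed against the upstream commit before an assistant is allowed to open the project again.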
Why would AI coding assistants (Claude Code, Cursor, Gemini CLI) become the attack medium for Miasma?
The Miasma worm’s design specifically targets AI coding workflows. The attacker plants malicious payloads in repository configuration files, and AI assistants typically parse these files automatically when they help a developer open or analyze a project. Without sufficient isolation, that parsing step can trigger execution of the malicious code, turning the AI assistant into an unwitting executor of the payload.
How did GitHub’s automated defense mechanism shut down 73 repositories within 105 seconds?
According to StepSecurity researchers, GitHub’s automated defense system recognized the attack pattern and shut down the affected repositories within 105 seconds of the malicious commit. As of the time of reporting, GitHub had not publicly disclosed the technical details of the automated defense system, what triggered it, or whether downstream organizations had already been affected before the shutdown.