On June 8, 2026, a self-replicating worm named Miasma infiltrated Microsoft’s GitHub repositories, leading to the abrupt disabling of 73 repositories within a span of 105 seconds. This rapid action affected critical repositories across Microsoft’s Azure, Azure-Samples, microsoft, and MicrosoftDocs organizations, disrupting services relied upon by millions of developers.
Miasma, also known as “The Spring Blight,” propagates by compromising supply-chain packages, stealing developer credentials, and embedding itself into new projects. The attack’s entry point was identified as the ‘durabletask’ package on PyPI, central to Microsoft’s Durable Task framework used across various programming languages. Malicious versions 1.5.1, 1.5.2, and 1.5.3 were uploaded to PyPI within a 38-minute window, accumulating approximately 31,000 downloads before detection.
These compromised versions contained preinstall hooks that executed a loader, facilitating the worm’s spread. Once inside a developer’s environment, Miasma harvested GitHub Actions secrets and transmitted them to an external service named TempGPT. Notably, the worm targeted Azure OpenID Connect (OIDC) authentication hashes and managed-identity tokens, granting attackers persistent access to cloud infrastructure.
The attack’s impact was immediate and widespread. For instance, the disabling of the ‘Azure/functions-action’ repository caused continuous integration and deployment pipelines referencing ‘Azure/functions-action@v1’ to fail instantly. Microsoft’s initial response labeled the incident as an “internal management issue,” but this was revised shortly after as the full scope of the intrusion became evident.
Analysts at OpenSource Malware connected this incident to a broader campaign involving the Shai-Hulud toolkit, previously known for targeting AWS and GitHub environments. In this instance, the attackers expanded their focus to Azure credentials, demonstrating a significant escalation in their tactics.
This incident underscores the critical importance of securing supply chains and the potential vulnerabilities within widely-used development platforms. Developers and organizations must remain vigilant, ensuring that dependencies are sourced from trusted origins and regularly audited for integrity. The rapid propagation of Miasma highlights the need for robust monitoring and swift response mechanisms to mitigate such sophisticated threats.
Source: CyberSecurityNews
