Self-replicating Miasma worm targets 73 repositories on Microsoft GitHub in a supply chain attack.
**TL;DR** The Miasma worm has infected 73 GitHub repositories owned by Microsoft, including those under the Azure and Microsoft organizations, inserting payloads that activate in AI coding tools like Claude Code and Cursor.
The self-replicating Miasma worm has breached Microsoft's GitHub repositories, prompting GitHub to disable 73 repositories from four Microsoft organizations, including Azure and Microsoft Docs, due to the worm's malicious code that steals developer credentials. This incident marks a significant escalation in an ongoing supply chain attack campaign that has been affecting the open-source community for several weeks.
The attack utilized previously compromised credentials. Last month, the threat group TeamPCP infected the “durabletask” PyPI package within Microsoft’s Azure organization to deploy an information-stealing tool. Security researcher Paul McCarty noted that this same repository is central to this month's incident. “When the repo at the root of last month’s compromise becomes the focal point of this month’s takedown, it’s not coincidence; it’s the same wound reopening,” McCarty stated. “The holders of those credentials from May likely never fully lost access.”
The danger of this campaign lies in how the payload activates. The attacker introduced a 4.3 MB payload runner designed to execute automatically across five developer tools: Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script. A developer only has to clone an affected repository and open it in an AI coding tool for the malware to execute.
Once activated, the worm collects credentials for AWS, Azure, GCP, Kubernetes, npm, and GitHub. It then leverages those stolen tokens to commit itself to any repository the victim can access, allowing it to spread autonomously throughout the ecosystem.
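As an added example (not from the article or from any vendor), here is a read-only audit of a fresh clone that lists command-bearing settings on the auto-run surfaces named above before the project is opened in any tool. The directory names `.claude`, `.gemini`, `.cursor` and `.vscode`, the `command` and `runOn` keys, and the 1 MB size threshold are assumptions; the article does not say which files Miasma wrote.

```python
import json
from pathlib import Path

# Assumption: project-level config directories for the tools the article names.
# The article does not say which files the worm wrote.
TOOL_DIRS = (".claude", ".gemini", ".cursor", ".vscode")
LARGE_BYTES = 1_000_000  # constructed threshold; the article cites a 4.3 MB runner

def _commands(node, trail=""):
    """Yield (json_path, value) for each command-bearing string in parsed JSON."""
    if isinstance(node, dict):
        for key, val in node.items():
            here = f"{trail}.{key}" if trail else key
            if key in ("command", "runOn") and isinstance(val, str):
                yield here, val
            else:
                yield from _commands(val, here)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _commands(val, f"{trail}[{i}]")

def _load(path):
    """Parse JSON without executing anything; None means 'review by hand'."""
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None  # e.g. JSON with comments, which some editors accept

def audit_clone(repo):
    """Return (file, location, value) findings for a cloned repository."""
    repo, findings = Path(repo), []
    files = [f for d in TOOL_DIRS if (repo / d).is_dir()
             for f in sorted((repo / d).rglob("*")) if f.is_file()]
    for f in files:
        rel = f.relative_to(repo).as_posix()
        if f.stat().st_size >= LARGE_BYTES:
            findings.append((rel, "large file", str(f.stat().st_size)))
        if f.suffix == ".json":
            doc = _load(f)
            if doc is None:
                findings.append((rel, "unparseable", ""))
            findings += [(rel, loc, val) for loc, val in _commands(doc)]
    pkg = repo / "package.json"
    doc = _load(pkg) if pkg.is_file() else {}
    scripts = doc.get("scripts") if isinstance(doc, dict) else None
    if isinstance(scripts, dict) and scripts.get("test"):
        findings.append(("package.json", "scripts.test", str(scripts["test"])))
    return findings
```

Each finding is a prompt for manual review of that file, not a verdict; an empty list only means none of the assumed locations carried a command.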
Among the disabled repositories are key Azure infrastructure projects, including azure-search-openai-demo, durabletask and its .NET, Go, JS, and MSSQL variations, functions-container-action, llm-fine-tuning, and windows-driver-docs. OpenSourceMalware reported that GitHub managed to contain the attack within 105 seconds, but the extent of affected downstream users is still uncertain.
Miasma is a variant of the Mini Shai-Hulud worm that TeamPCP publicly released in mid-May 2026. The original Shai-Hulud emerged in September 2025 as the first self-replicating malware observed in the npm ecosystem. It has since evolved across npm and PyPI, previously compromising 32 Red Hat packages and affecting TanStack, Mistral AI, and UiPath packages.
The worm has also started to bypass the npm registry altogether. SafeDep discovered it pushing malicious code directly to source repositories, including “icflorescu/mantine-datatable” and four related projects. Currently, over 80 public repositories on GitHub bear the naming pattern associated with the Miasma campaign.
The core issue isn’t a vulnerability within npm or GitHub. “It exploits the trust model that these platforms are built upon,” stated the security firm FalconFeeds.io in its assessment. “The assumption that a package signed with a valid key and published by an authenticated maintainer is safe is flawed.” The worm compromises both the key and the maintainer, then mimics a legitimate publisher. From the registry’s viewpoint, every malicious publish event appears to be a standard update.
The targeting of AI coding agents represents a concerning evolution. Developers increasingly depend on tools like Claude Code and Cursor to interact with unfamiliar repositories. A worm that activates when an AI agent opens a project takes advantage of a new behavioral pattern that did not exist a year ago, representing supply chain malware designed for the era of AI-assisted development.
