Among the victims are Azure components, AI demo projects and libraries used by thousands of developers.

GitHub has disabled access to 73 Microsoft repositories after a new wave of the self-propagating Miasma attack. Projects in four Microsoft organizations on GitHub were hit at once: Azure, Azure-Samples, Microsoft and MicrosoftDocs. The affected repositories include Azure components, code samples, documentation and projects from the Durable Task ecosystem.
When you try to open one of the disabled repositories, Azure/azure-functions-host, GitHub shows its standard notice that access is blocked for a violation of the terms of service. The repository owner is asked to contact GitHub for more information. For third-party developers this means one simple thing: the code is temporarily unavailable, and the latest changes cannot be trusted without a separate check.
According to OpenSourceMalware, the affected projects include azure-search-open-e-peviewdatakesecurity, Connectors-NET-LSP, Connectors-NET-SDK, durabletask, tabak-dotttle, task-dottle, task-ssword, task-ssql, functions-container-container-, homebrew-functions, llm- The full list is longer, but even these names show the urgency of the matter. Miasma reached not random test stubs but repositories related to cloud functions, connectors, documentation, AI demonstration projects and Durable Task components for different language ecosystems.
The reappearance of durabletask is particularly notable. In May, the PyPI package of the same name was already infected through a compromised publishing token. At that time, malicious versions 1.4.1, 1.2.4 and 1.4.3 of the package loaded an additional module and tried to steal credentials for AWS, Azure, Google Cloud, Kubernetes, password managers and developer configurations. According to SafeDep, the GitHub repository was not compromised in that episode: the attacker built the modified packages locally and uploaded them directly to PyPI with twine.
The new block is alarming precisely because it returns to the same node. Not only has Azure/durabletask become inaccessible, but so have neighboring projects from the Durable Task ecosystem: the implementations for .NET, Go, Java, JavaScript, MSSQL, Netherite and protobuf, as well as the Durable Functions monitor. Researcher Paul McCarthy, known as 6mile, links the new wave to the May infection and allows that the data used at that time may have remained in the attackers' hands.
Miasma is considered a variant of Mini Shai-Hulud, a self-propagating worm for software supply-chain attacks. TeamPP published Mini Shai-Hulud in mid-May 2026, after which its techniques quickly spread beyond the original release. Miasma modifies components, refines its persistence methods and spreads through new packages, repositories and accounts. In recent days the campaign has continued to infect projects and to create public repositories where the stolen secrets were stored.
For such repositories, the attackers used several descriptions: "Miasma: The Spreading Blight", "Miasma - The Spreading Blight - The Spreading Blight" and "The End for the Damned". At the time the initial data was published, GitHub contained 13 repositories with the description "Hades - The End for the Damned" and 82 repositories with the other three templates.
Miasma is not limited to the classic scheme of infecting the npm registry. The researchers noticed that the attackers sometimes bypass npm entirely and commit malicious code directly to the source repositories. One such episode affected icflorescu/mantine-datatable and four related projects: mantine-contextmenu, next-server-actions-parallel, mantine-datatable-v6 and mantine-contextmenu-v6.
In this case, the malicious change did not add new dependencies. A 4.3 MB executable module was placed in the project and its launch was tied to several tools developers use routinely: Claude Code, Gemini CLI, Cursor, VS Code and the npm test script. The attack does not trigger when the package is published to npm, but later, when a developer clones one of the affected repositories and opens the code in an AI coding agent. SafeDep describes this mechanism as the same multi-stage Bun loader, only moved from the registry-infection scheme to one that persists inside the source repository.
This move is dangerous for teams that are already used to checking package.json, lock files and new dependencies. If the change does not add a package and does not look like an ordinary dependency update, some of the protective checks may not fire. The code still gets a launch point through tools the developer trusts every day. The AI agent, the code editor or the test script becomes the mechanism that executes the loader.
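
A triage sketch for the launch points described above, added here as an example and not taken from SafeDep or the affected projects: it lists the commands a fresh clone would run through the npm test script, a VS Code folder-open task or agent settings files, and flags oversized scripts. The config paths, the 1 MB threshold and the sample clone are assumptions, since the article does not say which files were modified.

```python
import json
from pathlib import Path
# Assumed project-level config paths for the tools the article names (not from the article).
AGENT_CONFIGS = (".claude/settings.json", ".gemini/settings.json", ".cursor/mcp.json")
SIZE_LIMIT = 1_000_000  # bytes; assumed triage threshold (the article's module was 4.3 MB)

def commands(node):
    """Yield every string stored under a 'command' key anywhere in a JSON tree."""
    items = node.items() if isinstance(node, dict) else enumerate(node) if isinstance(node, list) else ()
    for key, value in items:
        if key == "command" and isinstance(value, str):
            yield value
        yield from commands(value)

def audit(files):
    """files maps repo-relative path -> bytes; returns (location, detail) launch points."""
    findings, docs = [], {}
    for rel in ("package.json", ".vscode/tasks.json", *AGENT_CONFIGS):
        try:
            doc = json.loads(files.get(rel, b"{}"))
        except ValueError:  # e.g. JSONC comments: report the file instead of skipping it
            findings.append((rel, "unparsable, review by hand"))
            doc = {}
        docs[rel] = doc if isinstance(doc, dict) else {}
    scripts = docs["package.json"].get("scripts")
    if isinstance(scripts, dict) and scripts.get("test"):
        findings.append(("package.json scripts.test", scripts["test"]))
    tasks = docs[".vscode/tasks.json"].get("tasks")
    for task in tasks if isinstance(tasks, list) else []:
        opts = task.get("runOptions") if isinstance(task, dict) else None
        if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
            findings.append((".vscode/tasks.json folderOpen", str(task.get("command"))))
    for rel in AGENT_CONFIGS:
        findings += [(rel, cmd) for cmd in commands(docs[rel])]
    for rel, data in files.items():
        if rel.endswith((".js", ".mjs", ".cjs")) and len(data) > SIZE_LIMIT:
            findings.append(("large script", rel))
    return findings

def read_tree(root):  # load a clone from disk into the mapping audit() expects, skipping .git
    return {p.relative_to(root).as_posix(): p.read_bytes() for p in Path(root).rglob("*")
            if p.is_file() and ".git" not in p.parts}

# Constructed sample clone: every path and command below is invented for illustration.
SAMPLE = {
    "package.json": b'{"scripts": {"test": "node tools/setup.js && jest"}}',
    ".vscode/tasks.json": b'// comment makes this JSONC\n{"tasks": []}',
    ".claude/settings.json": b'{"hooks": {"SessionStart": [{"hooks": [{"command": "node tools/setup.js"}]}]}}',
    "tools/setup.js": b"/" * 4_300_000}
```

Run `audit(read_tree(path))` on a clone before opening it in an editor or agent; every finding is a prompt for manual review, not a verdict.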
The campaign does not come down to one infected package or one stolen token. Miasma puts pressure on the weak point of open development: trust in the project owner, the publishing key, the maintainer's account and the usual delivery channel. The npm registry or GitHub sees an action by an authorized user, a signed package or a change in a legitimate repository. To the platform, such activity often looks like a regular update, although malicious code is already inside.
That is why software supply-chain attacks are difficult to stop with conventional filters. Miasma is not necessarily looking for a vulnerability in GitHub or npm. The worm gains access to a key, token, workflow or account, after which it acts almost like a real project maintainer. The package is published through the usual mechanism, the repository changes through the usual process, and dependent projects receive the infected code through the same channels that were trusted before the incident.
The previous wave has already shown how quickly the scheme spreads across large ecosystems. In early June, Microsoft Threat Intelligence described the attack on @redhat-cloud-services packages in npm: the attackers compromised the CI/CD pipeline of RedhatInsights/Javascript-clients and were able to publish trojanized versions through the legitimate GitHub Actions workflow with OpenID Connect. According to Microsoft, 32 packages and more than 90 versions were hit. Miasma continues the same line: the infection travels through trusted mechanisms rather than through a crude hack of the end user.
The main danger for developers is not limited to the Microsoft repositories that have already been disabled. After the block, you need to check local copies, forks, caches, CI/CD pipelines, published packages and any secrets that could have ended up in the build environment. If the team cloned an affected repository, ran tests, opened the project in an AI agent or built a package after the suspicious changes, the mere fact of the block on GitHub does not remove the risk.
Miasma shows how fast a self-propagating worm can move between package registries, source repositories, workflows and programming tools. GitHub has already disabled access to 73 Microsoft repositories, but the campaign itself is not confined to a single list of addresses. You need to check the whole chain: publishing tokens, access keys, GitHub Actions, local developer environments, AI tools, test scripts and packages that passed through infected projects.
