Ethical Hacking News

Miasma Worm Compromise Highlights Vulnerabilities in Supply Chain Security



In a recent breach, 73 Microsoft GitHub repositories were compromised by the Miasma worm, highlighting vulnerabilities in supply chain security frameworks. The attack used AI coding tools and resulted in the theft of cloud credentials, emphasizing the need for proactive measures to protect against such threats.

  • The Miasma worm compromised 73 Microsoft GitHub repositories, highlighting vulnerabilities in supply chain security frameworks.
  • The attack used AI coding tools and resulted in the theft of cloud credentials from developers and CI/CD systems.
  • The worm is an evolved variant of the Mini Shai-Hulud worm, open-sourced by TeamPCP.
  • The attackers compromised a Red Hat employee's GitHub account to publish malicious package versions to the npm registry.
  • Compromised repositories included core Azure infrastructure; this is Microsoft's second known breach in weeks involving the same malware family.
  • Organizations using Azure or Red Hat environments should treat this campaign as an active security incident and rotate exposed credentials immediately.



The recent compromise of 73 Microsoft GitHub repositories by the Miasma worm has highlighted the vulnerabilities that exist within supply chain security frameworks, specifically those designed to verify the authenticity and provenance of software components. The attack, which was carried out using AI coding tools and resulted in the theft of cloud credentials from developers and CI/CD systems, underscores the need for organizations to take proactive measures to protect themselves against such threats.

According to a report published by Cloudsmith, the Miasma worm is an evolved variant of the Mini Shai-Hulud worm, which was open-sourced by the cybercrime group TeamPCP. The group's naming has shifted from Dune references to Greek mythology, with repo descriptions that read like "Miasma: The Spreading Blight" and "Hades: The End for the Damned." This branding is likely an attempt to intimidate developers into not reporting the breach.

The attack began at Red Hat, where attackers compromised a Red Hat employee's GitHub account and pushed unreviewed orphan commits to internal repositories. They then injected a minimal workflow that requested GitHub's OIDC tokens, which were used to publish 32 malicious package versions to the npm registry. The payload itself adapted to evade detection in two ways: it generated a uniquely encrypted payload for each individual infection, making hash-based indicators of compromise useless; and it went beyond the credential scraping of earlier Mini Shai-Hulud variants by attempting to harvest cloud identities from every CI/CD runner that had touched the infected code.

The compromised repositories included core Azure infrastructure like azure-functions-host and the entire Durable Task family across .NET, Go, Java, JavaScript, MSSQL, and Python. This is Microsoft's second known breach in weeks involving the same family of malware, which raises an uncomfortable question: did they fully clean up the first one, or did the attackers simply wait?

Cloudsmith advises organizations using Azure or Red Hat environments to treat this campaign as a potential active security incident. They recommend that any GitHub tokens, SSH keys, CI/CD signing keys, and cloud credentials that may have been exposed should be rotated immediately. Security teams should also check build systems for suspicious repositories and unexpected processes running through tools such as VS Code or AI coding assistants.

The case highlights that even software packages distributed through trusted public registries can be malicious, despite appearing legitimate and carrying valid provenance information. This is a stark reminder of the importance of monitoring and analyzing software updates closely to prevent such attacks from going undetected.
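As an added example (not code from the article or from Cloudsmith), the following dependency-free Python check supports the build-system review recommended above: it scans the text of a GitHub Actions workflow for the pattern the article describes, a workflow that requests an OIDC id-token and runs a package publish, and flags it more strongly when it never checks out any source. The two sample workflows are constructed for the example.

```python
import re

# Constructed sample workflow files (not from the page). The first mimics the
# pattern described: a minimal workflow that requests a GitHub OIDC id-token
# and immediately publishes to npm, without checking out any source.
SUSPICIOUS_WORKFLOW = """\
name: publish
on: [push]
permissions:
  id-token: write
  contents: read
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - run: npm publish --provenance --access public
"""

BENIGN_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Line-based matching keeps this dependency-free; a YAML parser is more precise.
ID_TOKEN_RE = re.compile(r"^\s*id-token:\s*write\s*$", re.MULTILINE)
PUBLISH_RE = re.compile(r"\b(?:npm|pnpm|yarn)\s+(?:npm\s+)?publish\b")
CHECKOUT_RE = re.compile(r"uses:\s*actions/checkout@")


def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings for the contents of one workflow file."""
    findings = []
    requests_oidc = bool(ID_TOKEN_RE.search(text))
    publishes = bool(PUBLISH_RE.search(text))
    if requests_oidc:
        findings.append("requests an OIDC id-token (permissions: id-token: write)")
    if publishes:
        findings.append("runs a package publish command")
    if requests_oidc and publishes and not CHECKOUT_RE.search(text):
        # A fresh OIDC token plus publish with no checkout is the injected-workflow shape.
        findings.append("publishes without a checkout step: review as a possible injected workflow")
    return findings
```

Run it over every file under `.github/workflows/` in each repository and review any hit against the workflows your release engineers actually authored; a match is a review trigger, not proof of compromise.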



Related Information:
  • https://www.ethicalhackingnews.com/articles/Miasma-Worm-Compromise-Highlights-Vulnerabilities-in-Supply-Chain-Security-ehn.shtml
  • https://securityaffairs.com/193367/malware/miasma-worm-compromises-73-microsoft-github-repositories.html


Published: Wed Jun 10 18:21:30 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.