Miasma Worm
The ongoing Miasma self-replicating supply chain attack campaign has expanded beyond package registries and is now directly impacting GitHub repositories. According to findings from OpenSourceMalware, the incident affected 73 repositories across four Microsoft GitHub organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. As a result, GitHub restricted access to the compromised repositories for violating its Terms of Service.
Users attempting to access affected projects, including the Azure Functions Host repository, are greeted with a notice indicating that GitHub staff have disabled access and that repository owners must contact GitHub Support for further information.
Among the repositories impacted by the campaign are:
azure-search-openai-demo-purviewdatasecurity,
Connectors-NET-LSP,
Connectors-NET-SDK,
durabletask,
durabletask-dotnet,
durabletask-go,
durabletask-js,
durabletask-mssql
functions-container-action,
homebrew-functions,
llm-fine-tuning,
Windows-driver-docs
Table of Contents
Durable Task Ecosystem Suffers a Second Compromise
One of the most significant aspects of the latest activity is the apparent re-compromise of the 'durabletask' ecosystem. The durabletask PyPI package was previously infected by TeamPCP in May 2026 and used to distribute an information-stealing malware targeting Linux systems.
A month later, the impact appears far broader. Not only has the primary Azure/durabletask repository disappeared, but related repositories across Microsoft's ecosystem have also been affected. The compromised projects include implementations for .NET, Go, Java, JavaScript, MSSQL, Netherite, protobuf, and the Durable Functions monitoring components.
Security researchers believe the connection between the original compromise and the current takedown is unlikely to be accidental. The recurrence suggests that credentials compromised during the earlier incident may never have been fully secured, allowing attackers to regain or maintain access.
Miasma Evolves from the Mini Shai-Hulud Worm
Researchers assess Miasma as a variant of the Mini Shai-Hulud worm that TeamPCP publicly released in mid-May 2026. Since then, the malware has continuously evolved, refining its propagation techniques while infecting additional packages and repositories.
The campaign has used several repository descriptions when creating public repositories that expose stolen secrets, including 'Miasma: The Spreading Blight,' 'Miasma : The Spreading Blight,' 'Miasma - The Spreading Blight,' and 'Hades - The End for the Damned.' Current observations indicate 13 repositories carrying the 'Hades' description and 82 repositories using one of the Miasma-related naming variations.
Direct Repository Infections Signal a New Attack Strategy
In a notable shift in tactics, Miasma has been observed bypassing the npm registry altogether. Instead of poisoning packages through traditional distribution channels, threat actors directly modified the GitHub repository 'icflorescu/mantine-datatable' along with four associated projects: mantine-contextmenu, next-server-actions-parallel, mantine-datatable-v6, and mantine-contextmenu-v6.
The malicious commit introduced no additional dependencies, making detection more difficult. Instead, attackers embedded a 4.3 MB payload runner configured to execute automatically through five widely used developer tools: Claude Code, Gemini CLI, Cursor, Visual Studio Code, and the npm test script. The infection activates when developers clone an affected repository and open it within an AI-assisted coding environment. Researchers identified the payload as the same staged Bun loader previously used in registry-focused attacks, but adapted for long-term persistence within source repositories.
Exploiting Trust Rather Than Vulnerabilities
The Miasma campaign highlights fundamental weaknesses in the trust model underpinning modern open-source software distribution. Unlike many supply chain attacks that rely on exploiting software flaws, this operation succeeds by abusing legitimate development and publishing mechanisms.
Its ability to spread recursively through downstream users and repeatedly compromise new targets has made it one of the most significant and persistent software supply chain threats observed to date. The campaign's effectiveness stems from its capacity to propagate exponentially throughout the ecosystem, turning infected users into new vectors of compromise.
The underlying Shai-Hulud methodology does not target vulnerabilities in platforms such as npm or GitHub. Instead, it undermines the core assumption that software published by authenticated maintainers and signed with valid credentials can be trusted. By compromising both maintainer accounts and their associated signing keys, attackers can perform malicious publishing activities that appear completely legitimate.
From the perspective of package registries and repository platforms, these malicious releases are virtually indistinguishable from routine software updates. This ability to operate entirely within trusted workflows explains why many conventional security controls have struggled to detect and stop the campaign.
