GitHub Nukes 70+ Microsoft Repos After Miasma Worm Breach Breaks CI/CD Pipelines

Saran K | June 8, 2026 | 4 min read

    A Rapid Shutdown to Stem the Bleeding

    In a sudden move to neutralize a spreading security threat, GitHub disabled 73 Microsoft-owned repositories in a frantic 105-second window last Friday. The mass takedown, which triggered a cascade of failures across global development pipelines, was a direct response to the detection of the Miasma worm—a sophisticated piece of malware targeting the open-source supply chain.

    Developers first noticed the anomaly when visits to various official Microsoft repositories resulted in a generic “terms of service violation” message. While the shutdown was an automated security measure, the fallout was immediate. Because many of these repositories are critical dependencies for cloud deployments, the “nuclear option” effectively broke CI/CD (Continuous Integration/Continuous Deployment) pipelines for thousands of users.

    According to Ashish Kurmi, co-founder and CTO of StepSecurity, the most disruptive casualty was the Azure/functions-action repository. As a core component used to deploy code to Azure, its sudden disappearance meant that any workflow referencing Azure/functions-action@v1 simply stopped resolving, halting production deployments for a significant number of enterprise users.
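
    An added example, not from the article or from StepSecurity: a small Python audit that lists which `uses:` lines in a workflow file point at a watched repository, so a team can find pipelines that depend on a disabled or compromised action. The watchlist holds the two repositories named in the article; the sample workflow, file name and function names are constructed for illustration.

```python
import re

# Repositories named in the article; extend with your own watchlist (assumption).
WATCHLIST = {"azure/functions-action", "azure/durabletask"}
# A `uses:` key in a step or reusable-workflow job, with optional list dash and quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_uses(value):
    """Split 'owner/repo[/path]@ref' into (repo, ref); None for local or docker refs."""
    if value.startswith(("./", "../", "docker://")):
        return None
    target, _, ref = value.partition("@")
    parts = target.split("/")
    if len(parts) < 2 or not ref:
        return None
    return "/".join(parts[:2]).lower(), ref

def audit_workflow(name, text, watchlist=WATCHLIST):
    """Return one finding per `uses:` line that points at a watched repository."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        parsed = parse_uses(m.group(1)) if m else None
        if parsed and parsed[0] in watchlist:
            repo, ref = parsed
            # A tag or branch follows whatever the repository publishes; a 40-hex
            # commit is fixed content. Neither resolves while the repo is disabled.
            kind = "commit" if FULL_SHA_RE.match(ref) else "tag-or-branch"
            findings.append({"file": name, "line": lineno, "repo": repo,
                             "ref": ref, "ref_kind": kind})
    return findings

# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
on: push
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish function app
        uses: Azure/functions-action@v1   # reference named in the article
      - uses: ./.github/actions/local-step
      # - uses: Azure/functions-action@v0 (commented out, ignored)
"""

if __name__ == "__main__":
    for f in audit_workflow(".github/workflows/deploy.yml", SAMPLE):
        print(f"{f['file']}:{f['line']} {f['repo']}@{f['ref']} ({f['ref_kind']})")
```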

    The Anatomy of the Infection

    The breach appears to have begun with a compromised contributor account. The attacker pushed a malicious commit to the Azure/durabletask repository, introducing configuration files designed to trigger remote code execution (RCE). The danger was particularly acute for developers using modern AI-integrated environments; the malware was engineered to execute the moment a developer opened the repository using tools like Cursor, Gemini CLI, or Claude Code.

    Once active, the Miasma worm focuses on a singular, high-value objective: cloud secret-scouting. The malware scans Linux systems for developer tool configurations and cloud credentials, attempting to exfiltrate tokens that would grant the attacker deeper access to corporate cloud infrastructure.

    A Recurring Nightmare

    The targeting of durabletask is not a coincidence, but a sign of a persistent security gap. On May 19, the same Miasma worm targeted Microsoft’s durabletask PyPI package, uploading three malicious versions within 35 minutes. These versions planted infostealers on developer machines to harvest the same cloud secrets currently being sought.

    The fact that the worm returned to the same target suggests a failure in the remediation process. Kurmi notes that the tokens associated with the original compromised account may not have been fully rotated, or the attacker successfully navigated a propagation loop to re-infect the contributor. Either way, the persistence of the threat highlights a critical vulnerability in how tokens and contributor permissions are managed in massive open-source ecosystems.

    The Lineage of the Worm

    Security researchers at Snyk have traced the origins of Miasma back to the “Mini Shai Hulud” worm. This lineage connects the current Microsoft breach to a wider campaign that recently ravaged the npm registry, including packages associated with Red Hat. The original Mini Shai Hulud was claimed by a cybercrime group known as TeamPCP.

    However, because TeamPCP open-sourced the Mini Shai Hulud code, the identity of the actor behind Miasma remains blurred. It is unclear if the original group is still leading the charge or if independent actors are utilizing the open-source framework to launch their own attacks. The scale of the campaign is evident: just two days before the Microsoft incident, the worm compromised over 50 npm packages, including a Vapi.ai SDK that boasts over 408,000 monthly downloads.

    Microsoft has not yet provided a detailed official statement regarding the specific number of compromised accounts or the full extent of the data exfiltration. For now, the incident serves as a stark reminder that even the most robust security perimeters are only as strong as the least-rotated token in a contributor’s keychain.
