The Miasma worm, a variant of the Shai-Hulud worm, recently targeted Microsoft's GitHub repositories, causing significant disruptions across the globe. On June 5, the attack was first identified by Open Source Malware when the worm took down 73 of Microsoft's repositories in under two minutes. These repositories were primarily within the company's Azure organization and their removal disrupted CI/CD workflows worldwide, particularly affecting the Azure/functions-action GitHub Action. This incident resulted in widespread workflow failures as these actions are integral to many organizations' development pipelines.

StepSecurity confirmed the attack, linking it to previous compromises involving Microsoft's PyPI packages. Earlier in May, several versions of Microsoft's durabletask Python SDK had been tampered with and published on PyPI, containing a dangerous cloud intrusion framework. This framework was capable of stealing credentials and deploying destructive malware. The attack infrastructure was traced back to TeamPCP, known for its involvement in previous Shai-Hulud attacks. The compromised Microsoft repositories were tied to TeamPCP's broader supply chain campaign.

Microsoft responded by temporarily removing the affected repositories and notifying a small number of customers who might have downloaded the compromised content. The attack utilized configuration files rather than poisoned package registries, allowing the malware to activate when a developer opened a compromised repository through AI coding tools or integrated development environments. This method bypassed traditional detection systems, making it harder to identify the threat.

Although Microsoft has restored the repositories after investigation, the exposure window allowed the Miasma worm to propagate and gather credentials, which could be used for future attacks. Organizations that accessed these repositories are advised to rotate their credentials and inspect for any signs of compromise to prevent further breaches.
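The article describes malware that activates when a developer opens a compromised repository in an IDE or AI coding tool, and advises inspecting for signs of compromise. As an added example (not code from the article, Microsoft or StepSecurity), the Python scanner below assumes one concrete form that mechanism can take, a VS Code `.vscode/tasks.json` task with `runOptions.runOn` set to `folderOpen`, and flags such auto-run tasks in a checked-out repository; the sample configuration and its `bootstrap` task are constructed for the example.

```python
"""Flag IDE task config that runs when a repository folder is opened.
Assumption (the article names no files): one concrete mechanism is a VS Code
.vscode/tasks.json task with runOptions.runOn == "folderOpen"."""
import json
import re
from pathlib import Path

KNOWN_TASK_FILES = (".vscode/tasks.json",)  # extend for other editors/tools
# Match string literals first so "//" inside a URL is not treated as a comment.
_TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def parse_jsonc(text: str) -> dict:
    """VS Code config allows comments and trailing commas; json.loads does not."""
    no_comments = _TOKEN_RE.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
    return json.loads(re.sub(r",\s*([}\]])", r"\1", no_comments))

def find_autorun_tasks(tasks_doc: dict) -> list:
    """Return every task VS Code would start automatically on folder open."""
    findings = []
    for task in tasks_doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            findings.append({"label": task.get("label", "<unnamed>"), "type": task.get("type"),
                             "command": task.get("command"), "args": task.get("args", [])})
    return findings

def scan_repo(repo_root: str) -> list:
    """Scan a checked-out repository; unparsable files are reported, not skipped silently."""
    results = []
    for rel in KNOWN_TASK_FILES:
        path = Path(repo_root) / rel
        if not path.is_file():
            continue
        try:
            hits = find_autorun_tasks(parse_jsonc(path.read_text(encoding="utf-8")))
        except (json.JSONDecodeError, UnicodeDecodeError) as exc:
            results.append({"file": str(path), "error": str(exc)})
            continue
        results.extend(dict(hit, file=str(path)) for hit in hits)
    return results

# Constructed sample: one ordinary build task and one task that runs on open.
SAMPLE_TASKS_JSON = """{
  "version": "2.0.0", // schema version
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "bootstrap", "type": "shell", "command": "./scripts/bootstrap.sh",
     "runOptions": {"runOn": "folderOpen"},},
  ],
}"""
```

Run `scan_repo("/path/to/clone")` against a freshly cloned repository before opening it in an editor; a non-empty result is a task that would execute without any further action from the developer.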