Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack
Published 3 days ago
By Jon Tru
A rapidly evolving software supply chain threat known as Miasma has compromised dozens of Microsoft-hosted GitHub repositories, marking one of the most significant open-source ecosystem attacks seen this year.
Security researchers report that the self-propagating malware campaign affected 73 repositories spread across multiple Microsoft GitHub organizations, including projects associated with Azure, Microsoft, Azure-Samples, and MicrosoftDocs. Following the discovery, GitHub temporarily restricted access to the impacted repositories while investigations and remediation efforts continue.
Microsoft Repositories Taken Offline Following Compromise
Users attempting to access several affected repositories were met with notices indicating that GitHub had disabled access due to violations of platform policies.
According to findings published by security researchers at OpenSourceMalware, the attack reached a wide range of Microsoft development projects, including software development kits, cloud infrastructure tools, workflow automation projects, and developer resources.
Among the affected repositories were components linked to Azure Functions, Durable Task frameworks, machine learning projects, and various open-source development utilities.
The breadth of the compromise highlights the growing risks facing major software vendors that rely heavily on open-source collaboration platforms.
Attack Linked to Previously Compromised Package
Researchers have identified a concerning connection between the latest incident and an earlier supply chain compromise involving the “durabletask” package published through the Python Package Index (PyPI).
That package was previously associated with malicious activity that targeted Linux developers through information-stealing malware.
Security analysts believe the latest wave of compromises may stem from credentials or access tokens that were not fully secured after the earlier breach.
The overlap between previously targeted projects and the newly compromised repositories has raised concerns that attackers may have retained persistent access to development environments over an extended period.
Miasma Evolves From Earlier Worm Campaign
The malware is believed to be a more advanced evolution of the self-replicating Mini Shai-Hulud worm that surfaced publicly earlier this year.
Since its emergence, the threat has continued to evolve, adopting new infection methods, expanding its reach, and refining its ability to spread across software development ecosystems.
Researchers have observed the attackers creating numerous public repositories containing stolen secrets and compromised data. These repositories have appeared under various naming schemes, including:
- Miasma: The Spreading Blight
- Miasma – The Spreading Blight
- Hades – The End for the Damned
The growing number of repositories associated with these campaigns suggests that the malware remains highly active and continues to infect new targets.
Attackers Shift Beyond Traditional Package Repositories
One of the most alarming developments is the campaign’s move away from conventional package registry attacks.
Instead of relying solely on malicious package uploads, threat actors have reportedly begun inserting harmful code directly into source code repositories.
Researchers discovered malicious modifications in several open-source projects where attackers embedded large payload loaders designed to activate automatically when developers interact with the affected codebases.
This tactic significantly increases the likelihood of infection because developers often trust code obtained directly from established repositories.
AI Development Tools Become Infection Vector
Investigators found that some malicious payloads were specifically designed to execute when developers open compromised repositories using popular AI-assisted coding tools and development environments.
The malicious code reportedly integrates with various developer workflows, increasing the chances that infected projects will execute payloads automatically during normal software development activities.
This represents a notable shift in attacker behavior, as cybercriminals increasingly target AI-enhanced development ecosystems that are becoming common across enterprise software teams.
Exploiting Trust Rather Than Technical Vulnerabilities
Security researchers emphasize that the campaign’s effectiveness does not rely on exploiting flaws within GitHub, package managers, or software registries themselves.
Instead, the malware abuses the trust relationships that underpin modern software development.
By obtaining legitimate credentials, compromising trusted maintainers, or hijacking authorized publishing workflows, attackers can distribute malicious updates that appear completely legitimate to automated security systems.
Because the malware operates through approved channels and authenticated accounts, traditional detection mechanisms often struggle to distinguish malicious activity from normal software maintenance.
Supply Chain Risks Continue to Grow
The Miasma campaign highlights the increasing dangers associated with software supply chain attacks, which have become one of the most disruptive cybersecurity threats facing organizations worldwide.
Unlike traditional malware outbreaks, self-replicating supply chain attacks can spread exponentially through interconnected development ecosystems, impacting thousands of downstream users from a single compromise.
As organizations increasingly rely on open-source software, cloud-native development, and automated deployment pipelines, the potential impact of these attacks continues to expand.
Security Experts Urge Immediate Review
Cybersecurity professionals are advising organizations to:
- Audit dependencies originating from affected repositories.
- Review software supply chain security controls.
- Rotate credentials that may have been exposed.
- Verify the integrity of development environments.
- Monitor repositories for unauthorized changes and suspicious commits.
- Strengthen code-signing and access management policies.
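As an added illustration of the first and fifth recommendations above (not code from the article or from any of the projects it names), the following script audits a Python requirements file for dependencies that warrant review after an incident like this one: packages pulled straight from GitHub organizations named in the article, git references that are not pinned to a full commit SHA, the "durabletask" PyPI name, and unpinned versions in general. The watch lists and the sample requirements are constructed for the example; extend them for your own environment.

```python
import re

# Constructed watch lists built from the names mentioned in the article.
WATCHED_GITHUB_ORGS = {"azure", "microsoft", "azure-samples", "microsoftdocs"}
WATCHED_PYPI_NAMES = {"durabletask"}

# Matches pip's git URL forms: git+https://github.com/org/repo(.git)@ref#egg=name
GIT_URL_RE = re.compile(
    r"github\.com[/:](?P<org>[^/\s]+)/(?P<repo>[^/\s#@]+?)(?:\.git)?(?:@(?P<ref>[^\s#]+))?(?:#|$)"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_requirement(line):
    """Classify one requirements.txt line; returns a list of findings (empty means nothing to flag)."""
    findings = []
    spec = line.split("#", 1)[0].strip()          # drop trailing comments
    if not spec or spec.startswith("-"):          # blank lines and pip options (-r, -e, ...) are skipped
        return findings
    m = GIT_URL_RE.search(spec)
    if m:
        org, repo, ref = m.group("org"), m.group("repo"), m.group("ref")
        if org.lower() in WATCHED_GITHUB_ORGS:
            findings.append(f"git dependency from watched org {org}/{repo}: review against the incident advisory")
        if ref is None or not FULL_SHA_RE.match(ref):
            # A branch or tag can be moved to point at modified code; only a full SHA is immutable.
            findings.append(f"git ref {ref!r} is not a full commit SHA: re-pin after verifying the checkout")
        return findings
    # Plain index package: normalise the name (PEP 503 style) before comparing.
    name = re.split(r"[\s<>=!~\[;]", spec, maxsplit=1)[0].lower().replace("_", "-")
    if name in WATCHED_PYPI_NAMES:
        findings.append(f"PyPI package {name} is on the watch list: verify installed versions and rotate credentials used where it ran")
    if "==" not in spec:
        findings.append(f"{name} has no exact version pin: an unpinned dependency is where a malicious update lands")
    return findings

def audit_requirements(text):
    """Audit a whole requirements file; maps each flagged line to its findings."""
    report = {}
    for line in text.splitlines():
        found = audit_requirement(line)
        if found:
            report[line.strip()] = found
    return report

# Constructed sample requirements file for demonstration.
SAMPLE_REQUIREMENTS = """requests==2.31.0
durabletask>=1.0
git+https://github.com/Azure/durabletask-python.git@main#egg=durabletask
tool @ git+https://github.com/example-org/tool@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for line, findings in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(line)
        for f in findings:
            print("  -", f)
```

The same name and org matching applies to lock files in other ecosystems once their dependency entries are parsed; a hit is a prompt to review and rotate, not proof of compromise.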
Experts warn that software supply chain security must now be treated as a critical business risk rather than a niche development concern.
The Miasma campaign serves as another reminder that trust remains one of the most valuable—and most frequently targeted—assets in the modern software ecosystem.