Microsoft GitHub repositories were caught up in the latest stage of the Miasma supply-chain campaign after GitHub disabled 73 repos across four Microsoft organizations on June 5, according to security researchers. The action followed a malicious commit pushed to the Azure/durabletask repository using a previously compromised contributor account.
The attack is an escalation of a broader campaign that first surfaced in Red Hat’s npm ecosystem. Researchers said the earlier compromise affected at least 32 packages under the @redhat-cloud-services namespace and involved a credential-stealing worm spread through malicious package releases.
In the Microsoft incident, the planted files were designed to trigger a credential-harvesting payload when developers opened the repository in AI coding tools such as Claude Code, Gemini CLI, Cursor, or VS Code. GitHub disabled the repositories in a narrow 105-second window, with the affected projects spanning Azure, Azure-Samples, Microsoft, and MicrosoftDocs.
Security researchers said the campaign reflects a shift in supply-chain attacks toward developer tooling and automated workflows. The earlier Red Hat compromise was linked to a compromised employee GitHub account and unauthorized commits, while the Microsoft phase reused a similar trust-break strategy inside source repositories rather than package registries.
The remediation advice centers on limiting exposure to mutable references and assuming credential compromise. Researchers recommended pinning GitHub Actions to full commit SHAs, rotating Azure and GitHub tokens, and using safer deployment methods until affected repositories are restored.
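One way to check the SHA-pinning recommendation above against a workflow file, as an added example that is not from the researchers or from GitHub. It scans `uses:` lines with a line-based regex rather than a YAML parser, and the workflow, action names and SHA in `SAMPLE` are constructed placeholders.

```python
import re

# Value of a `uses:` key on a step or on a job (reusable workflow call).
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample workflow; every action name and SHA is a placeholder.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: example-org/checkout-action@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567  # v2.1.0
      - uses: example-org/deploy@main
      - uses: ./.github/actions/local-lint
      - uses: example-org/scan@0123abc
      - uses: docker://example.invalid/tool:latest
  release:
    uses: example-org/shared/.github/workflows/release.yml@release-branch
"""

def classify(ref):
    """Return 'pinned', 'local', or the reason the reference is mutable."""
    if ref.startswith("./"):
        return "local"  # read from the same checkout, no remote ref involved
    if ref.startswith("docker://"):
        pinned = re.search(r"@sha256:[0-9a-f]{64}$", ref)
        return "pinned" if pinned else "docker image without sha256 digest"
    if "@" not in ref:
        return "no ref given"
    version = ref.rsplit("@", 1)[1]
    if FULL_SHA_RE.fullmatch(version):
        return "pinned"
    if re.fullmatch(r"[0-9a-f]{7,39}", version):
        return "short hex ref, not a full 40-character commit SHA"
    return "mutable tag or branch"

def audit(workflow_text):
    """List (line number, reference, reason) for every unpinned `uses:`."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) not in ("pinned", "local"):
            findings.append((lineno, m.group(1), classify(m.group(1))))
    return findings

if __name__ == "__main__":
    for lineno, ref, why in audit(SAMPLE):
        print(f"line {lineno}: {ref}: {why}")
```

Run over the sample, it reports the tag, branch, short-hex, unpinned Docker and reusable-workflow references and passes the full-SHA and local ones.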