Several of Microsoft's open-source repositories on GitHub were compromised to deliver credential-stealing code. In response, GitHub disabled 73 repositories across four organizations on June 5.
The malicious payload runs when a developer opens an affected repository with an AI coding agent such as Claude Code, Gemini CLI, Cursor, or VS Code. The 28 KB payload harvests credentials for AWS, Azure, GCP and Kubernetes, password-manager data, and the configuration files of more than 90 developer tools, and it spreads laterally through the victim's cloud infrastructure to infect other developer machines.
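The report does not say which file in the repositories fires the payload, only that opening them with an agent is enough. The check a practitioner wants before opening an untrusted clone is a look at the configuration those tools execute on folder open or session start. The following Python script is an added example, not code from the report, from Microsoft, or from any of the named tools: it scans a checkout for common autorun surfaces (VS Code folder-open tasks, stdio MCP server definitions, agent hooks). The file paths and JSON keys it inspects are assumptions about how those tools are commonly configured, and the sample checkout it builds is constructed for the demo.

```python
import json
import re
import tempfile
from pathlib import Path

# Files through which an editor or agent launches local processes when a
# folder is opened or a session starts. Assumed common autorun surfaces; the
# report does not say which file carried the Miasma trigger.
AUTORUN_FILES = [
    ".vscode/tasks.json",     # tasks with "runOptions": {"runOn": "folderOpen"}
    ".vscode/mcp.json",       # VS Code MCP servers (stdio "command")
    ".mcp.json",              # Claude Code project-scoped MCP servers
    ".claude/settings.json",  # Claude Code hooks and MCP servers
    ".cursor/mcp.json",       # Cursor MCP servers
    ".gemini/settings.json",  # Gemini CLI MCP servers
]


def load_jsonc(path: Path):
    """Parse JSON that may carry //-comment lines and trailing commas, as tasks.json does."""
    text = path.read_text(encoding="utf-8", errors="replace")
    text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def walk(node, path=""):
    """Yield (json_path, key, value) for every key in a nested JSON document."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield f"{path}/{key}", key, val
            yield from walk(val, f"{path}/{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from walk(val, f"{path}[{i}]")


def scan_repo(root) -> list:
    """Return (relative_file, reason) pairs for every autorun definition found under root."""
    root = Path(root)
    findings = []
    for rel in AUTORUN_FILES:
        p = root / rel
        if not p.is_file():
            continue
        try:
            data = load_jsonc(p)
        except ValueError:
            findings.append((rel, "unparseable JSON; review by hand"))
            continue
        if rel.endswith("tasks.json") and isinstance(data, dict):
            # VS Code starts a task on folder open only when runOptions.runOn says so.
            for i, task in enumerate(data.get("tasks", [])):
                if task.get("runOptions", {}).get("runOn") == "folderOpen":
                    findings.append((rel, f"/tasks[{i}] '{task.get('label')}' "
                                          f"runs on folder open: {task.get('command')}"))
            continue
        for jpath, key, val in walk(data):
            # stdio MCP servers and agent hooks are local commands started with the session.
            if key == "command" and isinstance(val, str) and (
                "/mcpServers/" in jpath or "/hooks/" in jpath
            ):
                findings.append((rel, f"{jpath}: runs `{val}`"))
    return findings


def demo() -> list:
    """Build a constructed sample checkout in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(
        "{\n"
        "  // constructed sample: one task auto-runs, one does not\n"
        '  "version": "2.0.0",\n'
        '  "tasks": [\n'
        '    {"label": "setup", "type": "shell", "command": "sh ./scripts/setup.sh",\n'
        '     "runOptions": {"runOn": "folderOpen"},},\n'
        '    {"label": "test", "type": "shell", "command": "npm test"}\n'
        "  ]\n"
        "}\n"
    )
    (root / ".mcp.json").write_text(
        '{"mcpServers": {"docs": {"command": "node", "args": ["./tools/docs-server.js"]}}}'
    )
    (root / ".claude").mkdir()
    (root / ".claude" / "settings.json").write_text(
        '{"hooks": {"SessionStart": [{"hooks": [{"type": "command",'
        ' "command": "python3 .claude/bootstrap.py"}]}]}}'
    )
    return scan_repo(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against a fresh clone before opening the folder in an agent; any finding is a command the tool may execute on your behalf and should be read before the repository is trusted. The scanner deliberately reports every such command rather than trying to judge which are malicious, since a benign-looking `node` or `sh` launcher is exactly how a payload would be staged.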
The attackers used compromised Microsoft publisher credentials to publish poisoned versions of the durabletask package directly, bypassing the repository's build pipeline. GitHub stated that the repositories were disabled for a violation of its terms of service. "We have temporarily removed some repositories as we investigate potential malicious content," Microsoft said.
The malware is tracked as Miasma, a modified version of the Mini Shai-Hulud toolkit, and researchers attribute the attack to the threat actor TeamPCP. Miasma produces a uniquely encrypted payload for each infection, so no two samples share a file hash and traditional hash-based indicators of compromise are ineffective for broad detection; defenders have to key on what the payload does rather than what it looks like.
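Because the per-infection encryption defeats hash blocklists, a practical detection for this class of stealer looks at behaviour: one process reading credential stores for several unrelated providers within seconds, which is what the report says the payload does (AWS, Azure, GCP, Kubernetes). The following Python detector is an added example, not code from the report or from any vendor tooling. It runs that rule over a constructed, simplified file-access log; the log format, the credential-store paths and the window and threshold values are assumptions chosen for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Credential stores named in the report (AWS, Azure, GCP, Kubernetes) plus a few
# common developer-tool secrets. Paths are assumed defaults; keys are the category
# reported in an alert.
CREDENTIAL_STORES = {
    "aws": (".aws/credentials", ".aws/config"),
    "azure": (".azure/",),
    "gcp": (".config/gcloud/",),
    "kubernetes": (".kube/config",),
    "docker": (".docker/config.json",),
    "npm": (".npmrc",),
    "git": (".git-credentials",),
    "ssh": (".ssh/id_",),
}

# Constructed log format: ISO timestamp, pid, process name, file path opened.
LINE_RE = re.compile(r"^(\S+) pid=(\d+) comm=(\S+) path=(\S+)$")

# Constructed sample: an aws CLI and kubectl-style single-store reads (benign), a
# node process sweeping four providers in five seconds (the stealer pattern), and a
# git process touching three stores spread over ten minutes (outside the window).
SAMPLE_AUDIT_LOG = """\
2026-06-05T10:14:00Z pid=3001 comm=aws path=/home/dev/.aws/config
2026-06-05T10:14:00Z pid=3001 comm=aws path=/home/dev/.aws/credentials
2026-06-05T10:14:02Z pid=4120 comm=node path=/home/dev/.aws/credentials
2026-06-05T10:14:03Z pid=4120 comm=node path=/home/dev/.azure/accessTokens.json
2026-06-05T10:14:03Z pid=4120 comm=node path=/home/dev/.config/gcloud/credentials.db
2026-06-05T10:14:05Z pid=4120 comm=node path=/home/dev/.kube/config
2026-06-05T10:14:05Z pid=4120 comm=node path=/home/dev/project/package.json
2026-06-05T10:20:00Z pid=5200 comm=git path=/home/dev/.git-credentials
2026-06-05T10:25:00Z pid=5200 comm=git path=/home/dev/.npmrc
2026-06-05T10:31:00Z pid=5200 comm=git path=/home/dev/.aws/credentials
"""


def classify(path):
    """Map a file path to a credential-store category, or None if it is not one."""
    for category, needles in CREDENTIAL_STORES.items():
        if any(n in path for n in needles):
            return category
    return None


def parse(line):
    """Parse one log line into (timestamp, pid, comm, path); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, int(m.group(2)), m.group(3), m.group(4)


def detect(lines, window_s=60, threshold=3):
    """Return (pid, comm, categories) for each process that reads at least `threshold`
    distinct credential-store categories within any `window_s`-second window."""
    events = defaultdict(list)  # pid -> [(ts, comm, category)]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, pid, comm, path = rec
        category = classify(path)
        if category:
            events[pid].append((ts, comm, category))

    alerts = []
    for pid, evs in events.items():
        evs.sort()
        best, lo = [], 0
        # Sliding window over this pid's credential-store reads; keep the widest set seen.
        for hi in range(len(evs)):
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window_s:
                lo += 1
            categories = sorted({c for _, _, c in evs[lo:hi + 1]})
            if len(categories) > len(best):
                best = categories
        if len(best) >= threshold:
            alerts.append((pid, evs[-1][1], best))
    return alerts


def run_demo():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_AUDIT_LOG.splitlines())


if __name__ == "__main__":
    for pid, comm, categories in run_demo():
        print(f"ALERT pid={pid} comm={comm} stores={','.join(categories)}")
```

Only the node process trips the rule; the aws CLI reads one provider's files, and the git process spreads its reads over ten minutes, so the 60-second window never holds three categories. The same rule can be fed from auditd, eBPF file-open tracing or an EDR's file-access telemetry, and unlike a hash list it does not care how the payload was encrypted.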
The compromised repositories include 49 projects related to Azure, the Durable Task framework, and AI sample applications. Disabling them has also broken GitHub Actions that depend on those repositories. The durabletask framework receives 400,000 downloads per month.
This is the second hit on the same account: TeamPCP published three malicious versions of the durabletask package in May, and the account abused in June is the one that was compromised then. Microsoft has not disclosed how the account was compromised a second time.