- Threat actor reused unrotated GitHub Actions secrets to compromise 73 Microsoft repositories
- The Miasma worm was deployed across the Azure, Microsoft, Azure-Samples and MicrosoftDocs organizations
- Microsoft has removed the affected repositories, notified affected customers, and is continuing to investigate
GitHub disabled 73 of Microsoft’s repositories after a malicious actor allegedly used stolen credentials a month ago to break in and install an information stealer.
The news was confirmed by security firm Cloudsmith and malware analysis community site OpenSourceMalware, who revealed that in mid-May 2026, someone (most likely TeamPCP) used stolen Microsoft GitHub Actions secrets to release malicious PyPI packages. Although these were quickly removed from the platform, it appears that Microsoft never disclosed the secrets used in this attack.
It now appears that the same threat actor used the same credentials to compromise 73 new repositories, across four GitHub organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. The Azure org was hit the hardest, losing 49 repositories, which was essentially everything the Functions team delivered.
Significant consequences
The main difference is that this time it was not the Mini Shai-Hulud worm that was distributed, but rather the Miasma worm, a spin-off that followed TeamPCP’s open-source Mini Shai-Hulud software.
The researchers say the practical consequences have been quite significant, as some libraries operate in other people’s pipelines. For example, every workflow referencing Azure/functions-action@v1 stopped resolving.
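
An added example, not from the article or the researchers: a Python audit that lists every `uses:` reference in a workflow file pointing into one of the four affected organizations, and reports whether it is pinned to a full commit SHA or to a movable tag or branch. The sample workflow and the `azure/login` and `microsoft/example-action` references in it are constructed.

```python
import re

# The four GitHub organizations the article names as affected.
AFFECTED_ORGS = {"azure", "azure-samples", "microsoft", "microsoftdocs"}
# A `uses:` key (step or reusable workflow), optional list dash and quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

def audit_workflow(text, path="<workflow>"):
    """List every `uses:` reference that points into an affected org."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a uses: line (or commented out)
        ref = m.group(1)
        # Local actions and container images are not GitHub repo references.
        if ref.startswith(("./", "../", "docker://")):
            continue
        target, _, version = ref.partition("@")
        parts = target.split("/")
        if len(parts) < 2 or parts[0].lower() not in AFFECTED_ORGS:
            continue
        findings.append({
            "path": path, "line": lineno,
            "repo": "/".join(parts[:2]), "ref": version,
            # Only a full 40-hex commit SHA is immutable; tags and branches can move.
            "pinned_to_sha": bool(FULL_SHA_RE.match(version)),
        })
    return findings

# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-build
      - name: Deploy
        uses: Azure/functions-action@v1
      - uses: "azure/login@0123456789abcdef0123456789abcdef01234567"
      # - uses: microsoft/example-action@v1
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE, "deploy.yml"):
        kind = "commit SHA" if f["pinned_to_sha"] else "mutable tag or branch"
        print(f'{f["path"]}:{f["line"]} {f["repo"]}@{f["ref"]} ({kind})')
```

Running it over each file under `.github/workflows/` gives an inventory of which pipelines depend on the affected organizations, which is the list to review when a referenced repository is taken offline.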
Microsoft spokesperson Ben Hope told TechCrunch the company has “temporarily removed some repositories while we investigate potentially malicious content.”
“Some of these repositories have been restored after review, while others may remain offline while work continues,” Hope added. “As part of our investigation, we have notified a small number of customers who may have pulled content from the affected repositories. We will continue to investigate, and if anything else is identified that requires customer action, we will contact you directly through our established support channels.”
Microsoft couldn’t say how many customers the incident affected, but we can assume it’s tens of thousands or more.





