Jun 09, 2026 15:00:00

73 Microsoft GitHub repositories have been disabled after being compromised by malware that stole credentials from AI users.

On June 5, 2026, 73 Microsoft GitHub repositories were disabled by GitHub's anti-fraud system. These repositories were found to be compromised by malware that stole authentication credentials when developers opened packages using AI coding tools.

The Blight Reaches Microsoft: 73 Repos Disabled in 105 Seconds | OpenSource Malware Blog

https://opensourcemalware.com/blog/miasma-reaches-azure

Miasma worm is a new variant of Shai-Hulud | Cloudsmith
https://cloudsmith.com/blog/miasma-worms-path-of-destruction

For the 2nd time in weeks, Microsoft packages laced with credential stealer - Ars Technica
https://arstechnica.com/security/2026/06/for-the-2nd-time-in-weeks-microsoft-packages-laced-with-credential-stealer/

Microsoft's open source tools were hacked to steal passwords of AI developers | TechCrunch
https://techcrunch.com/2026/06/08/microsofts-open-source-tools-were-hacked-to-steal-passwords-of-ai-developers/

Starting at some point on June 5th, 73 Microsoft GitHub repositories related to the cloud service Azure and tools for developers to use AI coding tools were disabled by GitHub's anti-fraud system.

When you access a disabled Microsoft GitHub repository, you will see the message 'This repository has been disabled.'

The reason for disabling this GitHub repository is that malware called 'Miasma' was embedded in the code. Miasma is a self-replicating credential-stealing malware based on the Mini Shai-Hulud codebase, which was open-sourced by a hacking group called TeamPCP.

When a user opens a repository infected with Miasma using AI coding tools such as Claude Code or Gemini CLI, their credentials are stolen instantly. Miasma then attempts to plant backdoors in other packages and repositories accessible by the infected environment, meaning that compromising one development environment could lead to attacks on other projects.

In May 2026, a Python package for the 'Durable Task Framework' related to Microsoft Azure was compromised by Miasma . Security firm Cloudsmith noted, 'The fact that the exact same ecosystem that was down last month is now completely down this month suggests that there is a deeper problem, and it is highly likely that the original credentials used in May were not fully rotated or repaired.'

In June, Red Hat also reported through its official npm channel that several packages had been compromised by Miasma.

It was discovered that dozens of packages had backdoors embedded in them through Red Hat's official npm channel - GIGAZINE

Microsoft spokesperson Ben Hope told TechCrunch, 'We temporarily removed some repositories to investigate the possibility of malicious content. Some of these repositories have been restored after review, while others remain offline as work is ongoing.' He added that they have notified a small number of potentially affected customers and will contact them through support channels if further action is required.