Microsoft scrambled to contain a sophisticated supply-chain attack on June 5, 2026, after the Miasma worm infiltrated 73 repositories across its official GitHub organizations. GitHub took the extraordinary step of disabling the affected repos, which spanned Microsoft, Azure, Azure-Samples, and MicrosoftDocs, to prevent the spread of credential-stealing payloads. Early analysis suggests the attack specifically targeted secrets used by AI coding agents and automated development pipelines, putting both internal Microsoft projects and third-party integrations at risk.
The Miasma worm represents a new breed of supply-chain threat designed to exploit the trust relationships inherent in modern DevOps workflows. It propagates through GitHub Actions, pull request hooks, and package dependencies, embedding itself in legitimate-looking code commits. Once inside a repository, Miasma silently harvests environment variables, encrypted secrets, and API tokens, then exfiltrates them to attacker-controlled infrastructure. The worm’s name derives from its method of spreading through “bad air” — poisoned CI/CD pipelines that contaminate every project they touch.
How the Attack Unfolded
Security researchers at Wiz first flagged suspicious activity in the Azure-Samples/python-integrated-authentication repository on the morning of June 5. The repo had recently accepted a minor dependency bump that included a tampered script disguised as a linter configuration. When developers merged the pull request, the script executed in the GitHub Actions runner and immediately scanned for secrets. Within hours, the worm had hopped to 72 other repositories, leveraging existing GitHub integrations to propagate without further human interaction.
GitHub’s automated secret scanning tools initially missed the payload because the worm used encrypted channels and obfuscated code. By the time Microsoft’s security team realized the scale of the breach, Miasma had already exfiltrated at least 2,400 secrets, including Azure SDK keys, AI model API tokens, and code signing certificates. The worm’s self-propagation logic prioritized repositories with active CI/CD pipelines and those containing references to AI coding assistants like GitHub Copilot and internal Microsoft agent frameworks.
The Affected Repositories
The 73 disabled repositories cut across several critical domains:
- Microsoft org: Core project repos for Windows Terminal, PowerToys, and the Microsoft 365 Developer Program, all of which experiment with AI-assisted code generation.
- Azure org: Infrastructure-as-code templates, Azure Functions samples, and reference architectures that are frequently cloned by enterprise customers.
- Azure-Samples org: Customer-facing tutorials and SDK examples, many including pre-configured authentication workflows.
- MicrosoftDocs org: Technical documentation sites that automatically publish via GitHub Pages, potentially exposing build-time secrets.
GitHub’s decision to disable all repositories was a blunt but necessary measure. While some repos only contained static content, the risk of further lateral movement through shared GitHub Apps and OAuth tokens meant that containing repositories one at a time was not an option. The takedown disrupted thousands of active deployments and documentation builds, but GitHub prioritized credential safety over availability.
AI Coding Credentials in the Crosshairs
What sets Miasma apart from previous supply-chain worms is its focus on AI development pipelines. Traditional secret-stealing malware looks for database passwords and AWS keys, but Miasma specifically hunted for tokens associated with AI model training, inference endpoints, and code-generation services. This includes GitHub Copilot secrets, Azure OpenAI Service keys, and private model registry credentials.
“We’re seeing attackers pivot to AI assets because the blast radius is enormous,” says Elara Finn, principal threat analyst at Dragos. “If you compromise an AI coding agent’s token, you can inject malicious code suggestions into the editor of every developer who uses that agent. It’s the ultimate supply-chain backdoor.”
Microsoft’s internal AI coding tools, such as Copilot Extensions and the internal Codex-powered agents used by Xbox and Windows teams, rely on repository-level secrets to function. Miasma’s payloads were designed to intercept these tokens at the runner level, potentially allowing attackers to impersonate AI assistants and poison future code generation. Worse, because many AI services share the same token for training and inference, a stolen credential could grant access to sensitive model weights or training data.
Microsoft’s Response
Microsoft immediately revoked all exposed secrets and forced a rotation of over 15,000 internal and external tokens. The company also issued an emergency advisory to all customers who had cloned or forked affected repositories, warning them to scan for the Miasma payload in their own environments. Azure DevOps and GitHub Enterprise Server instances received a hotfix to detect the worm’s specific signature in pipeline logs.
“We are working closely with GitHub and the open-source community to understand the full scope of this attack,” said a Microsoft spokesperson. “No customer data was exposed directly, but we urge all developers to audit their CI/CD pipelines, particularly those running in GitHub Actions, for unexpected credential usage.”
The incident prompted GitHub to roll out a new opt-in code scanning rule set specifically for supply-chain attacks. The rule set, dubbed “Miasma Detection,” analyzes dependency graphs and action workflows for known patterns used by the worm. Additionally, GitHub now requires maintainers of high-impact repositories—those with over 1,000 stars or used by more than 500 organizations—to enable two-factor authentication on pull request actions and to restrict workflow permissions to least privilege by default.
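The least-privilege requirement described above can be checked mechanically before a workflow is merged. The script below is an added example written for this article, not a GitHub or Microsoft tool. It reads the permissions a GitHub Actions workflow grants to GITHUB_TOKEN with a deliberately small line-based reader (so it needs no third-party YAML library) and reports any grant broader than read access on scopes a hijacked runner step could abuse. Both workflow texts are constructed, and the set of high-risk scopes is an assumption to tune per repository.

```python
"""
Audit the GITHUB_TOKEN permissions declared in a GitHub Actions workflow.
Added example, not tooling from GitHub or Microsoft. It uses a small
line-oriented reader instead of PyYAML, so it understands only the two
forms GitHub documents for the `permissions` key:

    permissions: read-all        # shorthand string (or write-all, or {})
    permissions:                 # mapping of scope to access level
      contents: read
"""
import re
from typing import Dict, List

# Assumption: scopes where a "write" grant would let a hijacked step alter
# code, workflows or published artifacts. Tune to the repository's needs.
HIGH_RISK_WRITE_SCOPES = {"contents", "actions", "id-token", "packages", "pull-requests"}

PERMISSIONS_KEY = re.compile(r"^(\s*)permissions:\s*(\S*)\s*$")
SCOPE_LINE = re.compile(r"^\s*([\w-]+):\s*(\w+)")

NO_BLOCK_FINDING = ("no permissions key: GITHUB_TOKEN falls back to the repository "
                    "default, which is not visible in the workflow file")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def extract_permissions_blocks(workflow_text: str) -> List[Dict[str, str]]:
    """Return one dict per `permissions:` key (workflow-level or job-level).

    A shorthand value is stored under "*", e.g. {"*": "write-all"}; the
    mapping form is returned as {scope: access}.
    """
    lines = workflow_text.splitlines()
    blocks: List[Dict[str, str]] = []
    i = 0
    while i < len(lines):
        m = PERMISSIONS_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        base_indent = len(m.group(1))
        if m.group(2):                        # shorthand form on the same line
            blocks.append({"*": m.group(2).strip("'\"")})
            i += 1
            continue
        scopes: Dict[str, str] = {}
        i += 1
        while i < len(lines):                 # mapping form: indented children
            line = lines[i]
            if not line.strip() or line.lstrip().startswith("#"):
                i += 1
                continue
            if _indent(line) <= base_indent:  # back at the parent's level
                break
            sm = SCOPE_LINE.match(line)
            if sm:
                scopes[sm.group(1)] = sm.group(2)
            i += 1
        blocks.append(scopes)
    return blocks


def audit_permissions(workflow_text: str) -> List[str]:
    """Return findings as strings; an empty list means least privilege holds."""
    findings: List[str] = []
    blocks = extract_permissions_blocks(workflow_text)
    if not blocks:
        findings.append(NO_BLOCK_FINDING)
    for block in blocks:
        if block.get("*") == "write-all":
            findings.append("permissions: write-all grants every scope write access")
            continue
        for scope, access in block.items():
            if scope != "*" and access == "write" and scope in HIGH_RISK_WRITE_SCOPES:
                findings.append(f"{scope}: write lets a hijacked step alter {scope}")
    return findings


# Constructed workflows: the first grants far more than a lint job needs,
# the second is the least-privilege equivalent.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions: write-all
jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - run: npm install && npm run lint
"""

HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run lint
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_permissions(text) or ["ok"])
```

Run as a pre-merge check over every file under .github/workflows, the script turns the permissions requirement into a failing status rather than a policy document; a workflow with no permissions key is reported too, because the token's effective rights then depend on a repository setting the reviewer cannot see in the diff.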
Wider Industry Implications
The Miasma worm has shaken the developer community’s confidence in automated security measures. The attack vector—a malicious linter configuration—highlights how even innocuous pull request changes can carry devastating payloads. As AI coding agents become more integrated into IDEs and CI/CD systems, they create a new class of privileged credentials that are often overlooked in security audits.
Several organizations are already revising their policies. The Linux Foundation announced an emergency working group to define security standards for AI-augmented development pipelines. Google’s Open Source Security Team pledged to integrate Miasma-specific signatures into its OSV-Scanner tool within 48 hours. And venture capital firm Andreessen Horowitz urged its portfolio companies to treat AI coding credentials with the same rigor as production infrastructure secrets.
The Road Ahead
For developers, the immediate priority is to check whether they have used any of the disabled Microsoft repositories as dependencies or starting templates. GitHub has provided a list of affected repos and a CLI tool to scan forks for the Miasma payload. The company also recommends that all CI/CD workflows be audited for the following red flags:
- Unsolicited pull requests that modify ".github/workflows" or install development dependencies.
- Unexplained runs of scripts named "lint-fix" or "format-code" during the checkout phase.
- Outbound network connections to domains containing "mi-as-ma" or similar hex-encoded patterns.
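The three red flags above can be applied to a pull request and its Actions run with a short script. The one below is an added example for this article, not GitHub's CLI scanner. Its log line format, the changed-file list and the set of dependency manifests are constructed for illustration, and its reading of "similar hex-encoded patterns" (the hex encoding of the worm's name, or a DNS label that is one long run of hex digits) is an assumption, not a published indicator.

```python
"""
Triage a pull request's changed files and the runner log of the workflow it
triggered against the red flags in the text. Added example; the log format
is made up for this script and is not GitHub's runner log format.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Assumption: which manifests count as "installing development dependencies".
DEPENDENCY_MANIFESTS = {
    "package.json", "package-lock.json", "requirements.txt", "requirements-dev.txt",
    "pyproject.toml", "Pipfile", "go.mod", "Gemfile", ".pre-commit-config.yaml",
}
SUSPICIOUS_SCRIPT_NAMES = {"lint-fix", "format-code"}
MIASMA_HEX = "miasma".encode().hex()          # "6d6961736d61"

# Constructed format: "<timestamp> [<phase>] <event>: <detail>"
LOG_LINE = re.compile(r"^\S+ \[(?P<phase>[\w-]+)\] (?P<event>\w+): (?P<detail>.*)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def flag_pr_files(changed_files: Iterable[str]) -> List[Finding]:
    """Red flag 1: workflow definitions or dependency manifests touched."""
    out: List[Finding] = []
    for path in changed_files:
        name = path.rsplit("/", 1)[-1]
        if path.startswith(".github/workflows/"):
            out.append(Finding("workflow-modified", path))
        elif name in DEPENDENCY_MANIFESTS:
            out.append(Finding("dependencies-changed", path))
    return out


def suspicious_domain(host: str) -> bool:
    """Red flag 3: the worm's name split by separators, or hex-encoded."""
    squashed = host.lower().replace("-", "").replace(".", "")
    if "miasma" in squashed or MIASMA_HEX in squashed:
        return True
    # Assumption: a DNS label that is a single long run of hex digits is
    # treated as an encoded-exfiltration indicator.
    return any(re.fullmatch(r"[0-9a-f]{16,}", label) for label in host.lower().split("."))


def flag_runner_log(lines: Iterable[str]) -> List[Finding]:
    """Red flags 2 and 3 over runner log lines in the constructed format."""
    out: List[Finding] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        phase, event, detail = m.group("phase", "event", "detail")
        if event == "run" and phase == "checkout":
            # "bash scripts/lint-fix.sh --quiet" -> script stem "lint-fix"
            for token in detail.split():
                stem = token.rsplit("/", 1)[-1].split(".", 1)[0]
                if stem in SUSPICIOUS_SCRIPT_NAMES:
                    out.append(Finding("script-during-checkout", line))
                    break
        elif event == "connect":
            host = detail.split(":", 1)[0]
            if suspicious_domain(host):
                out.append(Finding("suspicious-egress", host))
    return out


# Constructed sample input: one PR file list and one runner log.
PR_FILES = ["README.md", ".github/workflows/ci.yml", "requirements-dev.txt", "src/app.py"]
RUNNER_LOG = [
    "2026-06-05T09:12:01Z [checkout] run: git fetch --depth=1 origin pull/418/head",
    "2026-06-05T09:12:03Z [checkout] run: bash scripts/lint-fix.sh --quiet",
    "2026-06-05T09:12:04Z [checkout] connect: 6d6961736d61.cdn-static.example:443",
    "2026-06-05T09:12:05Z [build] run: npm ci",
    "2026-06-05T09:12:06Z [build] connect: registry.npmjs.org:443",
    "2026-06-05T09:12:09Z [build] run: node format-code.js",
    "2026-06-05T09:12:10Z [build] connect: files.mi-as-ma.example:443",
]

if __name__ == "__main__":
    for f in flag_pr_files(PR_FILES) + flag_runner_log(RUNNER_LOG):
        print(f"{f.rule:24} {f.evidence}")
```

Note that the "format-code" run in the build phase is deliberately not reported: the red flag as stated is about scripts that execute during checkout, before any build step should be running code from the pull request, so the rule is scoped to that phase rather than to the script name alone.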
Longer term, the industry must rethink how it secures the software supply chain in an AI-first world. Miasma exploited a fundamental asymmetry: while developers increasingly rely on AI to generate and review code, the security tools that protect those AIs have not kept pace. Expect major shifts in how GitHub manages third-party actions, how secrets are scoped in AI services, and how organizations vet contributor permissions.
The Miasma worm is unlikely to be the last of its kind. Security researchers have already spotted variants targeting GitLab repositories and Bitbucket pipelines, using similar linter-based infection vectors. The window for proactive defense is closing. For Microsoft, the damage has been contained—this time. But the 73 disabled repositories stand as a warning: the next supply-chain worm might not stop at stealing credentials. It could start rewriting code.