Microsoft Restores 73 GitHub Repositories After Security Incident Linked to Miasma Attack



Recently, a malicious VS Code extension exposed 3,800 GitHub repositories, highlighting the growing risks facing developers and open-source ecosystems.

Now, a new GitHub-related security incident has emerged, with Microsoft restoring 73 repositories after temporarily removing them over concerns that they may have contained potentially malicious content. The disruption affected developers and CI/CD pipelines while raising fresh concerns about software supply chain security.

The repositories were removed on June 5 across several Microsoft-owned GitHub organizations, including Azure, Microsoft, Azure-Samples, and MicrosoftDocs. According to reports, the incident was detected and contained within just 105 seconds.

Initially, the repositories were taken offline because of concerns that they could be distributing malicious content. Security researchers later linked the removals to the ongoing Miasma supply chain attack campaign, also known as Shai-Hulud.

Azure Functions Deployments Were Impacted

The biggest disruption came from the temporary removal of the Azure/functions-action repository. This GitHub Action is widely used by developers to deploy Azure Functions directly from GitHub workflows.

As soon as the repository became unavailable, workflows that depended on the action started failing because GitHub could no longer resolve the required deployment component.

Developers quickly reported broken pipelines and deployment issues, creating confusion across the Azure development community.

Microsoft later restored all affected repositories and confirmed that they are now considered clean and safe to use.

Questions Raised About Previous Repository Compromise

Security researchers from OpenSourceMalware pointed to Microsoft’s durabletask repository, which had reportedly been compromised in May. The researchers suggested the June incident could indicate an incomplete cleanup from that earlier breach, although Microsoft has not confirmed this theory.

In a community discussion, a Microsoft representative stated that the repositories were disabled because of an “internal management issue” and said that the company was continuing its investigation.

Microsoft also confirmed that it had notified a small number of customers who may have downloaded content from the affected repositories. The company said it would continue monitoring the situation and contact customers through support channels if any additional action becomes necessary.

Miasma Campaign Continues to Expand

Researchers believe the incident may be connected to the broader Miasma or Shai-Hulud supply chain campaign that has targeted multiple software ecosystems in recent months.

Security engineer Adnan Khan said the June 5 GitHub incident appeared to align with the same campaign that previously infected 32 npm packages associated with Red Hat.

Cloudsmith researchers reached a similar conclusion, suggesting that Microsoft’s Azure GitHub environment and the durabletask repository may have been compromised through the Miasma attack chain.

According to investigators, the attackers targeted popular AI-assisted development tools, including Claude Code, Gemini CLI, Visual Studio Code, and Cursor. Researchers believe the threat actors expanded their operation from compromised Red Hat npm packages into Microsoft-owned GitHub resources.

The original attack reportedly began after a Red Hat employee’s GitHub account was compromised, giving attackers access to the @redhat-cloud-services npm namespace.

Malicious PyPI Packages Also Discovered

OpenSourceMalware also reported that the durabletask package on PyPI was compromised through three malicious releases:

  • durabletask 1.4.1
  • durabletask 1.4.2
  • durabletask 1.4.3

The malicious versions were reportedly published in May and formed part of the broader supply chain activity being investigated by security researchers.
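To check a project for the three releases listed above, the following added example (not from the original article, Microsoft, or OpenSourceMalware) scans requirements-style text for exact pins of durabletask 1.4.1 to 1.4.3 and checks the active Python environment. The function names and the sample input are constructed for illustration.

```python
import re
import sys
from importlib import metadata

# Releases the article lists as malicious (reported by OpenSourceMalware).
PACKAGE = "durabletask"
BAD_VERSIONS = {"1.4.1", "1.4.2", "1.4.3"}

# Package name, optional [extras], then an exact pin (== or ===).
PIN_RE = re.compile(r"^\s*([\w.-]+)\s*(?:\[[^\]]*\])?\s*={2,3}\s*([^\s;#\\]+)")

def normalize(name):
    """PEP 503 normalization, so DurableTask and durabletask compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def find_bad_pins(text, source="<input>"):
    """Return (source, line_number, version) for each pin of a listed release."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PIN_RE.match(line)
        if m and normalize(m.group(1)) == PACKAGE and m.group(2) in BAD_VERSIONS:
            hits.append((source, lineno, m.group(2)))
    return hits

def installed_bad_version():
    """Return the installed durabletask version if it is a listed release."""
    try:
        version = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None
    return version if version in BAD_VERSIONS else None

# Constructed sample input (not taken from any real project).
SAMPLE = """\
durabletask==1.4.2 --hash=sha256:PLACEHOLDER
DurableTask[extras] == 1.4.3 ; python_version >= "3.9"
durabletask==1.4.0
durabletask-azuremanaged==1.4.1
durabletask>=1.4.1
"""

if __name__ == "__main__":
    # Scan files named on the command line, or the sample if none are given.
    inputs = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]]
    for name, text in inputs or [("sample", SAMPLE)]:
        for hit in find_bad_pins(text, name):
            print("%s:%d: durabletask==%s is a listed release" % hit)
    print("installed listed release:", installed_bad_version())
```

Only exact pins in requirements or `pip freeze` style are matched; range specifiers such as `>=1.4.1` and other lock-file formats are not evaluated and need a separate review.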

While Microsoft says the affected GitHub repositories have been restored and verified as safe, the incident highlights how quickly software supply chain attacks can spread across development platforms and impact thousands of projects.

In other security news, Microsoft recently warned that a Netlogon vulnerability is being actively exploited in the wild and urged organizations to install security updates. Google has also patched its fifth Chrome zero-day vulnerability of 2026.

Via Bleeping Computer
