Miasma Worm Hits 73 Microsoft GitHub Repos, Exposes AI Coding Tools to Supply Chain Attack

June 6, 2026
  • The Miasma worm, a self-replicating supply chain attack, has compromised 73 Microsoft GitHub repositories across four organizations (Azure, Azure-Samples, Microsoft, and MicrosoftDocs) and deployed a 4.3 MB payload that auto-executes when an affected repository is opened in AI coding tools and through the npm test script.

  • The incident underscores broader weaknesses in open-source software delivery trust models and the urgent need to strengthen supply chain security across ecosystems.

  • A notable element is the re-compromise of the durabletask PyPI package, previously infected by TeamPCP to deliver an information stealer on Linux systems.

  • The attack marks a shift toward targeting AI coding assistants, leveraging the trust in publishers and registries by delivering malicious updates as legitimate code from authenticated maintainers.

  • Security researcher analysis suggests the compromise ripples through the entire Durable Task ecosystem, implying credential loss and re-exposure across multiple languages and platforms.

  • Affected Azure-related repositories include azure-search-openai-demo-purviewdatasecurity, durabletask and its variants, and several other projects listed as affected or compromised.

  • The campaign builds on May compromises tied to the durabletask PyPI package and is linked to the Miasma/mini Shai-Hulud lineage evolving across npm and PyPI.

  • Attackers harvested credentials for cloud and developer ecosystems (AWS, Azure, Google Cloud, Kubernetes, npm, GitHub) and used stolen tokens to propagate to writable repositories, broadening the reach.

  • Open-source supply-chain threats are maturing: the worm bypasses the npm registry and delivers payloads directly to source repositories, extending the threat landscape to AI-assisted development.

  • The attack has bypassed the npm registry by pushing malicious code directly to specific GitHub repos via a dropper that connects to developer tools and CI/CD workflows, with a SafeDep 4.3 MB payload runner activated when developers clone affected repos and use AI coding agents.

  • GitHub temporarily disabled access to the affected repositories, including Azure/azure-functions-host, due to violations of terms of service.

  • Analysts stress that the attack exploits the trust model of software distribution platforms rather than a platform vulnerability, complicating detection and containment.
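
A pre-run check for the auto-execution path described in the summary (a multi-megabyte payload reached through the npm test script), as an added example that is not from the cited sources or any affected project. The lifecycle-hook list, the 1 MB threshold and the names `audit_repo` and `build_sample_repo` are assumptions, and the sample repository is constructed.

```python
import json
import shlex
from pathlib import Path

# "test" is the script named in the summary; the npm install lifecycle hooks are
# included as an assumption, since they also run without being read first.
AUTO_RUN = {"test", "preinstall", "install", "postinstall", "prepare"}
SIZE_LIMIT = 1_000_000  # bytes; assumed threshold, below the reported 4.3 MB


def audit_repo(root, size_limit=SIZE_LIMIT):
    """List (manifest, script, file, size) for every auto-run npm script whose
    command line names an oversized file inside the cloned repository."""
    root, findings = Path(root).resolve(), []
    for manifest in sorted(root.rglob("package.json")):
        if "node_modules" in manifest.parts:
            continue
        try:
            scripts = json.loads(manifest.read_text(encoding="utf-8"))["scripts"]
            commands = {k: str(v) for k, v in scripts.items() if k in AUTO_RUN}
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            continue  # unreadable, malformed, or no scripts section
        for name, command in sorted(commands.items()):
            try:
                tokens = shlex.split(command)
            except ValueError:  # unbalanced quotes: fall back to whitespace
                tokens = command.split()
            for token in tokens:
                try:
                    target = (manifest.parent / token).resolve()
                    inside = target.is_file() and root in target.parents
                    size = target.stat().st_size if inside else 0
                except (OSError, ValueError, RuntimeError):
                    continue
                if size >= size_limit:
                    findings.append((manifest.relative_to(root).as_posix(), name,
                                     target.relative_to(root).as_posix(), size))
    return findings


def build_sample_repo(directory):
    """Constructed sample: a test script that launches a padded 4.3 MB file."""
    repo = Path(directory)
    (repo / "tools").mkdir()
    (repo / "tools" / "runner.js").write_bytes(b"/" * 4_300_000)
    manifest = {"scripts": {"test": "node tools/runner.js", "lint": "eslint ."}}
    (repo / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return repo
```

Call `audit_repo(path)` on a fresh clone before running `npm test` or opening it in an agent. A hit means the file should be read first; an empty result does not clear the repository, because a script can reach a payload indirectly.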

Summary based on 2 sources

