Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack

A self-replicating worm called Miasma has compromised 73 Microsoft repositories across four GitHub organizations, marking a serious escalation in supply chain attack tactics. The affected organizations include Azure, Azure-Samples, Microsoft, and MicrosoftDocs. GitHub disabled access to the compromised repositories in response.

Miasma operates as a self-propagating worm, meaning it spreads automatically without requiring manual intervention from attackers once deployed. This characteristic makes it particularly dangerous in development environments where code repositories serve as central distribution points for software consumed by thousands of organizations downstream.

The attack targets the software supply chain at a critical juncture. Repositories hosted on GitHub serve as trusted sources for developers globally. Compromised code repositories can inject malicious payloads into libraries, tools, and applications that depend on Microsoft's open-source projects. Organizations that pull code from these repositories risk inadvertently incorporating the worm into their own systems and products.

Microsoft's four affected organizations span critical infrastructure areas. Azure repositories contain cloud infrastructure code. Azure-Samples hosts example applications for developers building on Azure. MicrosoftDocs includes documentation repositories, and the Microsoft organization itself holds core projects. The breadth across these organizations suggests the attack had time to propagate before detection.

GitHub's decision to disable access to the repositories contains the immediate damage but raises questions about how the worm gained write access to Microsoft's own repositories. Supply chain attacks of this caliber typically require compromised credentials or exploited CI/CD pipeline vulnerabilities.

OpenSourceMalware reported the incident, indicating security researchers are actively monitoring GitHub for similar malware campaigns. Miasma joins a growing list of self-replicating threats targeting development platforms, including previous worms that have compromised npm packages and other repository ecosystems.

Organizations using code from these Microsoft repositories should audit their dependency chains immediately. Developers should