By stepsecurity.io
Publication Date: 2026-06-05 12:00:00
On June 5, 2026, the Miasma worm campaign reached Microsoft’s Azure GitHub organizations. GitHub disabled 73 repositories across four Microsoft GitHub organizations after a malicious commit was pushed to the Azure/durabletask repository using a previously compromised contributor account. The attack planted configuration files that execute a credential-harvesting payload when a developer opens the repository in Claude Code, Gemini CLI, Cursor, or VS Code.
Background
On May 19, we reported that three malicious versions of Microsoft’s durabletask PyPI package were uploaded in a 35-minute window, planting a credential-harvesting payload that steals secrets from AWS, Azure, GCP, Kubernetes, and 90+ developer tool configurations. The attacker bypassed the repository’s CI/CD pipeline entirely and uploaded directly to PyPI using a compromised publishing token.
On June 5, the same contributor account was used again to push a malicious commit directly into the Azure/durabletask GitHub…
