Miasma worm infects 73 Microsoft GitHub repos
Attackers used a compromised Red Hat developer account and GitHub OIDC tokens to publish malicious npm packages that aim to harvest Azure and Google Cloud credentials.
Security researchers report the self-replicating Miasma worm reached 73 Microsoft GitHub repositories in early June after attackers compromised a Red Hat developer’s GitHub account. The actors injected unreviewed orphan commits that added a minimal GitHub Actions workflow to request OpenID Connect (OIDC) tokens, then used those tokens to build and publish 32 malicious npm package versions to the registry.
Because the builds used legitimate OIDC tokens, the published packages included valid SLSA provenance attestations. The provenance made the malicious releases look like routine, trusted updates to standard registry scanners. The worm generates a uniquely encrypted payload for each installation, so file signatures and hashes vary between infections and prevent broad detection based on static indicators.
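Valid provenance says who built a package, not whether that build was supposed to happen, so a consumer needs a policy on top of signature verification. The following is an added example, not code from the article or from any of the firms it cites: it checks a SLSA v1 provenance statement in the layout npm attaches to GitHub Actions builds (the field names are an assumption about that format, and every value in the two sample statements is constructed) against a pinned repository, owner id, workflow file, ref pattern, trigger event and builder. The suspicious sample has a genuine-looking attestation from the right repository, yet it was produced by a different workflow file on a throwaway branch via a manual trigger, which is the shape of release an injected workflow would yield.

```python
import copy
import fnmatch
import json

# Constructed sample: an in-toto statement laid out like the SLSA v1 provenance
# that npm attaches to GitHub Actions builds. Field names follow that format as
# understood here (an assumption); every value is made up for the example.
GOOD_PROVENANCE = json.loads("""
{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [{"name": "pkg:npm/%40example-org/widget@1.2.3",
               "digest": {"sha512": "constructed-digest"}}],
  "predicateType": "https://slsa.dev/provenance/v1",
  "predicate": {
    "buildDefinition": {
      "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
      "externalParameters": {
        "workflow": {
          "ref": "refs/tags/v1.2.3",
          "repository": "https://github.com/example-org/widget",
          "path": ".github/workflows/release.yml"
        }
      },
      "internalParameters": {
        "github": {"event_name": "push", "repository_owner_id": "1111"}
      }
    },
    "runDetails": {
      "builder": {"id": "https://github.com/actions/runner/github-hosted"}
    }
  }
}
""")

# Same repository and builder, but built from a throwaway branch by a different
# workflow file and fired manually: what a sneaked-in workflow would produce.
SUSPICIOUS_PROVENANCE = copy.deepcopy(GOOD_PROVENANCE)
_wf = SUSPICIOUS_PROVENANCE["predicate"]["buildDefinition"]["externalParameters"]["workflow"]
_wf["ref"] = "refs/heads/release-fix"
_wf["path"] = ".github/workflows/build.yml"
SUSPICIOUS_PROVENANCE["predicate"]["buildDefinition"]["internalParameters"]["github"]["event_name"] = "workflow_dispatch"

# Consumer-side policy (hypothetical values): what a release of this package is
# allowed to look like. The owner id is pinned alongside the name because a
# repository name can be re-created after a rename or deletion.
POLICY = {
    "repository": "https://github.com/example-org/widget",
    "repository_owner_id": "1111",
    "workflow_paths": {".github/workflows/release.yml"},
    "ref_pattern": "refs/tags/v*",
    "event_names": {"push", "release"},
    "builder_ids": {"https://github.com/actions/runner/github-hosted"},
}


def check_provenance(statement: dict, policy: dict) -> list[str]:
    """Return policy violations for a provenance statement; empty means it passes.

    Assumes the Sigstore signature on the statement was already verified
    (e.g. by `npm audit signatures`); this only judges *what* was attested.
    """
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        return ["unexpected predicateType"]
    pred = statement.get("predicate", {})
    build = pred.get("buildDefinition", {})
    wf = build.get("externalParameters", {}).get("workflow", {})
    gh = build.get("internalParameters", {}).get("github", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")

    violations = []
    if builder not in policy["builder_ids"]:
        violations.append(f"builder {builder!r} is not an approved builder")
    if wf.get("repository") != policy["repository"]:
        violations.append(f"built from repository {wf.get('repository')!r}")
    if gh.get("repository_owner_id") != policy["repository_owner_id"]:
        violations.append("repository owner id does not match the pinned owner")
    if wf.get("path") not in policy["workflow_paths"]:
        violations.append(f"built by unapproved workflow file {wf.get('path')!r}")
    if not fnmatch.fnmatchcase(wf.get("ref", ""), policy["ref_pattern"]):
        violations.append(f"built from ref {wf.get('ref')!r}, not a release tag")
    if gh.get("event_name") not in policy["event_names"]:
        violations.append(f"triggered by {gh.get('event_name')!r}, not a release event")
    return violations


if __name__ == "__main__":
    for label, stmt in [("good", GOOD_PROVENANCE), ("suspicious", SUSPICIOUS_PROVENANCE)]:
        print(label, check_provenance(stmt, POLICY) or "OK")
```

The design point is that each pinned field closes a different gap: the workflow path and ref pattern reject builds from a workflow file or branch that the maintainers never use for releases, the event name rejects manual dispatch, and the owner id survives repository renames. A scanner that only asks "is there a valid attestation?" answers yes for both samples.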
Researchers tracing the activity attribute the campaign to the threat group TeamPCP and describe Miasma as an evolution of the Mini Shai-Hulud family. Earlier variants focused on scraping local secrets; Miasma includes collectors designed to harvest cloud identities from infected developer machines and any CI/CD runners it can reach. The code attempts to collect accounts and tokens for Microsoft Azure and Google Cloud Platform.
Microsoft notified a small number of customers who may have downloaded affected tools; the company has not disclosed a total download count. Security firms tracking the incident advise organizations using Azure and Red Hat tooling to assume potential secret exposure and rotate credentials and tokens.
Those firms also recommend reviewing CI/CD access controls, enforcing least privilege for federated tokens such as OIDC, and assuming compromised developer environments may have leaked keys or tokens.
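One concrete form of that least-privilege review, as an added example rather than anything the article or the firms it quotes published: a Python audit over parsed GitHub Actions workflows that flags the places where an OIDC token can be minted more broadly than a release needs. The two sample workflows are constructed inline as the dicts `yaml.safe_load` would return (the YAML 1.1 quirk that turns the `on:` key into the boolean `True` is handled). It flags workflow-wide `id-token: write`, triggers a collaborator can fire against any branch, pushes without a tag filter, and publish jobs that run outside a protected environment.

```python
# Sample workflows constructed for this example, written as the dicts that
# yaml.safe_load would return. YAML 1.1 parses the top-level `on:` key as the
# boolean True, so the audit looks for both spellings.

# on: [push, workflow_dispatch]
# permissions: {id-token: write, contents: read}
# jobs.publish: checkout, then `npm publish --provenance`
LOOSE_WORKFLOW = {
    "name": "publish",
    True: ["push", "workflow_dispatch"],
    "permissions": {"id-token": "write", "contents": "read"},
    "jobs": {
        "publish": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"run": "npm publish --provenance"},
            ],
        }
    },
}

# on: push: tags: ['v*']; contents: read at top level; only the publish job
# gets id-token: write, and it runs in a protected environment.
TIGHT_WORKFLOW = {
    "name": "release",
    True: {"push": {"tags": ["v*"]}},
    "permissions": {"contents": "read"},
    "jobs": {
        "publish": {
            "runs-on": "ubuntu-latest",
            "environment": "npm-release",
            "permissions": {"id-token": "write", "contents": "read"},
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"run": "npm ci"},
                {"run": "npm publish --provenance"},
            ],
        }
    },
}

# Triggers that a collaborator can fire against any branch they can push.
BROAD_TRIGGERS = {"workflow_dispatch", "pull_request", "pull_request_target"}


def grants_id_token(perms) -> bool:
    """True if a permissions block lets a job mint an OIDC token."""
    if perms == "write-all":
        return True
    return isinstance(perms, dict) and perms.get("id-token") == "write"


def publishes(job: dict) -> bool:
    """True if any step of the job runs `npm publish`."""
    return any("npm publish" in (step.get("run") or "") for step in job.get("steps", []))


def audit_workflow(wf: dict) -> list[str]:
    """Return findings about OIDC token scope in one parsed workflow."""
    findings = []
    triggers = wf.get("on", wf.get(True, {}))
    if isinstance(triggers, str):
        triggers = [triggers]
    trigger_names = set(triggers)  # works for both the list and the mapping form
    top_perms = wf.get("permissions", {})
    if grants_id_token(top_perms):
        findings.append("workflow-level permissions grant id-token: write to every job")

    for name, job in wf.get("jobs", {}).items():
        # A job without its own permissions block inherits the workflow-level one.
        if not grants_id_token(job.get("permissions", top_perms)):
            continue
        broad = trigger_names & BROAD_TRIGGERS
        if broad:
            findings.append(f"job {name}: OIDC token mintable via {sorted(broad)}")
        if "push" in trigger_names:
            push = triggers.get("push") if isinstance(triggers, dict) else None
            if not (isinstance(push, dict) and push.get("tags")):
                findings.append(f"job {name}: OIDC token mintable on push to any branch")
        if publishes(job) and "environment" not in job:
            findings.append(f"job {name}: publishes with OIDC but no protected environment")
    return findings


if __name__ == "__main__":
    for label, wf in [("loose", LOOSE_WORKFLOW), ("tight", TIGHT_WORKFLOW)]:
        print(label, audit_workflow(wf) or "OK")
```

The environment check matters for the same reason as the trigger checks: a protected environment with required reviewers puts a human approval in front of the token, and the environment name also lands in the OIDC subject claim, so the cloud side can scope its federation trust to that one job rather than to the whole repository.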
Ilkka Turunen, field CTO at Sonatype, warned: “An attack that begins with a seemingly insignificant open source package can quickly cascade across organizations, platforms and users. Organizations need to treat the software supply chain as part of their security perimeter. The attackers already do.”
The incident shows attackers can use stolen developer credentials and legitimate automation tokens to produce malicious artifacts that appear authentic to supply-chain scanners.