- Threat actor reused unrotated GitHub Actions secrets to compromise 73 Microsoft repos
- Miasma worm planted across Azure, Microsoft, Azure-Samples and MicrosoftDocs organizations
- Microsoft pulled affected repos, notified affected customers and is continuing the investigation
GitHub has disabled 73 of Microsoft’s repositories after a threat actor allegedly used credentials stolen a month ago to break in and plant an info stealer.
The news was confirmed by security firm Cloudsmith and community-run malware analysis site OpenSourceMalware, which revealed that in mid-May 2026, someone (most likely TeamPCP) used Microsoft’s stolen GitHub Actions secrets to release malicious PyPI packages. Although these were quickly pulled from the platform, it appears that Microsoft never rotated the secrets used in this attack.
Now it appears that the same threat actor used the same credentials to compromise 73 new repositories spanning four GitHub organizations: Azure, Azure-Samples, microsoft, and MicrosoftDocs. The Azure organization bore the brunt, losing 49 repos, pretty much everything the Functions team ships.
Significant fallout
The main difference is that this time it was not the Mini Shai-Hulud worm that was distributed, but rather the Miasma worm, a spin-off that arose after TeamPCP open-sourced Mini Shai-Hulud.
The researchers say the practical fallout was quite significant, as some libraries run inside the pipelines of others. For example, every workflow that references Azure/functions-action@v1 stopped resolving.
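For teams checking their own exposure, the following Python check is an added example, not code from the article or the researchers it cites. It lists every `uses:` reference in a workflow file that points at one of the four organizations named above and marks whether the reference is a movable tag or branch or a full commit SHA. The sample workflow and the `example-repo` and `example-action` names are constructed; only `Azure/functions-action@v1` comes from the article.

```python
import re

# Organizations the article names as affected (compared case-insensitively).
AFFECTED_ORGS = {"azure", "azure-samples", "microsoft", "microsoftdocs"}

# "uses: owner/repo[/path]@ref" for a step or a reusable-workflow call.
# Local (./...) and docker:// references do not match this pattern.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+)/([\w.-]+)((?:/[^@\s'\"]+)?)@([^\s'\"#]+)"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; repo names other than functions-action are made up.
SAMPLE = """\
name: deploy
on: push
jobs:
  build:
    uses: Azure-Samples/example-repo/.github/workflows/build.yml@main
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Azure/functions-action@v1
      - uses: microsoft/example-action@0123456789abcdef0123456789abcdef01234567
      # - uses: Azure/example-old@v2
"""

def find_affected_refs(workflow_text, path="<workflow>"):
    """Return one finding per `uses:` line that points at an affected org."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)  # commented-out steps start with '#', so no match
        if not m:
            continue
        owner, repo, _subpath, ref = m.groups()
        if owner.lower() not in AFFECTED_ORGS:
            continue
        # A tag or branch can be repointed by whoever controls the repo;
        # a full 40-character commit SHA cannot.
        findings.append({"path": path, "line": lineno, "action": f"{owner}/{repo}",
                         "ref": ref, "mutable_ref": FULL_SHA_RE.match(ref) is None})
    return findings

if __name__ == "__main__":
    for finding in find_affected_refs(SAMPLE, "sample.yml"):
        print(finding)
```

A reference pinned to a commit SHA still fails to resolve while the repository is disabled, so every finding matters for availability; the `mutable_ref` flag identifies the references that would have followed a repointed tag or branch.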
Microsoft spokesman Ben Hope told TechCrunch the company has “temporarily removed some inventory as we investigated potentially harmful content.”
“Some of these repositories have been restored following review, while others may remain offline while work continues,” Hope added. “As part of our investigation, we notified a small number of customers who may have pulled content from the affected repositories. We will continue to investigate, and if anything further is identified that requires customer action, we will reach out directly through our established support channels.”
Microsoft couldn’t say how many customers the incident affected, but it’s safe to assume it’s in the tens of thousands, if not more.
