Attackers have deployed a self-propagating worm, dubbed Miasma, that has infiltrated 73 Microsoft repositories on GitHub. The campaign leverages a GitHub account compromised in a prior Miasma-related breach last month, indicating a sustained, targeted campaign against Microsoft's development infrastructure.
The worm's ability to self-replicate across repositories marks a significant escalation in supply chain attacks. Unlike typical malware that relies on manual propagation, Miasma autonomously spreads, increasing the potential for widespread compromise of downstream software that depends on these repositories. The full scope of affected code and any malicious modifications remains under investigation.
Technical analysis reveals the worm exploits stolen credentials from the earlier GitHub account breach to inject malicious code into repository files. Once planted, it automatically duplicates itself into connected repositories, effectively creating a network of tainted codebases. Indicators of compromise include unexpected commits from the compromised account and unauthorized changes to repository contents.
Microsoft has not yet released a public patch or workaround specific to Miasma, but the company is actively investigating the 73 affected repositories. Developers who use code from these repositories are advised to audit their dependencies and review commit histories for unusual activity. GitHub is expected to revoke access for the compromised account and enhance authentication controls.
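The indicators named above (unexpected commits from a compromised account, unauthorized changes to repository contents) and the advice to review commit histories translate directly into a commit-history audit. The script below is an added example written for this article, not tooling from Microsoft, GitHub or the investigation: it parses the output of a `git log` format string, flags commits attributed to identities an organisation has declared compromised, and separately flags commits that touch build or CI paths, calling out the case where the author and committer identities differ on such a change. The log text, account names, e-mail addresses, hashes and the list of "sensitive" path patterns are all constructed placeholders, not real indicators from this incident.

```python
"""Audit a repository's commit history for the kinds of indicators described
in the article: commits from a known-compromised identity and unexpected
changes to files that control what gets built or published.

Input shape is the output of:
  git log --format='COMMIT %H|%an|%ae|%cn|%ce|%aI|%s' --name-only
"""
import re
import sys
from dataclasses import dataclass, field

# Constructed sample log for this example. Hashes, names and e-mails are
# placeholders and do not correspond to any real repository or account.
SAMPLE_LOG = """\
COMMIT 1111111111111111111111111111111111111111|Alice Dev|alice@example.com|Alice Dev|alice@example.com|2024-05-01T10:00:00+00:00|Fix typo in README
README.md

COMMIT 2222222222222222222222222222222222222222|Alice Dev|alice@example.com|build-helper|helper@example.net|2024-05-02T03:14:00+00:00|Update build script
scripts/build.ps1
.github/workflows/ci.yml

COMMIT 3333333333333333333333333333333333333333|compromised-acct|compromised@example.net|compromised-acct|compromised@example.net|2024-05-02T03:20:00+00:00|Minor cleanup
src/setup.py
"""

# Identities the organisation has declared compromised (placeholder value;
# in practice this comes from the incident response team or GitHub notice).
FLAGGED_IDENTITIES = {"compromised@example.net"}

# Paths where an unexpected change alters the build or release pipeline.
# Assumed patterns for this example; tune to the repository being audited.
SENSITIVE_PATTERNS = [re.compile(p) for p in (
    r"^\.github/workflows/",
    r"(^|/)setup\.py$",
    r"(^|/)build\.(ps1|sh)$",
)]


@dataclass
class Commit:
    sha: str
    author_email: str
    committer_email: str
    when: str
    subject: str
    files: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Turn the COMMIT-header-plus-file-list format into Commit records."""
    commits = []
    for line in text.splitlines():
        if line.startswith("COMMIT "):
            sha, _an, ae, _cn, ce, when, subject = line[len("COMMIT "):].split("|", 6)
            commits.append(Commit(sha, ae, ce, when, subject))
        elif line.strip() and commits:
            # Non-empty lines after a header are paths changed by that commit.
            commits[-1].files.append(line.strip())
    return commits


def audit(commits, flagged):
    """Return the commits that warrant manual review, with the reasons why."""
    suspicious = []
    for c in commits:
        if c.author_email in flagged or c.committer_email in flagged:
            c.reasons.append("identity on compromised list")
        hits = [f for f in c.files if any(p.search(f) for p in SENSITIVE_PATTERNS)]
        if hits:
            c.reasons.append("touches build/CI path: " + ", ".join(hits))
            # A committer who is not the author is routine for merges, but on a
            # build/CI change it is worth a second look.
            if c.author_email != c.committer_email:
                c.reasons.append("author/committer mismatch on build/CI change")
        if c.reasons:
            suspicious.append(c)
    return suspicious


if __name__ == "__main__":
    # Pipe real `git log` output in, or run with no input to see the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for c in audit(parse_log(text), FLAGGED_IDENTITIES):
        print(f"{c.sha[:12]} {c.when} {c.author_email}: {c.subject}")
        for r in c.reasons:
            print(f"    - {r}")
```

Run it against a real checkout with `git log --format='COMMIT %H|%an|%ae|%cn|%ce|%aI|%s' --name-only | python audit.py`. The output is a review queue, not a verdict: a flagged identity is a strong signal, while a build or CI change with differing author and committer is only a prompt to read the diff. Dependency consumers can run the same audit over each vendored or pinned upstream repository for the time window of the compromise.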
Attribution remains unclear, though the use of a previously compromised GitHub account suggests a methodical, long-term approach by the threat actors. The incident underscores the growing risk of supply chain attacks targeting centralized code repositories, where a single breach can cascade across thousands of downstream projects.