News
Supply Chain Attack Hits Microsoft GitHub Repos, AI Coding Tools
GitHub disabled 73 Microsoft repositories on June 5 after a malicious commit landed in an Azure project, in what researchers described as a supply chain attack aimed at developer workstations and AI coding environments.
The incident, which was brought to light by an analysis by security firm StepSecurity, was tied to the Miasma worm campaign and affected repositories across four Microsoft GitHub organizations, including Azure Functions projects, Durable Task components, Azure Samples and Microsoft documentation. StepSecurity said the most immediate disruption came from the temporary disabling of Azure/functions-action, the official GitHub Action used by many devs to deploy Azure Functions.
"On June 5, 2026, the Miasma worm campaign reached Microsoft's Azure GitHub organizations," StepSecurity said. "GitHub disabled 73 repositories across four Microsoft GitHub organizations after a malicious commit was pushed to the Azure/durabletask repository using a previously compromised contributor account."
Microsoft, in a Microsoft Learn Q&A thread, described the Azure/functions-action outage as an "internal management issue" that was under investigation. A Microsoft moderator later said access had been restored.
This latest incident the second time in recent weeks that Microsoft's durabletask ecosystem has surfaced in a supply chain attack. In May, StepSecurity reported that three malicious versions of Microsoft's durabletask Python SDK -- 1.4.1, 1.4.2 and 1.4.3 -- had been posted to PyPI before being removed.
According to the security firm, this time the attacker took a different approach. Instead of trying to compromise developers through a poisoned software package, the threat actor targeted the tools devs use to work with code. A malicious commit was pushed to the Azure/durabletask repository using the same contributor account linked to the earlier PyPI incident, according to the report.
The commit did not alter the project's source code. StepSecurity said it added configuration files that could trigger a credential-stealing payload when the repository was opened in Claude Code, Gemini CLI, Cursor or Visual Studio Code.
"The shift from 'execute on package install' to 'execute on folder open' is significant," StepSecurity said. "Supply chain defenses have historically focused on package install hooks."
The malicious files included Claude and Gemini settings, a Cursor rule, a VS Code task file and a 4.6 MB obfuscated JavaScript payload. StepSecurity said the setup made cloning the repository safe, but opening it in certain tools potentially dangerous.
"Cloning the repository is safe. Opening it is not," the company said.
StepSecurity said GitHub disabled the repositories in two waves over 105 seconds, suggesting the response was automated rather than a manual takedown. The affected projects included Azure Functions runtime components, language workers, extension bundles, Durable Task SDKs and AI-related samples.
The shutdown also caused problems for developers using Azure/functions-action in GitHub Actions workflows. According to StepSecurity, workflows that referenced Azure/functions-action@v1 stopped working while the repository was unavailable.
StepSecurity urged developers who cloned affected repositories after June 2 and opened them in VS Code, Claude Code, Cursor or Gemini CLI to assume their systems may have been compromised. The company recommended rotating credentials, including GitHub tokens, cloud keys, service principals, SSH keys, Kubernetes secrets and environment variables.