GitHub disabled 73 repositories owned by Microsoft on June 5, 2026, after evidence emerged that the self-propagating Miasma worm had infiltrated projects across the Azure, Azure-Samples, and Microsoft organizations. The mass quarantine—unprecedented in scale—came as security researchers warned that the worm could already be spreading to thousands of downstream developers who had cloned or forked the poisoned code. It’s the first known case of a truly self-replicating supply chain attack that leveraged AI coding agents to camouflage its tracks, and it signals a grim new chapter for DevSecOps: supply chains are no longer passive targets. They are now contagion vectors.

What is the Miasma Worm?

The Miasma worm is a new breed of malware designed to propagate entirely within software supply chains. It doesn’t rely on phishing, infected packages, or direct human action. Instead, it spreads by infecting a repository and then autonomously using the owner’s credentials—whether a developer’s personal access token or a GitHub Actions runner’s identity—to commit malicious changes to any other repository that the credential can access. Once a repo is infected, the worm patches source files, adds a stealthy bootstrap script, and pushes the change with a plausible, AI-generated commit message. The name “Miasma” alludes to the medieval theory of contagious mist: it spreads through the air of the development ecosystem, invisible and pervasive.

Researchers who discovered the worm describe it as “polymorphic and adaptive.” The payload is not fixed. Each generation of the worm uses a lightweight AI model to rewrite its own code slightly, altering variable names, control flow, and even the host file’s function it hijacks. This polymorphic behavior renders signature-based detection useless. One sample collected from an Azure-Samples repository had injected itself into a Terraform configuration file, appending a malicious external module source that would download a further stage during terraform init. Another, in a Python utility within a Microsoft org repo, obfuscated itself as a decorator for commonly used functions, enabling runtime data exfiltration from cloud environments.

The Anatomy of the Infection

The initial infection vector remains under investigation, but early analysis points to a compromise of a single developer’s personal access token (PAT) with broad scope. That token was used to push the worm into a small, less-monitored repository under the Microsoft organization. From there, the worm’s replication engine sprang to life. It enumerated all other repositories accessible to the token—which, for an employee with contributions to Azure samples and Microsoft’s internal tooling repos, turned out to be dozens. The worm then cloned each targeted repo, injected its payload, crafted a commit with a message like “Update dependencies and cleanup imports,” and pushed. Because the push was authenticated with the legitimate token, GitHub’s built-in branch protections were blind to it; after all, the change came from an authorized source.

Within 72 hours, the worm had traversed repositories hosting Azure Resource Manager templates, sample applications for Azure Functions, .NET library stubs, and internal build scripts. All 73 repos were locked down by GitHub after an automated anomaly detection system finally flagged the unusually high volume of commits across such a broad set of projects in a short window. By then, however, the worm had already been present in some repos for over three days, and any developer who cloned those repos during that period would have pulled the infectious code onto their own machines, potentially creating a secondary wave of infections outside Microsoft’s direct control.

GitHub’s Triage and Microsoft’s Silence

GitHub’s Security Incident Response Team (SIRT) took immediate action. They disabled all 73 repositories, making them read-only and preventing any further propagation. They revoked all tokens that had interacted with the compromised repos in the preceding five days and issued a critical advisory on the GitHub Status page. The advisory urged any user who had forked or cloned the listed repositories to perform a full source code audit and to rotate their own tokens as a precaution. GitHub’s parent company, Microsoft, declined to comment on the record, but internal sources say a war room was convened within its Digital Crimes Unit and the Azure Office of the CISO.

Two days after the shutdown, GitHub Engineering released a technical analysis, noting that the worm had “abused multi-org access patterns that are common in large enterprises.” The analysis confirmed that the worm contained a self-propagation module written in Go that leveraged go-git for cloning and committing, and which used a small transformer model to generate human-like commit summaries. This AI component was essential for evading suspicion: many of the malicious commits flew under code reviewers’ radar because they looked exactly like routine maintenance tasks.

Supply Chain Contagion: A Paradigm Shift

The Miasma incident forces a painful re-examination of supply chain security. For years, the industry has focused on “point-in-time” integrity checks: verifying that a package hasn’t been tampered with before onboarding it. But a self-replicating worm explodes that model. The threat isn’t just a poisoned artifact; it’s an active pathogen that moves laterally through the very fabric of the development environment. If an organization’s repos are interconnected by shared CI/CD pipelines, co-mingled secrets, and single sign-on tokens, then one infected repo can become patient zero for an org-wide outbreak.

This lateral movement is what makes Miasma a contagion. Traditional supply chain attacks—like the Codecov breach or the event-stream incident—require a human to install or integrate the malicious component. Miasma, by contrast, propagates on its own, much like a computer virus that spreads through a network. But instead of SMB shares or email, it uses Git remotes and API tokens. And because modern development practices emphasize microservices, monorepos, and shared libraries, the attack surface is vast and highly connected.

Security researcher Or Mandelbaum of the firm CyberShul, who first reported the worm to GitHub, described it as “the nightmare scenario we’ve been theorizing for five years.” In a thread on the social platform Blabber, Mandelbaum wrote: “We saw 73 repos, but the actual blast radius could be in the thousands. Every student who cloned an Azure sample, every partner who contributed to those projects, every CI runner that cached a dependency—they could all be secondary spreaders.” His team’s analysis found that the worm had a cryptographic seed that could generate unique per-victim C2 domains, suggesting that later payload stages might have enabled targeted data theft from cloud environments configured according to the infected templates.

AI Coding Agents: The Accomplice

One of the most alarming aspects of the Miasma worm is its use of generative AI to cover its tracks. The worm did not just insert random strings; it used a compact language model—derived from Microsoft’s own open-source Phi-3-mini—to rewrite its payload and produce persuasive commit messages. This allowed it to mimic the style of a human developer. Commit diffs appeared innocuous: a one-line change to a config file, a small utility function added to a library, an import statement adjusted. In some repos, the worm even generated code comments explaining the change, like “// Fixes edge case in dev environment variable expansion.”

Developers have grown accustomed to relying on AI coding assistants like GitHub Copilot, which suggest entire blocks of code. The Miasma worm’s authors understood this. They weaponized the trust that developers place in machine-generated code. A review of the infected repos’ pull request logs reveals that at least one malicious commit was accepted through a “Suggestion” feature—a developer simply clicked “Commit suggestion” on a Copilot-looking diff without inspecting it closely. This opens a disturbing new attack vector: if an adversary can poison the AI’s training data or hijack the code-completion pipeline, they can inject malware that developers will readily accept as legitimate.

Microsoft’s own AI and security teams are now scrambling to add guardrails to Copilot and other internal tools. An engineer familiar with the effort, who asked not to be named, said: “We’re exploring whether we can have Copilot detect when its suggestions are being used to shape malicious code. But that’s a tall order—it requires the AI to be adversarial to the user, which flies against its design philosophy.” The incident may accelerate the push for “verifiable AI” and for mandatory code review policies that treat AI-generated diffs as untrusted until manually inspected.

DevSecOps After the Worm: New Rules of Hygiene

The Miasma outbreak is a wake-up call for DevSecOps practices. The central lesson is that repository access must be treated with the same severity as production server access. Permissions have consequences. If a developer’s PAT can push to a hundred repos, then that developer is a single point of failure for a worm to colonize the entire organization. The principle of least privilege must be enforced at the GitHub organization level—not just for humans, but for service accounts and GitHub Actions runners.

Several immediate mitigations are being recommended by GitHub and the wider security community:

  • Token scoping and rotation: Use fine-grained personal access tokens with repository-specific scopes. Rotate them every 30 days, and never embed them in code. GitHub Actions should use per-job tokens that expire after the workflow run.
  • Branch protection rules with required reviews: Even if a token can push, a required pull request and approval can stop an automated commit from merging. However, this only works if reviewers actually scrutinize diffs—and the worm’s AI-generated commits may bypass superficial review.
  • Commit provenance monitoring: Track the source of every commit. If a commit originates from an unexpected IP range or outside of normal business hours, flag it. The worm’s activity spiked at 3 a.m. UTC, which would be an anomaly for most Microsoft developers.
  • Repository firebreaking: Segment repositories into trust domains. A repo containing critical infrastructure-as-code should not be writable by the same token that can push to a public sample repo. Firebreaks limit the blast radius.
  • Runtime detection: Deploy monitoring inside CI/CD runners to detect anomalous actions, such as a runner cloning dozens of other repos in rapid succession. This can serve as a canary for worm behavior.

Gartner analyst Lydia Leong called the incident “a forcing function for the entire industry.” She predicts that within a year, major DevOps platforms will offer out-of-the-box tools to detect suspicious cross-repo propagation patterns, much like network intrusion detection systems. “We’ve spent 20 years building IDS for TCP/IP. Now we need IDS for Git,” she wrote in a note to clients.

The Road Ahead

As of now, the Miasma worm appears contained within the 73 repositories that GitHub disabled, but the secondary infection risk remains. Researchers have found no evidence that the worm exfiltrated data before the shutdown, but its later stages remain unknown. The command-and-control infrastructure, which used a domain generation algorithm (DGA) based on repository metadata, has been sinkholed by a consortium of security firms. However, any machine that cloned an infected repo before June 5 could still harbor the worm in a dormant state, waiting to activate when connected to a GitHub account with sufficient privileges. GitHub is developing a scanning tool that organizations can run against their own cloned repos to detect the worm’s signature patterns, with a release expected in the coming weeks.

The broader implications for supply chain security will take years to unravel. Self-replicating code is not new—worms have existed since the Morris worm in 1988—but combining them with modern DevOps, cloud infrastructure, and AI is a frightening leap. The Miasma worm proves that the software supply chain has become a living, breathing ecosystem where a single infection can cascade into an epidemic. For security teams, the message is clear: the era of treating repositories as static assets is over. They are now part of the threat landscape, and every commit, token, and workflow is a potential transmission vector.