Back to Intelligence

Miasma Worm Supply Chain Attack: Analysis & Defending Microsoft GitHub Repositories

SA
Security Arsenal Team
June 6, 2026
5 min read

Introduction

Security Arsenal is actively tracking a critical supply chain campaign dubbed the "Miasma" worm. This self-replicating threat has successfully infiltrated 73 Microsoft GitHub repositories across four primary organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. GitHub has been forced to disable access to these repositories to contain the spread.

For defenders, this highlights a painful reality: even the most mature development environments are susceptible to automated, self-propagating repository worms. The integrity of CI/CD pipelines and the trust in public repositories are currently at risk. Organizations utilizing samples or code from these specific Microsoft orgs must immediately assess their environments for potential compromise.

Technical Analysis

Affected Products & Platforms

  • Platform: GitHub (SaaS)
  • Affected Organizations: Azure, Azure-Samples, Microsoft, MicrosoftDocs
  • Scope: 73 repositories confirmed disabled by GitHub.

Vulnerability & Threat Mechanism

While no specific CVE has been assigned to this campaign (indicating a functional abuse of platform features or compromised credentials rather than a software vulnerability), the Miasma worm operates via a self-replicating supply chain mechanism.

  • Attack Vector: The worm likely abuses repository tokens or Actions to automate forking, cloning, or modifying repository contents. By targeting "Samples" repositories, the attackers increase the likelihood that developers will clone compromised code into local development environments or internal CI/CD pipelines.
  • Propagation: As a self-replicating worm, Miasma does not require manual intervention to spread. It likely leverages the GitHub API to identify targets and replicate its payload across linked repositories or forks.
  • Exploitation Status: Confirmed Active Exploitation. GitHub has taken the drastic step of disabling repository access, indicating active containment measures are underway. This is not a theoretical proof-of-concept; it is an active incident affecting critical infrastructure documentation and sample code.

Detection & Response

Detecting a repository worm requires looking beyond the endpoint and into the version control activity and process execution chains related to development tools. The following rules focus on identifying unusual Git behavior and suspicious execution patterns often associated with supply chain compromises.

SIGMA Rules

YAML
---
title: Suspicious Git Remote Modification - Miasma Indicators
id: 8a4d9e12-5b6c-4d1f-9a8e-2b3c4d5e6f7a
status: experimental
description: Detects suspicious modifications to Git remote URLs, often associated with repository worms redirecting traffic or pushing to malicious origins.
references:
  - https://github.com/security-lab
date: 2026/06/01
author: Security Arsenal
tags:
  - attack.defense_evasion
  - attack.t1021.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\git.exe'
      - '\gh.exe'
    CommandLine|contains:
      - 'remote add'
      - 'remote set-url'
      - 'remote update'
  condition: selection
falsepositives:
  - Legitimate developer repository management
level: medium
---
title: Azure Samples Directory Suspicious Child Process
id: 9b5e0f23-6c7d-5e2g-0b9f-3c4d5e6f7g8h
status: experimental
description: Detects processes spawned from within Azure sample directories often cloned by developers, potentially indicating execution of malicious payloads from the Miasma campaign.
references:
  - Internal Security Arsenal Research
date: 2026/06/01
author: Security Arsenal
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|contains:
      - '\Azure-Samples'
      - '\azure-samples'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wscript.exe'
  filter:
    CommandLine|contains:
      - 'npm install'
      - 'dotnet build'
      - 'python -m pip'
  condition: selection and not filter
falsepositives:
  - Legitimate build processes within sample directories
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious Git activity and PowerShell execution linked to Azure samples
let TimeWindow = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeWindow)
| where FileName in~ ('git.exe', 'gh.exe', 'powershell.exe')
| where ProcessCommandLine has_any ('remote', 'clone', 'pull')
| where FolderPath has_any ('Azure-Samples', 'azure-samples', 'MicrosoftDocs')
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for recently modified .git/config files in user directories
-- which may indicate unauthorized remote modifications by the Miasma worm
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs='/*/.git/config', root=fsPaths='/Users/', accessor='auto')
WHERE Mtime > now() - 24h
  AND Size > 0

-- Check for suspicious processes spawning from Git related directories
SELECT Pid, Name, CommandLine, Exe, ParentPid
FROM pslist()
WHERE Exe =~ 'git' OR Exe =~ 'gh'
   AND CommandLine =~ 'remote'

Remediation Script (PowerShell)

PowerShell
# Audit Script: Check for local clones of impacted Microsoft Repositories
# Run this on developer workstations to identify potential compromised code

$ImpactedOrgs = @("Azure", "Azure-Samples", "Microsoft", "MicrosoftDocs")
$SuspiciousPaths = @()

# Scan common user directories for git repos
Get-ChildItem -Path "$env:USERPROFILE\*" -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $gitConfig = Join-Path -Path $_.FullName -ChildPath ".git\config"
    if (Test-Path $gitConfig) {
        $content = Get-Content $gitConfig -Raw
        foreach ($org in $ImpactedOrgs) {
            if ($content -match "github.com[/:]$org") {
                $SuspiciousPaths += $_.FullName
                Write-Host "[!] Potential impacted repo found: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

if ($SuspiciousPaths.Count -eq 0) {
    Write-Host "No repositories from impacted organizations found in user profile." -ForegroundColor Green
} else {
    Write-Host "Action Required: Review the identified repositories immediately." -ForegroundColor Yellow
}

Remediation

  1. Immediate Inventory: Identify all internal code that has been forked or cloned from the Azure, Azure-Samples, Microsoft, and MicrosoftDocs GitHub organizations within the last 30 days.
  2. Repository Lockdown: GitHub has disabled access to the 73 affected repositories. Do not attempt to re-enable or interact with these repositories until an official "all-clear" is issued by Microsoft.
  3. Credential Rotation: If your CI/CD pipelines or developer accounts used Personal Access Tokens (PATs) to interact with these repositories, treat those tokens as compromised. Rotate them immediately.
  4. Code Audit: Review the package., requirements.txt, or similar dependency files in any code originating from these orgs. The Miasma worm may have injected malicious dependencies.
  5. Developer Sanitization: Run the provided PowerShell audit script on all developer endpoints. If a compromised repo is found locally, isolate the machine and remove the directory until it can be forensically analyzed.
  6. Official Advisory: Monitor the Microsoft Security Response Center and the official GitHub blog for the specific list of SHA hashes and repository names involved in the Miasma campaign to fine-tune your blocklists.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachgithubsupply-chainmiasma-worm

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action