Microsoft Halts 73 GitHub Repositories After Hackers Target AI Coding Assistants

2026-06-09 companies

Redmond, Monday, 8 June 2026.
On June 5, 2026, Microsoft disabled 73 GitHub repositories following a severe cyberattack. The malware uniquely exploits AI coding assistants to silently harvest sensitive developer credentials.

The Anatomy of the Miasma Worm Breach

On Friday, June 5, 2026, code-hosting platform GitHub executed a rapid 105-second sweep, disabling 73 repositories belonging to Microsoft Corporation (MSFT) [1][GPT]. The impacted assets spanned four organizational units, including the entirety of the Azure Functions organization, the Durable Task family, and various AI sample applications [1][2]. This decisive action was triggered by the discovery of a self-replicating malware campaign known as the Miasma worm [2][3].

TeamPCP and the Supply Chain Crisis

The Miasma worm is an advanced iteration of the ‘Mini Shai-Hulud’ framework, an open-source worm published by the threat group TeamPCP in mid-May 2026 [2][3][6]. TeamPCP has aggressively targeted the open-source software ecosystem; the group recently boasted on an underground forum about hacking thousands of GitHub internal repositories, offering the allegedly stolen source code to buyers for a minimum of $50,000 [5]. [alert! ‘The exact number of repositories claimed by TeamPCP varies, with the threat actor citing 4,000 while other reports state approximately 3,800 impacted internal repositories’]

Evolving Threats in AI Workflows

The malware’s sophistication lies in its ability to bypass conventional security scanners. By using stolen developer credentials to obtain legitimate GitHub OpenID Connect (OIDC) tokens, the attackers published builds with valid Supply Chain Levels for Software Artifacts (SLSA) provenance attestations [4][6]. The worm then generates uniquely encrypted payloads for each infection, rendering traditional hash-based security measures ineffective [4].

Sources

Artificial intelligence Cybersecurity