- Threat actor reused unrotated GitHub Actions secrets to compromise 73 Microsoft repositories
- Miasma worm planted in Azure, Microsoft, Azure-Samples, and MicrosoftDocs organizations
- Microsoft removed affected repositories, notified affected customers, and investigation continues
GitHub has disabled 73 of Microsoft’s repositories after a threat actor allegedly used credentials stolen a month ago to break in and plant data-stealing malware.
The news was confirmed by security firm Cloudsmith and community-driven malware analysis site OpenSourceMalware, which revealed that in mid-May 2026, someone (most likely TeamPCP) used secrets stolen from Microsoft’s GitHub Actions to publish malicious PyPI packages. While these were quickly removed from the platform, it appears that Microsoft never rotated the secrets used in this attack.
Now, it appears that the same threat actor used the same credentials to compromise 73 new repositories, spanning four GitHub organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. The Azure organization was the hardest hit, losing 49 repositories, essentially everything the Features team ships.
Significant consequences
The key difference is that this time it was not the Mini Shai-Hulud worm that was distributed, but the Miasma worm, a spin-off that emerged after TeamPCP’s open-source Mini Shai-Hulud.
The researchers say the practical consequences were quite significant, as some libraries operate inside other people’s pipelines. For example, all workflows referencing Azure/functions-action@v1 stopped resolving.
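To see which of your own workflows depend on actions from the four organizations named above, the following added example (not from the article or the researchers) scans workflow text for `uses:` references and reports whether each one is pinned to a full commit SHA or to a mutable tag or branch such as `v1`. The sample workflow, the `Azure-Samples/example-action` name and the SHA are constructed for illustration.

```python
import re
import sys

# Organizations named in the article as having repositories disabled.
AFFECTED_ORGS = {"azure", "azure-samples", "microsoft", "microsoftdocs"}

# Matches `uses: owner/repo[/path]@ref`; local (./) and docker:// references do not match.
USES_RE = re.compile(
    r'''^[ \t]*(?:-[ \t]*)?uses:[ \t]*['"]?([\w.-]+)/([\w.-]+)((?:/[^@\s'"]+)?)@([^\s'"#]+)''',
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample workflow; the third action name and its SHA are hypothetical.
SAMPLE = """\
name: deploy
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Azure/functions-action@v1
      - uses: Azure-Samples/example-action@0123456789abcdef0123456789abcdef01234567
"""


def audit_workflow(text):
    """Return one finding per `uses:` reference into an affected organization."""
    findings = []
    for m in USES_RE.finditer(text):
        owner, repo, path, ref = m.groups()
        if owner.lower() not in AFFECTED_ORGS:
            continue
        findings.append({
            "action": f"{owner}/{repo}{path}",
            "ref": ref,
            "line": text.count("\n", 0, m.start(1)) + 1,
            # A tag or branch can be moved to different code; a full SHA cannot.
            "pinned_to_sha": bool(FULL_SHA_RE.fullmatch(ref)),
        })
    return findings


if __name__ == "__main__":
    # Pass workflow files as arguments, or run with none to audit the sample.
    texts = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]] or [("sample", SAMPLE)]
    for name, text in texts:
        for f in audit_workflow(text):
            state = "sha-pinned" if f["pinned_to_sha"] else "MUTABLE REF"
            print(f"{name}:{f['line']}: {f['action']}@{f['ref']} [{state}]")
```

Run it with the paths of the files under `.github/workflows/` as arguments.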
Microsoft spokesman Ben Hope told TechCrunch the company has “temporarily removed some repositories while we investigate possible malicious content.”
“Some of these repositories have been restored after the patch, while others may remain offline while work continues,” Hope added. “As part of our investigation, we notified a small number of customers who may have removed content from affected repositories. We will continue to investigate, and if anything else is identified that requires customer action, we will communicate directly through our established support channels.”
Microsoft couldn’t say how many customers the incident affected, but it’s safe to assume it’s tens of thousands, if not more.





