• Threat actor reused unrotated GitHub Actions secrets to compromise 73 Microsoft repos
• Miasma worm planted across Azure, microsoft, Azure‑Samples, and MicrosoftDocs orgs
• Microsoft pulled affected repos, notified impacted customers, and continues investigation

GitHub has disabled 73 of Microsoft’s repositories after a threat actor allegedly used credentials stolen a month ago to break in and plant an infostealer.

The news was confirmed by security firm Cloudsmith and community-driven malware analysis site OpenSourceMalware, which revealed that in mid-May 2026, someone (most likely TeamPCP) used stolen Microsoft’s GitHub Actions secrets to publish malicious PyPI packages. While these were quickly yanked from the platform, it seems that Microsoft never rotated the secrets used in this attack.

Now, it would appear that the same threat actor used the same credentials to compromise 73 new repositories, spanning four GitHub organizations: Azure, Azure-Samples, microsoft, and MicrosoftDocs. The Azure org bore the brunt, losing 49 repos, essentially everything the Functions team ships.

Significant fallout

The key difference is that this time it wasn’t the Mini Shai-Hulud worm that was being distributed, but rather the Miasma worm, a spin-off that emerged after TeamPCP open-sourced Mini Shai-Hulud.

The researchers are saying that the practical fallout was quite significant, as some libraries run inside other people’s pipelines. For example, every workflow referencing Azure/functions-action@v1 stopped resolving.

Microsoft spokesperson Ben Hope told TechCrunch the company has “temporarily removed some repositories as we investigated potential malicious content.”

“Some of these repos have been restored after review, while others may remain offline while work continues,” Hope added. “As part of our investigation, we notified a small number of customers who may have pulled down content from the affected repositories. We will continue to investigate, and if anything further is identified that requires customer action, we will reach out directly through our established support channels.”

Microsoft could not say how many customers the incident affected, but it is safe to assume that it is in the tens of thousands, if not more.

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.