Miasma supply-chain compromise disrupts Microsoft GitHub repositories

Attackers compromised **73 Microsoft open-source projects and repositories** in a **Miasma** supply-chain operation, prompting GitHub to disable access on **June 5** while potentially malicious content was investigated. The immediate effect was operational: **continuous integration pipelines** were interrupted and workflows that depended on **Azure/functions-action** briefly failed until repository access was restored. Microsoft later said it had temporarily removed some repositories during the review, restored some after inspection, and notified a **small number of customers** who may have pulled content from the affected repositories. Available material places the repository disruption inside the broader **Miasma/Shai-Hulud** thread that had already re-compromised projects such as **durabletask** and abused trusted open-source distribution channels. By the time the Microsoft disruption was public, the same operation had expanded into a fresh **PyPI** wave involving **23 additional packages**, showing that the operators were still changing delivery methods rather than relying on one implant format. Documented techniques in that expansion included **.pth** startup hooks, trojanized **.abi3.so** extensions, and a loader that searched **sys.path** for **_index.js**, with payloads aimed at developer workstations and **CI/CD** environments to steal secrets and exfiltrate them to a public GitHub repository. The available evidence supports a contained Microsoft repository action and an ongoing broader supply-chain campaign, but it does not establish the full downstream customer impact, the exact set of malicious files each affected repository carried, or whether every exposed developer environment was later abused. Response has centered on repository review, restoration where safe, customer outreach, and scrutiny of related packages and secrets.