GitHub disables Microsoft repos pushing password-stealing malware
On June 5, 2026, Microsoft removed 73 repositories from its GitHub organizations due to concerns over distribution of password-stealing malware linked to the Miasma/Shai-Hulud supply-chain campaign. The incident caused disruption to continuous integration pipelines, notably disabling the Azure/functions-action GitHub Action temporarily. The repositories were restored and deemed clean after investigation. Microsoft notified affected customers and continues to investigate. The malware campaign targeted open-source ecosystems, including prior compromises of Red Hat npm packages and Python packages on PyPI. No confirmed exploits in the wild have been reported for this specific incident.
AI Analysis
Technical Summary
Microsoft's GitHub repositories across Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations were disabled by GitHub staff due to violations of terms of service after being compromised in a supply-chain attack linked to the Miasma/Shai-Hulud malware campaign. The campaign involved injecting malicious workflows to steal credentials via GitHub OIDC tokens. The 'durabletask' repository was compromised in May, and malicious versions of the package were pushed to PyPI. The June 5 incident was contained within 105 seconds, and all repositories have since been restored and verified clean. The attack is part of a broader supply-chain threat targeting open-source AI coding tools and ecosystems. Microsoft has notified impacted customers and is continuing investigations.
Potential Impact
The immediate impact was disruption of continuous integration workflows, including outages of Azure Functions deployment pipelines due to removal of affected repositories. Potential exposure to password-stealing malware existed through compromised repositories and packages, though no confirmed exploitation in the wild has been reported. The incident highlights risks in software supply chains and the potential for widespread disruption in developer ecosystems.
Mitigation Recommendations
Microsoft has restored all affected repositories and confirmed they are clean and safe to use. Customers who may have pulled content from the affected repositories have been notified. Microsoft is continuing its investigation and will communicate directly if further customer action is required. Developers are advised to lock project dependencies, introduce delays in fetching new package updates, and test builds in isolated environments to mitigate supply-chain risks. No immediate action is required beyond following official communications from Microsoft.
GitHub disables Microsoft repos pushing password-stealing malware
Description
On June 5, 2026, Microsoft removed 73 repositories from its GitHub organizations due to concerns over distribution of password-stealing malware linked to the Miasma/Shai-Hulud supply-chain campaign. The incident caused disruption to continuous integration pipelines, notably disabling the Azure/functions-action GitHub Action temporarily. The repositories were restored and deemed clean after investigation. Microsoft notified affected customers and continues to investigate. The malware campaign targeted open-source ecosystems, including prior compromises of Red Hat npm packages and Python packages on PyPI. No confirmed exploits in the wild have been reported for this specific incident.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Microsoft's GitHub repositories across Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations were disabled by GitHub staff due to violations of terms of service after being compromised in a supply-chain attack linked to the Miasma/Shai-Hulud malware campaign. The campaign involved injecting malicious workflows to steal credentials via GitHub OIDC tokens. The 'durabletask' repository was compromised in May, and malicious versions of the package were pushed to PyPI. The June 5 incident was contained within 105 seconds, and all repositories have since been restored and verified clean. The attack is part of a broader supply-chain threat targeting open-source AI coding tools and ecosystems. Microsoft has notified impacted customers and is continuing investigations.
Potential Impact
The immediate impact was disruption of continuous integration workflows, including outages of Azure Functions deployment pipelines due to removal of affected repositories. Potential exposure to password-stealing malware existed through compromised repositories and packages, though no confirmed exploitation in the wild has been reported. The incident highlights risks in software supply chains and the potential for widespread disruption in developer ecosystems.
Mitigation Recommendations
Microsoft has restored all affected repositories and confirmed they are clean and safe to use. Customers who may have pulled content from the affected repositories have been notified. Microsoft is continuing its investigation and will communicate directly if further customer action is required. Developers are advised to lock project dependencies, introduce delays in fetching new package updates, and test builds in isolated environments to mitigate supply-chain risks. No immediate action is required beyond following official communications from Microsoft.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/github-disables-microsoft-repos-pushing-password-stealing-malware/","fetched":true,"fetchedAt":"2026-06-09T15:55:44.138Z","wordCount":843}
Threat ID: 6a2837808dd33fbd854e5aac
Added to database: 6/9/2026, 3:55:44 PM
Last enriched: 6/9/2026, 3:55:51 PM
Last updated: 6/9/2026, 9:39:41 PM
Views: 14
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.