Protect.Computer

Miasma Worm Infected 73 Microsoft Code Repositories


A piece of malware known as the Miasma worm has been found inside 73 repositories belonging to Microsoft on GitHub, the world’s largest code hosting platform. The affected repositories include official Microsoft projects in the Azure cloud and developer tooling areas — meaning the malicious code was sitting inside software that millions of developers rely on. Microsoft has been notified and is working to clean the repositories.

What makes Miasma unusual is that it spreads like a biological worm: once it infects a repository, it uses that repository to infect the next developer who clones or opens the project. The worm plants a hidden 4.3 MB runner program and wires it to launch automatically through five popular developer tools — Claude Code, Gemini CLI, Cursor, VS Code, and npm test scripts. Once running on a developer’s machine, it steals stored credentials and repository secrets, then tries to spread further by compromising that developer’s own projects and repositories.

How to check if you’re affected

Affected packages include Microsoft’s Durable Task npm packages (for .NET, Go, JavaScript, and MSSQL), the PyPI durabletask package, Azure Functions-related libraries, and the icflorescu/mantine-datatable package. If you are a developer who has cloned, installed, or worked with any of these projects in the past several weeks, your machine and credentials may have been compromised.

Steps to take:

  • Rotate credentials immediately: revoke and regenerate any GitHub tokens, API keys, or cloud credentials stored on machines where you worked with affected repositories.
  • Check your own repositories for unexpected files, unusual commits, or new collaborators you don’t recognize.
  • Scan your development environment with an up-to-date antivirus or endpoint security tool for the 4.3 MB payload runner.
  • Update affected packages to the latest patched versions once Microsoft publishes remediated releases.
  • Until patched versions are confirmed clean, avoid opening affected repositories inside AI coding agents (Claude Code, Gemini CLI, Cursor).
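
One way to run the "check your own repositories" step over a local clone, as an added example that is not from the article or from Microsoft. The workspace config paths, the size window around 4.3 MB, and the function names are assumptions, and each finding is a prompt for manual review rather than proof of infection.

```python
import json
import tempfile
from pathlib import Path

# Assumption: workspace-level config paths these tools read; review targets, not published indicators.
TOOL_CONFIGS = {".claude/settings.json": "Claude Code", ".gemini/settings.json": "Gemini CLI",
                ".cursor": "Cursor", ".vscode/tasks.json": "VS Code"}
SIZE_WINDOW = (4_000_000, 4_600_000)  # assumed byte range around the reported 4.3 MB


def audit_repo(root):
    """Return sorted (kind, relative_path, detail) findings for manual review."""
    root, findings = Path(root), []
    for rel, tool in TOOL_CONFIGS.items():
        if (root / rel).exists():
            findings.append(("tool-config", rel, f"{tool} workspace config present"))
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if ".git" in rel.parts or not path.is_file():
            continue
        size = path.stat().st_size
        if SIZE_WINDOW[0] <= size <= SIZE_WINDOW[1]:
            findings.append(("size-match", rel.as_posix(), f"{size} bytes"))
        if rel.as_posix() == ".vscode/tasks.json" and "folderOpen" in path.read_text(errors="replace"):
            # tasks.json may carry comments, so match the text instead of parsing it as JSON
            findings.append(("auto-run", rel.as_posix(), "task set to run on folder open"))
        if path.name == "package.json" and "node_modules" not in rel.parts:
            try:
                pkg = json.loads(path.read_text(errors="replace"))
            except ValueError:
                continue
            scripts = pkg.get("scripts") if isinstance(pkg, dict) else None
            if isinstance(scripts, dict) and "test" in scripts:
                findings.append(("test-script", rel.as_posix(), str(scripts["test"])))
    return sorted(findings)


def build_sample_repo(root):
    """Constructed sample repo: an auto-run task, a test script and a 4.3 MB blob."""
    root = Path(root)
    (root / ".vscode").mkdir()
    (root / ".vscode/tasks.json").write_text('{"tasks": [{"label": "setup", "runOptions": {"runOn": "folderOpen"}}]}')
    (root / "package.json").write_text(json.dumps({"scripts": {"test": "./runner.bin && jest"}}))
    (root / "runner.bin").write_bytes(b"\0" * 4_300_000)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit_repo(build_sample_repo(tmp)), sep="\n")
```

Compare any reported file against the repository's history (for example `git log -- <path>`) to see whether you or a known collaborator added it.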
