Bottom line: A self-replicating worm exfiltrates developer credentials from Microsoft repositories when AI-powered programming tools load the infected packages.
On June 5, 2026, GitHub disabled 73 Microsoft repositories following discovery of the Miasma worm, which specifically targets developer passwords and API keys. The threat group TeamPCP uses the self-replicating malware to gain access to authentication data through compromised developer tools.
GitHub deactivated a total of 73 repositories from four Microsoft organizations on June 5, 2026 within an automated cleanup run lasting 105 seconds: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. The platform initially cited violations of its terms of service as the reason for the shutdown. The following Monday, Microsoft officially confirmed that the affected software packages were infected with malware and announced an investigation.
The worm designated as Miasma is specifically aimed at developer environments. It activates automatically whenever developers open certain AI-powered programming tools that access the infected packages. Upon activation, the worm exfiltrates passwords, authentication tokens, API keys, and other sensitive credentials from local workstations. The affected repositories featured cryptographic verification, which made them appear trustworthy to automated systems.
Source: www.it-daily.net · Published June 15, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.