
Microsoft Shuts Down Dozens of GitHub Repositories After Malware Harvests Credentials in Claude Code
Key Takeaways
- Dozens of Microsoft GitHub repositories were taken offline after a credential-stealing malware injection.
- The malware targeted AI coding tools, including Claude Code and Gemini CLI, to steal developers' credentials.
- At least 73 Microsoft repositories were blocked on GitHub amid the Miasma attack.
Repos disabled after malware
Microsoft shut down access to dozens of its own repositories on GitHub, including those related to Azure and AI coding agents, as it investigated a data breach involving malware that would harvest credentials when opened in AI coding tools like Claude Code or Gemini CLI.
“Microsoft has shut down a wave of its own repositories on GitHub, including those related to Azure and AI coding agents, as it investigates a data breach, according to research from cybersecurity researchers and a statement given to 404 Media by Microsoft”
Ars Technica said multiple researchers flagged 73 cryptographically verified open source packages as malicious, that automated systems on GitHub blocked them on the platform, and that Microsoft-owned GitHub disabled the packages "due to a violation of GitHub’s terms of service."

TechCrunch reported Microsoft spokesperson Ben Hope told the outlet that the company has “temporarily removed some repositories as we investigated potential malicious content.”
The Register described GitHub disabling 70+ Microsoft repos and said the takedowns broke CI/CD pipelines following suspected worm infections, while Computing UK said GitHub disabled access to at least 73 repositories across four Microsoft organisations after they were compromised.
Credential theft triggered
Researchers and security firms said the malware was designed to steal passwords and other sensitive credentials when developers opened the compromised tools in AI coding applications, with TechCrunch citing Cloudsmith and OpenSourceMalware as early flaggers of the hack.
Computing UK said the malicious additions installed a large payload designed to activate automatically through widely used developer tools and AI-assisted coding environments, including Claude Code, Gemini CLI, Cursor and Visual Studio Code.

Ars Technica reported that the compromised packages executed a 28 KB payload that steals credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations.
Ars Technica also said the malware used in the attack is tracked as Miasma, described it as a clone of TeamPCP’s Mini Shai-Hulud toolkit, and added that the attack was linked to a threat actor tracked as TeamPCP.
Second breach and fallout
The Microsoft incident was framed as a second supply-chain attack in as many months: Ars Technica said it was the second such attack to breach an official Microsoft repository account, following a mid-May compromise of Microsoft’s durabletask Python SDK on PyPI.
“Microsoft’s GitHub repositories taken offline amid Miasma supply chain attack. Miasma, a self-replicating malware strain, has evolved from the Mini Shai-Hulud worm. Dozens of Microsoft-owned software repositories have been taken offline following a major cyberattack linked to the rapidly spreading Miasma malware campaign.”
Ars Technica reported that the durabletask package received 400,000 downloads per month and that the durabletask compromise was documented by StepSecurity; it also said the latest incident used functionality to steal a legitimate Microsoft OIDC token.
Computing UK quoted a GitHub notice that read, "Access to this repository has been disabled by GitHub Staff due to a violation of GitHub's terms of service," and it said users attempting to access some repositories were greeted with that notice.
Ars Technica said security firm Cloudsmith reported that the malware harvests OIDC (OpenID Connect) token credentials used in SLSA provenance attestation, and it added that the technique allows attackers to bypass the repository’s build pipeline entirely.