GitHub Nukes 70+ Microsoft Repos, Breaks CI/CD Pipelines, Following Suspected Worm Infections

Supply‑chain attacks on open‑source ecosystems have surged, and the latest GitHub incident underscores how quickly a single compromised account can cascade into a systemic outage. The Miasma worm, a descendant of the Mini Shai Hulud code, resurfaced after a May 19 PyPI intrusion that injected infostealers into the durabletask package. By leveraging a stolen token, the attacker pushed a malicious commit to Azure/durabletask, embedding configuration files that execute code when opened in modern development environments such as Claude Code, Gemini CLI, or Cursor. GitHub’s automated detection responded within minutes, but the damage—broken CI/CD pipelines and halted Azure deployments—was already evident.

Technical analysts note that the worm’s payload targets the very tools developers rely on for productivity, turning IDEs and AI assistants into infection vectors. The compromised Azure/functions-action workflow, a staple for deploying serverless functions, caused any pipeline referencing the action@v1 tag to fail, effectively freezing deployment pipelines across countless projects. Moreover, the reuse of tokens from the earlier PyPI breach suggests insufficient credential rotation, a common weak point that attackers exploit to maintain persistence across supply‑chain layers. The incident also reveals how quickly malicious commits can propagate through automated package managers and affect downstream consumers.

For enterprises, the episode is a stark reminder to enforce rigorous token hygiene, implement zero‑trust principles for contributor accounts, and adopt real‑time code‑integrity scanning. Continuous monitoring of repository activity, coupled with immutable audit logs, can flag anomalous commits before they trigger widespread execution. As open‑source components become integral to cloud-native workloads, organizations must treat supply‑chain security as a core operational priority, investing in both tooling and developer education to mitigate the risk of future worm‑based attacks.