NSFOCUS • 2h
Miasma Worm Supply Chain Attack on Microsoft GitHub
On June 5, 2026, threat actor TeamPCP deployed the Miasma worm, a self-replicating supply chain malware targeting Microsoft’s GitHub infrastructure. The attack exploited the integration of AI coding agents within VS Code to execute malicious payloads immediately upon workspace initialization, bypassing traditional dependency installation triggers. This automated execution vector enabled the disabling of 73 Microsoft-owned repositories in 105 seconds. The worm specifically targeted Azure Functions and GitHub Actions, exfiltrating GitHub tokens that exhibited extreme persistence, surviving full machine rebuilds to maintain unauthorized access to cloud automation services.