Microsoft disables over 70 GitHub repos after hackers compromised them with dangerous malware

By Sead Fadilpašić, published 9 June 2026

Someone forgot to change compromised credentials

  • Threat actor reused unrotated GitHub Actions secrets to compromise 73 Microsoft repos
  • Miasma worm planted across Azure, microsoft, Azure‑Samples, and MicrosoftDocs orgs
  • Microsoft pulled affected repos, notified impacted customers, and continues investigation

GitHub has disabled 73 of Microsoft’s repositories after a threat actor allegedly used credentials stolen a month ago to break in and plant an infostealer.

The news was confirmed by security firm Cloudsmith and community-driven malware analysis site OpenSourceMalware, which revealed that in mid-May 2026, someone (most likely TeamPCP) used Microsoft’s stolen GitHub Actions secrets to publish malicious PyPI packages. While these were quickly yanked from the platform, it seems that Microsoft never rotated the secrets used in this attack.

Now, it would appear that the same threat actor used the same credentials to compromise 73 new repositories, spanning four GitHub organizations: Azure, Azure-Samples, microsoft, and MicrosoftDocs. The Azure org bore the brunt, losing 49 repos, essentially everything the Functions team ships.

Significant fallout

The key difference is that this time it wasn’t the Mini Shai-Hulud worm that was being distributed, but rather the Miasma worm, a spin-off that emerged after TeamPCP open-sourced Mini Shai-Hulud.

The researchers say the practical fallout was quite significant, as some of the libraries run inside other people’s pipelines. For example, every workflow referencing Azure/functions-action@v1 stopped resolving.

Microsoft spokesperson Ben Hope told TechCrunch the company has “temporarily removed some repositories as we investigated potential malicious content.”

“Some of these repos have been restored after review, while others may remain offline while work continues,” Hope added. “As part of our investigation, we notified a small number of customers who may have pulled down content from the affected repositories. We will continue to investigate, and if anything further is identified that requires customer action, we will reach out directly through our established support channels.”

Microsoft could not say how many customers the incident affected, but it is safe to assume that it is in the tens of thousands, if not more.
