Executive Summary
The Miasma supply chain attack crossed two new boundaries between June 5 and June 7, 2026. On June 5, a recompromised contributor account pushed a malicious commit into Microsoft’s Azure/durabletask GitHub repository, planting configuration files that execute a credential-harvesting payload the moment a developer opens the repository in Claude Code, Gemini CLI, Cursor, or VS Code. GitHub’s automated enforcement disabled 73 repositories across four Microsoft GitHub organizations in a 105-second sweep. Azure/functions-action, the official GitHub Action for deploying Azure Functions, went dark, breaking CI/CD pipelines globally.
Two days later, on June 7, Socket detected 37 malicious Python wheel artifacts across 19 PyPI packages. The Hades variant uses Python .pth startup hooks to execute a Bun-powered JavaScript credential stealer on every Python interpreter startup, without the victim ever importing the compromised package. The bioinformatics tools dynamo-release, spateo-release, and coolbox account for most of the download volume. Hades-themed GitHub exfiltration markers replace the earlier Zelda-themed Miasma branding, but the underlying tradecraft is identical: Bun staging, AES-GCM encrypted payloads, multi-cloud credential sweep, and GitHub dead-drop exfiltration.
Socket is now tracking 448 affected artifacts across npm and PyPI: 411 npm artifacts across 106 packages from prior Miasma waves, plus the 37 new PyPI wheels. The campaign has operated continuously since June 1, 2026, pivoting delivery mechanisms every 48 to 72 hours. Zero CVEs exist for any artifact in the entire campaign.
TL;DR for Engineering Teams
| What it is | The Miasma worm campaign expanded from npm into GitHub repository poisoning (June 5) and PyPI (June 7). The Azure incident disabled 73 Microsoft repositories including the Azure Functions runtime, all language workers, and both deploy actions. The Hades PyPI wave compromised 19 packages via .pth startup hooks. Both deliver the same Shai-Hulud-lineage credential stealer. Zero CVE across all artifacts. |
| Where it bites | Developers who cloned any affected Microsoft repository after June 2 and opened it in Claude Code, Gemini CLI, Cursor, or VS Code. Any Python environment that installed a Hades-compromised wheel: the .pth hook fires on every python, pip, or pytest invocation. CI/CD pipelines referencing Azure/functions-action@v1. |
| Why it matters | The campaign has now crossed four delivery surfaces in seven days: npm preinstall hooks (June 1), npm binding.gyp native compilation (June 4), GitHub repository AI agent hooks (June 5), and PyPI .pth startup execution (June 7). Each pivot targets a detection blind spot that the previous wave’s disclosure created. 448 total artifacts tracked. |
| Patch status | Microsoft repositories remain disabled at time of writing. Malicious PyPI wheels quarantined. No clean successor versions confirmed for Hades packages. Pin lockfiles to pre-compromise versions. |
| Immediate action | If you cloned any affected Microsoft repo after June 2 and opened it in an AI coding tool or VS Code, treat that system as compromised. Rotate all credentials. For PyPI: search for affected packages. If any match, rotate GitHub tokens, PyPI tokens, AWS/GCP/Azure credentials, SSH keys, and Kubernetes secrets. |
Vulnerability Overview
| Campaign | MIASMA_AZURE_HADES_2026 |
| Malware Family | Miasma (Mini Shai-Hulud derivative; TeamPCP open-sourced tooling basis) |
| Vulnerability Type | Supply chain compromise; AI coding agent hijacking; credential theft; self-propagating worm |
| CWE | CWE-829 (Inclusion of Functionality from Untrusted Control Sphere); CWE-506 (Embedded Malicious Code) |
| CVSS | Not assigned |
| CVE | Not assigned |
| GHSA / OSV | Not assigned |
| Patch Available | No — repositories disabled; wheels quarantined; pin to prior versions |
| Active Exploitation | Confirmed |
| Attribution | Compromised contributor account (same as May 19 durabletask PyPI attack); windy629 GitHub account; TeamPCP infrastructure confirmed |
Technical Breakdown
Phase 1 — Azure Repository Injection (June 5)
The Malicious Commit
Commit 5f456b8 was pushed to the Azure/durabletask repository using the same contributor account that was compromised during the May 19 PyPI attack. The commit metadata tells the story before the payload does:
| Indicator | Value |
| Commit message | “Switched DataConverter to OrchestrationContext [skip ci]” |
| Files changed | 5 files added, 0 source code files modified |
| Commit timestamp | Backdated to 2020-03-09T15:59:47Z (six years before actual push) |
| CI suppression | [skip ci] flag present |
The commit message claims a code change, but no source code was modified. All five files are tool configuration files or the malicious payload.
Five Files, Four Attack Vectors
The commit planted files targeting four developer tools. Cloning the repository is safe. Opening it is the trigger.
1. .claude/settings.json — Claude Code SessionStart hook. Executes the payload automatically when a Claude Code session starts in this repository.
2. .gemini/settings.json — Gemini CLI SessionStart hook. Identical structure. Triggers on Gemini CLI session start.
3. .cursor/rules/setup.mdc — Cursor AI prompt injection. Instructs the Cursor AI agent to execute the payload by framing it as a project setup requirement. The alwaysApply: true flag ensures the rule is active regardless of which file the developer works on.
4. .vscode/tasks.json — VS Code auto-run task. The task runs automatically when a developer opens the folder with runOn: folderOpen. No AI agent involvement required.
5. .github/setup.js — The payload. A single-line, 4,643,745-byte obfuscated JavaScript file containing the credential harvester. All four configuration files point here.
The Delivery Shift
Supply chain defenses have historically focused on package install hooks: preinstall, postinstall, setup.py. The June 5 attack skips the package manager entirely. A .claude/settings.json SessionStart hook is functionally equivalent to a postinstall script for your editor. A .cursor/rules/setup.mdc file is a prompt injection that ships in the repository itself.
The campaign has moved from “execute on package install” to “execute on folder open.” Defenders tuned for registry-level threats had no detection surface for repository-level configuration file poisoning.
73 Repositories Disabled in 105 Seconds
GitHub’s automated abuse detection disabled 73 repositories across four Microsoft GitHub organizations. Block timestamps span 16:00:50 to 16:02:35 UTC on June 5, with two distinct waves separated by a 56-second gap.
| Wave | Time Window | Repositories |
| Wave 1 | 16:00:50 – 16:01:28 UTC | 39 repos in 38 seconds |
| Wave 2 | 16:02:24 – 16:02:35 UTC | 34 repos in 11 seconds |
| Organization | Repos Disabled | Notable Repositories |
| Azure | 49 | azure-functions-host, functions-action, all language workers, extension bundles, core-tools, docker |
| microsoft | 10 | Entire Durable Task family: durabletask-dotnet, -go, -java, -js, -mssql, -netherite, -protobuf |
| Azure-Samples | 13 | AI sample apps: rag-postgres-openai-python, llm-fine-tuning, multi-agent workflow |
| MicrosoftDocs | 1 | windows-driver-docs |
Global CI/CD Breakage
Azure/functions-action is the official GitHub Action for deploying Azure Functions. When GitHub disabled it, every workflow referencing Azure/functions-action@v1 stopped resolving. A Microsoft Learn Q&A thread documented 20+ developers reporting broken pipelines within hours.
Microsoft’s initial response described the incident as a “GitHub policy violation.” Twelve minutes later, that was revised to “internal management issue.” This is the mutable-tag problem at scale. @v1 floats to whatever GitHub serves for that tag. When the repository disappears, the tag evaporates. A pinned commit SHA fails loudly and predictably; a floating tag just stops existing.
Phase 2 — Hades PyPI Wave (June 7)
The .pth Startup Hook
Two days after the Azure injection, Socket detected 37 malicious wheel artifacts across 19 PyPI packages. The delivery mechanism moved again: from repository configuration files to Python .pth startup hooks.
Python’s site module processes .pth files during interpreter startup. Lines beginning with import followed by a space or tab are executed automatically. That gives attackers an execution primitive that fires on every python, pip, pytest, or notebook kernel invocation after the compromised wheel is installed, without the victim ever importing the package.
The .pth loader creates a sentinel at tempfile.gettempdir()/.bun_ran, locates _index.js adjacent to the package, downloads Bun v1.3.13 from GitHub if no cached binary exists, runs bun run _index.js, and writes the sentinel to avoid repeated execution. This is the PyPI equivalent of the npm install-hook problem.
Payload Analysis
| Layer | Function |
| Outer wrapper | try { eval(…) } with character-code array and ROT-style substitution |
| AES-GCM loader | Imports node:crypto, decrypts two AES-128-GCM blobs, writes main payload to /tmp/p*.js |
| Bun bootstrapper | Downloads Bun v1.3.13 from GitHub |
| Main payload | Rotated string table, PBKDF2/SHA256 decoder, AES-256-GCM + gzip string layer |
The recovered credential stealer targets the same classes seen across all prior Shai-Hulud and Miasma waves:
| Category | Targets |
| Source control | GitHub PATs, GitHub Actions runner secrets, runner memory, ghs_* tokens |
| Package registries | npm, PyPI, RubyGems, JFrog, CircleCI, Anthropic tokens |
| Cloud | AWS credentials + STS + SSM + Secrets Manager; GCP identity + projects + Secret Manager; Azure identity + Key Vault |
| Infrastructure | Kubernetes service-account tokens + cluster secrets; Vault tokens + secrets |
| Developer tooling | .env, .npmrc, .pypirc, Git credentials, shell histories, SSH keys, Docker configs, Claude/MCP configs |
Hades Exfiltration Markers
| Indicator | Value |
| Repository description | Hades – The End for the Damned |
| Commit marker | IfYouYankThisTokenItWillNukeTheComputerOfTheOwnerFully |
| Repo-name components | stygian, tartarean, cerberus, charon, styx, lethe, thanatos, persephone |
| Workflow name | Run Copilot |
| Artifact name | format-results |
| Path pattern | results/results-*.json |
Network Camouflage
The payload includes a direct HTTPS sender configured for api.anthropic.com/v1/api. Both GET and POST requests to this path return Anthropic’s standard 404 not_found_error, confirming /v1/api is not a live route. There is no indication Anthropic systems were compromised. The channel is network-log camouflage: traffic to a ubiquitous AI-vendor host blends in with legitimate developer traffic. GitHub repositories remain the confirmed exfiltration channel.
Affected Versions
Hades PyPI Wheels — June 7
| Package | Compromised Versions | Notes |
| bramin | 0.0.2, 0.0.3, 0.0.4 | Low traffic |
| cmd2func | 0.2.2, 0.2.3 | Function description utility |
| coolbox | 0.4.1, 0.4.2 | Jupyter genomic visualization (Hi-C/ChIP-Seq/RNA-Seq) |
| dynamo-release | 1.5.4 | Single-cell RNA-velocity framework; highest downloads |
| executor-engine | 0.3.4, 0.3.5 | Task execution utility |
| executor-http | 0.1.3, 0.1.4 | HTTP executor |
| funcdesc | 0.2.2, 0.2.3 | Function description library |
| magique | 0.6.8, 0.6.9 | Lab utility |
| magique-ai | 0.4.4, 0.4.5 | AI utility |
| mrbios | 0.1.1, 0.1.2 | Lab utility |
| napari-ufish | 0.0.2, 0.0.3 | Deep-learning FISH spot detection |
| nucbox | 0.1.2, 0.1.3 | Lab utility |
| okite | 0.0.7, 0.0.8 | Lab utility |
| pantheon-agents | 0.6.1, 0.6.2 | Agent framework |
| pantheon-toolsets | 0.5.5, 0.5.6 | Agent toolsets |
| spateo-release | 1.1.2 | Spatial transcriptomics (dynamo sibling) |
| synago | 0.1.1, 0.1.2 | Lab utility |
| ufish | 0.1.2, 0.1.3 | Deep-learning FISH spot detection |
| uprobe | 0.1.3, 0.1.4 | Lab utility |
All 37 wheels share the same *-setup.pth SHA256: c539766062555d47716f8432e73adbe3a0c0c954a0b6c4005017a668975e275c
Two _index.js variants: Variant 1 (4.8 MB, 17 packages): dc48b09b…cb4c0efe | Variant 2 (4.7 MB, 2 packages): e1342a80…c93a4b17d
Protect yourself with the latest threat intelligence, get access to PHOENIX BLUE Today
Exposure Analysis
| Environment | Risk Level | Reason |
| CI/CD pipelines using Azure Functions GitHub Actions | Critical | functions-action@v1 broken globally; pre-disable clones may have triggered payload |
| Developer workstations (AI coding tools) | Critical | Payload fires on folder open in Claude Code, Gemini CLI, Cursor, VS Code |
| Python research environments (bioinformatics) | High | dynamo-release, spateo-release used in single-cell genomics; .pth fires on every Python process |
| Cloud workloads running affected Python packages | High | Credential sweep reaches AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, K8s secrets |
| CI runners executing pip install for affected packages | High | .pth hook fires on subsequent Python invocations in the environment |
The bioinformatics targeting in the Hades wave is notable. dynamo-release and spateo-release are used in academic and pharmaceutical research environments that often run with elevated cloud permissions for data pipeline access. coolbox is a genomic visualization toolkit for Hi-C, ChIP-Seq, and RNA-Seq data. Research environments with broad IAM permissions and limited security tooling are high-value targets for credential harvesting.
Campaign Timeline
| Date | Event |
| May 19, 2026 | durabletask 1.4.1–1.4.3 pushed to PyPI (35-minute window). rope.pyz credential stealer. Contributor account compromised. |
| June 1, 2026 | Miasma Wave 1: 32 @redhat-cloud-services npm packages. preinstall delivery. 116,991 weekly downloads. |
| June 4, 2026 | Miasma Wave 2: 57 npm packages. binding.gyp delivery. 647,204 monthly downloads. |
| June 5, 2026 | Azure repository injection: commit 5f456b8 to Azure/durabletask. AI coding agent hooks planted. |
| June 5, 16:00 UTC | GitHub disables 73 Microsoft repositories in 105-second automated sweep. |
| June 5, ~19:00 UTC | Microsoft Learn Q&A thread opened. 20+ developers report broken CI/CD pipelines. |
| June 7, 2026 | Hades PyPI wave: 37 malicious wheels across 19 packages. .pth startup hook delivery. |
| Cumulative | Socket tracking 448 affected artifacts across npm (411) and PyPI (37). |
Each delivery pivot targets the detection blind spot created by the previous wave’s disclosure. preinstall disclosed, defenders tuned for scripts field. binding.gyp bypasses scripts monitoring. Repository config injection bypasses the package registry entirely. .pth startup hooks bypass Python import-time scanning. 72-hour iteration cycles.
Real-World Impact
73 Microsoft repositories disabled across Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations. 37 PyPI wheels published. 448 total campaign artifacts tracked by Socket. Azure Functions deploy action broken globally.
Every GitHub workflow referencing Azure/functions-action@v1 or Azure/functions-container-action failed immediately when the repositories were disabled. Microsoft’s recommended workaround (Azure CLI, Azure DevOps Pipelines, Zip Deploy) required pipeline rewrites for affected organizations.
The bioinformatics packages dynamo-release, spateo-release, coolbox, and ufish/napari-ufish serve computational biology research communities. The .pth hook fires on every Python invocation in the environment, including automated data processing jobs.
Detection Guidance
Log and Network Indicators
Azure repository injection:
- Network connections to check.git-service[.]com or t.m-kosche[.]com
- Process creation: node .github/setup.js launched from AI coding tool or VS Code task runner
- Filesystem: .claude/settings.json, .gemini/settings.json, .cursor/rules/setup.mdc, or .vscode/tasks.json with folderOpen triggers in cloned repositories
Hades PyPI wave:
- Process chain: python spawning download of Bun binary from github.com/oven-sh/bun/releases/download/bun-v1.3.13/
- Filesystem: /tmp/.bun_ran, /tmp/b.zip, /tmp/b/bun, _index.js inside site-packages, *-setup.pth files
- Network: outbound HTTPS to api.anthropic.com/v1/api (camouflage channel)
- GitHub: repositories described “Hades – The End for the Damned”; commits containing IfYouYankThisTokenItWillNukeTheComputerOfTheOwnerFully
- Persistence: gh-token-monitor service, ~/.config/gh-token-monitor/, LaunchAgent com.github.token-monitor.plist
Verification Steps for Teams
- Azure repository exposure: Check if any team member cloned a repository from the Azure, microsoft, Azure-Samples, or MicrosoftDocs organizations after June 2. Search local filesystems for .claude/settings.json, .gemini/settings.json, .cursor/rules/setup.mdc, and .vscode/tasks.json containing references to .github/setup.js.
- PyPI exposure: Search all Python environments, lockfiles, and requirements files for any of the 19 Hades packages. Check site-packages directories for *-setup.pth files and _index.js artifacts.
- CI/CD pipeline audit: Check all GitHub Actions workflows for references to Azure/functions-action@v1 or Azure/functions-container-action. Switch to commit SHA pinning.
- SBOM review: Run dependency scans against all repositories to identify transitive exposure to affected packages.
Remediation Guidance
Immediate Actions
- If you opened an affected Microsoft repository in an AI coding tool or VS Code after June 2: Treat the system as compromised. Rotate all credentials accessible from that system: GitHub tokens, npm tokens, AWS keys, Azure service principals, GCP service accounts, SSH keys, Kubernetes secrets, Docker configs.
- If any Hades PyPI package was installed: Uninstall immediately. Remove *-setup.pth and _index.js from site-packages. Rebuild the Python environment from a clean base. Rotate all credentials.
- If CI/CD pipelines reference Azure/functions-action@v1: Switch to Azure CLI, Azure DevOps Pipelines, or Zip Deploy. When the action is restored, pin to a specific commit SHA.
- Audit your repositories for unexpected commits containing .claude/, .gemini/, .cursor/, .vscode/tasks.json, or .github/setup.js files.
- Audit npm/PyPI packages you maintain for unauthorized version publishes.
Temporary Mitigations
- Repository cloning: Inspect cloned repositories for .claude/, .gemini/, .cursor/, and .vscode/tasks.json files before opening in any editor.
- Python environments: Audit all .pth files in site-packages. Alert on: executable .pth plus network retrieval plus subprocess execution plus staged JavaScript payload.
- GitHub Actions: Pin all actions to full commit SHAs using tools like StepSecurity Secure Repo. Floating tags (@v1, @latest) create single points of failure.
- Branch protection: Require PR reviews for all commits. Direct pushes to main should not be permitted.
- PyPI publishing: Use Trusted Publishing (OIDC) instead of long-lived API tokens. Restrict outbound network access from CI/CD runners.
Phoenix Security Recommendations
The Miasma campaign’s four-ecosystem, seven-day pivot cycle is invisible to CVE-dependent tooling. Zero CVEs exist for any of the 448 tracked artifacts. Teams relying on vulnerability database lookups had no signal during the active exposure windows.
Phoenix Security’s malware intelligence platform at phxintel.security/malware.html detected Miasma artifacts through behavioral signal analysis within minutes of publication. The platform’s detection approach analyzes execution triggers broadly rather than matching specific package.json fields or registry metadata, providing coverage across the npm preinstall, binding.gyp, repository config, and .pth delivery mechanisms.
Contextual deduplication correlates findings from the Azure repository injection and Hades PyPI wave into a single campaign view, linking them to the earlier Miasma Wave 1 (@redhat-cloud-services) and Wave 2 (binding.gyp) events. Without that correlation, organizations see four separate incidents rather than one evolving campaign.
Reachability analysis identifies which build environments actually executed an affected package’s install hook or .pth startup code versus environments that installed from a pre-compromise cache or never triggered the execution path. When scoping credential rotation across hundreds of CI runners and developer workstations, that distinction determines whether you rotate credentials for 300 systems or the 30 that actually ran the payload.
Remediation campaigns track the multi-step response across engineering teams: lockfile updates per repository, credential rotation completion per environment, persistence artifact cleanup per developer machine, repository configuration audit results, and container image rebuilds per registry.
Attack surface management surfaces which pipelines and build environments pull from affected namespaces, which developer workstations have cloned affected repositories, and which cloud environments are reachable from compromised systems.
Campaign config, IOC scanner, and CISO brief for MIASMA_AZURE_HADES_2026 are available at phxintel.security/package.html
Protect yourself with the latest threat intelligence, get access to PHOENIX BLUE Today
External References
- StepSecurity — Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled After Supply Chain Attack Targeting AI Coding Agents (Ashish Kurmi, June 5, 2026)
- OpenSource Malware — The Blight Reaches Microsoft: 73 Repos Disabled in 105 Seconds (6mile, June 6, 2026) — https://opensourcemalware.com/blog/miasma-reaches-azure
- Socket Security — Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave (Socket Research Team, June 7, 2026)
- Phoenix Security — Miasma Wave 2: npm Supply Chain Worm Drops binding.gyp Execution (June 4, 2026)
- Phoenix Security — MIASMA_WAVE1_REDHAT_2026 campaign analysis — phoenix.security/miasma-redhat-cloud-services-npm-supply-chain-wave1-2026
- Phoenix Security — Mini Shai-Hulud / TeamPCP: TanStack and Mistral Campaign (May 2026)
- Phoenix Security — Sha1-Hulud full reverse engineering and persistence IOCs — phoenix.security/sha1-hulud-shai-hulud-worm-analysis-persistence-iocs/
- Wiz Research — durabletask PyPI compromise analysis (May 19, 2026)
- Endor Labs — durabletask PyPI compromise analysis (May 19, 2026)
- Socket Security — Miasma campaign tracking page — socket.dev/supply-chain-attacks/miasma-mini-shai-hulud-supply-chain-attack
- Phoenix Security Malware Intelligence Platform — phxintel.security/malware.html
- Phoenix Security Campaign IOC Tracker — phxintel.security/package.html
