Microsoft pulls 70+ GitHub repos after malware breach

On Friday, 5th June 2026, GitHub disabled 73 Microsoft repositories in about 105 seconds after its alarms tripped. The trigger was a malicious commit pushed to Azure/durabletask from a compromised contributor account. 

The malware targeted tools developers use with AI coding assistants: Claude Code, Gemini CLI, and VS Code. Open the code in one of those apps, and it could quietly harvest passwords and other credentials. Security firms Cloudsmith and OpenSourceMalware were first to flag it. 

The immediate fallout was messy. The repo Azure/functions-action — used to deploy code to Azure — was taken down, and every workflow referencing it broke. If you visited the pages, you just saw:

“Access to this repository has been disabled by GitHub Staff due to a violation of GitHub’s terms of service”. 

Microsoft confirmed the takedown on June 8. Spokesperson Ben Hope told TechCrunch the company “temporarily removed some repositories as we investigated potential malicious content,” adding “some have been restored after review, while others may remain offline while work continues”.

They’ve notified a small number of customers who may have pulled the code, but haven’t shared a download count yet. 

How big is this, and why should you care?

This isn’t a one-off. In mid-May, the same Durable Task project was hit on PyPI. On May 19, attackers uploaded three malicious versions in a 35-minute window that planted infostealers hunting for cloud secrets. 

Researchers call the latest incident a “re-compromise.” There is a possibility that Microsoft didn’t fully rotate the tokens from the May breach, so attackers walked back in with the same keys. The malware family is being tracked as Miasma, a descendant of the worm that recently hit npm packages. 

That’s why it matters. This is a classic supply chain attack: poison code that thousands of developers trust, then ride their access into cloud environments. Solo maintainers get hit all the time, but for Microsoft to get breached twice in three weeks is rare — and a reminder that even big tech can miss a cleanup step.

If you’ve pulled anything from Microsoft’s Azure repos in the last month, especially around functions-action or durabletask, check your GitHub notifications and rotate any tokens you used in AI coding tools.
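To find out which of your workflows reference the affected repositories, the sketch below scans workflow YAML for `uses:` lines that point at them. It is an added example, not code from the article, Microsoft or GitHub; the function name and the sample workflow are constructed for illustration, and it only covers `uses:` references in workflow files.

```python
import re

# Repositories named in the article (GitHub owner/repo names are case-insensitive).
AFFECTED = {"azure/functions-action", "azure/durabletask"}

# Matches "uses: owner/repo[/subpath]@ref", optionally quoted or written as a list item.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?([\w.-]+/[\w.-]+)(/[^@\s'"]*)?@([^\s'"#]+)"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: deploy
on: push
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Deploy function app
        uses: Azure/functions-action@v1
        with:
          app-name: example-app
      # - uses: Azure/functions-action@main
      - uses: azure/functions-action@0123456789abcdef0123456789abcdef01234567
"""


def find_affected_uses(workflow_text):
    """Return (line_no, repo, ref, ref_kind) for each step using an affected repo."""
    hits = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)  # commented-out steps start with '#' and never match
        if not m or m.group(1).lower() not in AFFECTED:
            continue
        ref = m.group(3)
        # A tag or branch resolves to whatever the repo serves at run time;
        # a full 40-character commit SHA fixes the exact content that runs.
        kind = "commit-sha" if FULL_SHA_RE.match(ref) else "tag-or-branch"
        hits.append((line_no, m.group(1), ref, kind))
    return hits


if __name__ == "__main__":
    import pathlib, sys
    root = pathlib.Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for wf in sorted(root.glob(".github/workflows/*.y*ml")):
        for line_no, repo, ref, kind in find_affected_uses(wf.read_text(encoding="utf-8")):
            print(f"{wf}:{line_no}: {repo}@{ref} ({kind})")
```

Run it from the root of a checkout (or pass the path as the first argument) to list every matching step with its file and line.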



WireUnwired Editorial Team