Miasma Worm Compromises 73 Microsoft GitHub Repos
A self-replicating worm, Miasma (a variant of the previously observed Mini Shai-Hulud worm), has recently compromised 73 Microsoft GitHub repositories across four of its organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. This incident escalates ongoing supply chain attacks by exploiting trusted mechanisms within open-source ecosystems to spread malicious code. GitHub has disabled access to the affected repositories as security researchers track the worm's changing tactics.
The Miasma worm operates by stealing developer credentials and secrets, then using them to push malicious code to new packages and repositories, creating a persistent, self-propagating infection. This strategy allows the malware to bypass conventional defenses that rely on signature-based detection or trust in authenticated publishers. The attack demonstrates a significant vulnerability in the trust models supporting modern software development and delivery.
The compromise of Microsoft's infrastructure shows how broad and adaptable this threat is, as the worm has demonstrated an ability to mutate and change its propagation tactics. The focus on developer tools and supply chains signals a targeted approach aimed at widespread impact by exploiting a single point of entry within the development pipeline. The ongoing nature of this campaign requires immediate, coordinated defensive measures across the software development community.
How is the Miasma Worm Propagating in Microsoft's GitHub?
The Miasma worm propagates by exploiting established trust relationships within software supply chains, notably within npm and PyPI registries and directly on GitHub repositories. Security researchers from OpenSourceMalware reported the compromise of 73 Microsoft GitHub repositories, affecting important projects such as Azure/azure-functions-host and various Durable Task ecosystem components. The worm's success lies in compromising legitimate developer credentials and then using those to perform actions indistinguishable from routine updates by authorized maintainers.
The attack specifically targets developer environments by embedding malicious code in widely used packages and projects. When a developer clones an infected repository and opens it in an AI coding agent or executes standard development scripts, the payload detonates. This method avoids traditional vulnerability exploitation in platforms like GitHub or npm, instead focusing on the implicit trust associated with a package published by an authenticated maintainer.
The initial compromise often involves stealing developer credentials and secrets. Subsequently, the worm pushes malicious updates to existing packages or creates new public repositories, often disguised with names such as "Miasma: The Spreading Blight" or "Hades - The End for the Damned." These repositories then serve as further infection vectors, demonstrating the worm's ability to spread rapidly across the open-source ecosystem. This self-replicating characteristic distinguishes Miasma from many other forms of malware, enabling it to rapidly expand its footprint.
The Miasma campaign has evolved to skip the npm registry entirely in some instances. Threat actors have been observed directly pushing malicious code to source repositories like icflorescu/mantine-datatable and its related projects. The embedded payload runner is a 4.3 MB staged Bun loader, configured for automatic execution through popular developer tools. These tools include Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script, showing a broad targeting of developer workflows. This approach transforms the GitHub source repository itself into a vector for persistence, rather than solely relying on registry poisoning.
How are Adaptive AI Worms Predicted to Impact Enterprises?
Adaptive, agentic AI worms are predicted to emerge as the next significant enterprise cyber threat within the next six months to a year, according to researchers from BeyondTrust. These advanced AI worms, metaphorically described as "viruses with wings and brains," are designed to be autonomous agents capable of rapidly self-propagating across diverse environments. Their primary mechanisms involve searching for zero-day vulnerabilities, exploiting known but unpatched software flaws, and discovering unprotected secrets in real-time.
Researchers at the University of Toronto, the Canadian AI incubator Vector Institute, enterprise-software firm ServiceNow, and the University of Cambridge have developed a proof-of-concept (PoC) agentic AI worm to study this impending threat. This PoC can adapt to new environments, identify vulnerabilities, and generate custom exploitation programs on the fly. Unlike traditional worms that target specific, fixed vulnerabilities, these adaptive worms use a recursive reasoning loop to detect and exploit diverse weaknesses as they propagate, making them extremely difficult to stop through conventional patching methods alone. For more insight into how AI influences new exploit development, refer to our analysis on AI accelerates exploit development.
The implications for enterprise security are substantial. Kinnaird McQuade, chief security architect at BeyondTrust, warned that such an attack would likely target developers and engineers who often possess broad access across various cloud environments, allowing the worm to pivot extensively. The potential for many companies to not recover from such an event shows how severe such an event could be. The challenge is compounded by the vast amount of software in use, creating an insurmountable patching issue even with advanced vulnerability-finding technologies.
The development of these AI agents marks an evolutionary step in malware capabilities, moving beyond attackers simply using large language models (LLMs) for coding assistance or obfuscation during execution. The real-world PoC agents demonstrate a shift towards dynamic, goal-directed reasoning that can adapt to the unique vulnerabilities of each target system in real-time. This level of autonomy, driven by small, free AI models, enables the agents to use a system's own resources against itself to identify weaknesses and spread. Our research on Agentic AI Threats provides further context on this emerging danger.
The historical precedent of academic research catalyzing malicious development, such as the SQL Slammer worm appearing five months after a paper on "flash worms," adds urgency to these predictions. While technical hurdles exist, such as the increased detectability of resource-intensive AI models on typical systems, the barrier to creating AI-powered worms is low. Defenses will need to emphasize hardening, enhanced visibility, strict least privilege principles, and aggressive auto-remediation actions to combat this changing threat environment. The foundational principles of zero-trust architectures and network micro-segmentation remain crucial for limiting lateral movement and propagation. Learn more about the broader security risks posed by Autonomous AI Agents in our dedicated blog post.
What New Vulnerabilities Did AI Agents Uncover in FFmpeg and Chrome?
An autonomous AI agent developed by security startup depthfirst recently discovered 21 previously unknown zero-day vulnerabilities in FFmpeg, the ubiquitous open-source multimedia framework. These bugs, primarily heap or stack overflows in parsers and demuxers, spanned components from the TS demuxer to the VP9 decoder, with some having been latent for as long as 23 years. The company identified nine specific CVEs, CVE-2026-39210 through CVE-2026-39218, noting that the remaining issues are fixed but awaiting identifiers. A proof-of-concept (PoC) for these vulnerabilities has also been publicly released.
At the same time, Google released Chrome 149, addressing a record 429 security bugs in a single update. Over 100 of these vulnerabilities were classified as critical or high severity, predominantly use-after-free errors and insufficient input validation issues. The most severe flaw, CVE-2026-10881 (CVSS: 9.6), is an out-of-bounds read and write bug in the ANGLE graphics engine. This vulnerability could allow a crafted web page to escape the browser's sandbox and execute arbitrary code on the host system. Google awarded $97,000 for its discovery.
While the majority of high-severity bugs in Chrome 149 were discovered internally by Google, the sheer volume of fixes points to an accelerating pace of vulnerability disclosure, partly influenced by AI. Google's recent bounty program overhaul, prompted by a flood of AI-generated submissions, reflects the increasing role of automated tools in uncovering vulnerabilities. Previous AI efforts, such as Google's Big Sleep agent and Anthropic's Mythos model, have also successfully identified numerous flaws in FFmpeg, including a 16-year-old H.264 flaw.
The efficiency of AI in vulnerability discovery is also demonstrated by the recent finding of a two-year-old authenticated Remote Code Execution (RCE) flaw in Redis by another autonomous AI tool. A February study also demonstrated AI agents reproducing working PoCs for more than half of 100 real Linux kernel N-day bugs, surpassing the efficacy of traditional fuzzing techniques. This increasing pace of discovery necessitates shorter patch cycles, widespread auto-updates, and the prioritization of dependency bumps containing CVE fixes as critical security work.
Which Threat Actors Are Exploiting the PAN-OS GlobalProtect Vulnerability?
Unspecified threat actors are actively exploiting CVE-2026-0257 (CVSS: 7.8), an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS GlobalProtect portal and gateway components. Palo Alto Networks confirmed active exploitation of this flaw on May 29, 2026, leading to its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog. The vulnerability allows attackers to bypass security restrictions and establish unauthorized VPN connections, granting access to internal networks.
The exploitation primarily impacts systems where GlobalProtect is enabled with authentication override cookies configured alongside specific certificate settings. In such configurations, threat actors can circumvent authentication controls and initiate VPN sessions without valid credentials. Rapid7 observed two distinct exploitation waves, both assessed as likely originating from a single threat actor due to consistent device identifiers. The first wave, on May 17, involved suspicious cookie authentication to local admin accounts, while the second, on May 21, resulted in VPN IP address assignments and subsequent internal network access.
Panorama and Cloud Next-Generation Firewall (Cloud NGFW) deployments are not affected by this issue. However, numerous versions of PAN-OS across branches 12.1, 11.2, 11.1, and 10.2 are vulnerable, alongside specific Prisma Access versions. CISA has mandated that federal agencies remediate this vulnerability by June 1, 2026, because of the threat's serious nature.
A publicly available Proof-of-Concept (PoC) script for CVE-2026-0257 has been developed by Rapid7 Labs. This script assists security teams in validating their exposure by simulating the authentication bypass under controlled conditions. Organizations using affected PAN-OS or Prisma Access deployments are advised to apply vendor-provided security patches immediately. As temporary mitigations, Palo Alto Networks recommends disabling the authentication override feature or generating a new certificate used exclusively for authentication override.
| Product/Component | Affected Versions | Unaffected Versions |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 12.1 | < 12.1.4-h6, < 12.1.7 | >= 12.1.4-h6, >= 12.1.7 |
| PAN-OS 11.2 | < 11.2.4-h17, < 11.2.7-h14, < 11.2.10-h7, < 11.2.12 | >= 11.2.4-h17, >= 11.2.7-h14, >= 11.2.10-h7, >= 11.2.12 |
| PAN-OS 11.1 | < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15 | >= 11.1.4-h33, >= 11.1.6-h32, >= 11.1.7-h6, >= 11.1.10-h25, >= 11.1.13-h5, >= 11.1.15 |
| PAN-OS 10.2 | < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6 | >= 10.2.7-h34, >= 10.2.10-h36, >= 10.2.13-h21, >= 10.2.16-h7, >= 10.2.18-h6 |
| Prisma Access 11.2.0 | < 11.2.7-h13* | >= 11.2.7-h13* |
| Prisma Access 10.2.0 | < 10.2.10-h36* | >= 10.2.10-h36* |
Are US Gas Station Tank Gauge Systems Under Active Attack?
Yes, over 900 automatic tank gauge (ATG) systems across the United States are exposed online and are subject to ongoing attacks, according to a joint advisory from CISA, the FBI, the NSA, and the Department of Energy. These systems, important for monitoring fuel and chemical storage tanks, are found in various critical infrastructure sectors, including gas stations and industrial facilities. Shadowserver reported 909 exposed ATG devices in the United States alone out of over 1,000 globally.
Threat actors are targeting these internet-exposed ATG systems to alter system settings through command execution attacks. The attacks use various security flaws, including hardcoded credentials, authentication bypasses, SQL injection vulnerabilities, OS command execution flaws, and privilege escalation weaknesses. While the U.S. government has not yet attributed the recent malicious cyber activity to a specific nation-state or threat actor group, CNN previously reported that Iranian hackers had breached similar systems, manipulating display readings at multiple gas stations.
Successful compromises enable attackers to disable system alerts, which could increase the risk of leaks or equipment failures and potentially cause permanent damage to the targeted tank systems. Although previous incidents primarily involved manipulating display readings rather than altering actual fuel levels, the potential for hindering automated fuel leak detection and other safety functions is a significant concern. The targeting of industrial control systems by Iranian state-backed hackers has also been noted in other advisories, impacting devices like Rockwell Automation/Allen-Bradley PLCs.
Critical infrastructure organizations are advised to take immediate action to secure these systems. Key recommendations include restricting remote access to ATG systems from the internet, implementing controlled access through firewalls, VPNs, access control lists, and segmenting networks. Organizations should also replace default passwords with strong, unique credentials, apply all available security updates, monitor systems for unauthorized changes, and deploy multi-factor authentication where feasible.
Technical Takeaways
- The Miasma worm compromises software supply chains by stealing developer credentials and pushing malicious code to 73 Microsoft GitHub repositories, showing how it evades trust models.
- AI agents are accelerating vulnerability discovery, with depthfirst finding 21 zero-days in FFmpeg and Chrome 149 patching a record 429 bugs, including a severe sandbox escape (CVE-2026-10881).
- The widespread adoption of AI in both offensive and defensive cybersecurity requires a quick shift towards shorter patch cycles, automated updates, and treating dependency updates with CVE fixes as high-priority security tasks.
- Active exploitation of Palo Alto Networks PAN-OS GlobalProtect vulnerability CVE-2026-0257 allows authentication bypass and unauthorized VPN access, showing the importance of immediate patching and strict access controls for network perimeter devices.
- Over 900 US-based Automatic Tank Gauge (ATG) systems remain exposed and under ongoing attack, showing critical infrastructure is vulnerable to simple exploitation methods like weak credentials and inadequate network segmentation, which risks physical system integrity.
