GBHackers

73 Microsoft Packages Weaponized in Password Stealer Attack


GitHub disabled 73 repositories across four Microsoft organizations (Azure, Azure-Samples, microsoft, and MicrosoftDocs) inside a 105-second window.

Each repo now shows GitHub’s “This repository has been disabled. Access to this repository has been disabled by GitHub Staff due to a violation of GitHub’s terms of service” banner.

The scale and timing point to automated abuse detection, not individual manual removals, and the impact reaches from core Azure Functions runtimes to supply-chain plumbing used in millions of CI pipelines.

The most consequential hits landed in the Azure org: 49 repos went dark, including azure-functions-host, azure-webjobs-sdk and extensions, language workers (Node.js, Python, Java, PowerShell, .NET, Go), azure-functions-core-tools, container tooling, the Homebrew tap, and the functions-action and functions-container-action GitHub Actions.

Losing functions-action is particularly disruptive because it’s a referenced action that many workflows call via a floating tag such as Azure/functions-action@v1.

When the source disappears, those pipelines stop resolving and global CI breaks until users switch to pinned commit SHAs or alternate deployment methods.

Opensource malware said in a report shared with GBHackers that the microsoft org lost the Durable Task family (durabletask-dotnet, durabletask-go, durabletask-java, durabletask-js and associated implementations) and the entire Durable Functions ecosystem.

That cluster is especially notable because durabletask was previously compromised on PyPI on May 19, when malicious versions 1.4.1–1.4.3 were published and later attributed to stolen GitHub Actions secrets and the TeamPCP actor.

The recurrence, with the same repo family at the center of a fresh takedown, strongly suggests the initial credential exposure was never fully eradicated.

Azure-Samples lost 13 repos focused on AI and agent demos, fine-tuning samples, and connectors. A few other Microsoft repos across docs and platform tooling were also disabled, indicating enforcement was applied at org-ownership boundaries rather than surgically to a single team.

The complete list of affected repositories is available in public reporting and community compilations linked by several security researchers and Microsoft Learn discussion threads.

Why this matters: beyond convenience, this appears tied to a supply-chain weaponization wave. In late May, TeamPCP’s Mini Shai-Hulud toolkit was forked into public variants (notably “Miasma”) that added Azure and GCP credential collectors.

Miasma was observed infecting npm and other packages and exfiltrating credentials into attacker-created public repos. The worm-style behavior (creating repos and committing harvested secrets) is precisely the kind of mass activity that triggers GitHub's automated abuse systems and matches the 105-second mass disable.

While definitive attribution between June 1 Miasma activity and the June 5 takedown is circumstantial, the overlap in tactics and the presence of Azure collectors make the connection plausible.

Immediate mitigations for teams: stop using mutable action tags and pin Azure actions to commit SHAs; rotate credentials and tokens that a credential-stealer would target (Azure CLI tokens, managed-identity tokens, GitHub Actions OIDC tokens, and package registry publish keys).

Inspect orgs for unexpected public repos or JSON blobs of secrets; search builds for Miasma indicators such as preinstall scripts invoking Bun against an obfuscated _index.js loader; and use alternative deployment methods (Azure CLI, Azure DevOps, Zip Deploy) until the affected actions are restored.
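A lightweight check for two of these mitigations, added here as an example and not taken from the report or from any Microsoft tooling: it flags Azure actions referenced by a mutable tag instead of a full commit SHA, and npm lifecycle hooks that run Bun against an `_index.js` loader. The workflow and package.json inputs are constructed samples, and the 40-hex SHA in the sample is a placeholder.

```python
import json
import re

# A full 40-hex commit SHA is the only action reference GitHub treats as immutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo[/subpath]@ref" lines in a workflow file (no YAML parser needed).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]+)?@(\S+)", re.M)
# npm lifecycle hooks that run automatically during install and are favoured by stealers.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def unpinned_actions(workflow_text: str, owner_prefix: str = "Azure/") -> list:
    """Return (action, ref) pairs under owner_prefix whose ref is not a commit SHA."""
    findings = []
    for action, ref in USES_RE.findall(workflow_text):
        if action.startswith(owner_prefix) and not SHA_RE.match(ref):
            findings.append((action, ref))
    return findings


def suspicious_hooks(package_json_text: str) -> list:
    """Return (hook, command) pairs where a lifecycle script runs Bun on an _index.js file."""
    try:
        scripts = json.loads(package_json_text).get("scripts", {})
    except (json.JSONDecodeError, AttributeError):
        return []  # unparsable or non-object package.json: nothing to inspect
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook, "")
        if re.search(r"\bbun\b", cmd) and "_index.js" in cmd:
            findings.append((hook, cmd))
    return findings


# Constructed sample workflow; the checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  deploy:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: Azure/login@v2
      - name: Deploy
        uses: Azure/functions-action@v1
"""

# Constructed sample package.json mimicking the preinstall pattern described above.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg",
    "scripts": {"preinstall": "bun ./_index.js", "test": "node test.js"},
})

if __name__ == "__main__":
    print("unpinned Azure actions:", unpinned_actions(SAMPLE_WORKFLOW))
    print("suspicious hooks:", suspicious_hooks(SAMPLE_PACKAGE_JSON))
```

Run it over `.github/workflows/*.yml` and every `package.json` in a build tree; any hit on the first check is a mutable reference to replace with a pinned SHA, and any hit on the second warrants quarantining the package before install.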

This incident underlines a hard truth for cloud-native development: CI/CD and package registries are high-value attack surfaces.

Even well-resourced organizations can be tripped by stolen automation credentials, and automated enforcement can cause wide collateral damage.

Security teams should treat action credentials as tier-one secrets, lock down workflow publish paths, and adopt immutable references to reduce blast radius in future supply-chain incidents.
