Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub, disrupting continuous integration pipelines.
The incident occurred on June 5, and it was contained within just 105 seconds. The company told BleepingComputer that the repositories were removed due to concerns that they distributed "potential malicious content."
Multiple researchers confirmed that the repos were pulled after a compromise during a Miasma/Shai-Hulud supply-chain campaign.
The OpenSourceMalware platform notes that 'durabletask', a repository in Microsoft's Azure organization on GitHub, was compromised in May, indicating that an incomplete cleanup allowed the threat actor to return with a new compromise. However, this has not been confirmed.
Immediately after the repositories were removed, GitHub displayed a message explaining that the action was taken by GitHub Staff "due to a violation of GitHub's terms of service."
A Microsoft representative responded to user concerns in a community discussion, stating that the repositories were disabled because of “an internal management issue” and that an investigation was underway.
The most significant immediate effect of this incident was disabling access to ‘Azure/functions-action,’ a GitHub Action used by many developers to deploy Azure Functions.
Workflows referencing it stopped working because there was nothing in the specified repository to resolve the action, causing an outage and confusion.
At the time of writing, though, all repositories have been restored and are considered clean and safe to use.
However, the OpenSourceMalware platform notes that the ‘durabletask’ package on the Python Package Index (PyPI) had been compromised in May, when the threat actor pushed three malicious versions (1.4.1, 1.4.2, 1.4.3).
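As an added defensive check (not code from the article, Microsoft, or the durabletask project), the script below scans a requirements-style file for pins or version ranges that could resolve to the three durabletask releases the article reports as malicious. The sample requirements file and the simplified specifier handling are my own constructions; it reports what a resolver could pick, not what is currently installed.

```python
import re

# Releases the article reports as malicious on PyPI (versions from the page).
MALICIOUS = {"durabletask": {"1.4.1", "1.4.2", "1.4.3"}}

# Constructed sample requirements.txt, not a real project file.
SAMPLE_REQUIREMENTS = """# constructed sample
azure-functions>=1.20
durabletask==1.4.2          # exact pin on a malicious release
durabletask>=1.4,<1.5       # range that can resolve to 1.4.1-1.4.3
durabletask==1.4.0          # older release, not in the reported set
DurableTask~=1.4.3          # compatible release, still includes 1.4.3
"""

def parse_version(v):
    """Reduce a version string to a 3-tuple of ints (simplified PEP 440)."""
    parts = [int(p) for p in re.findall(r"\d+", v)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def satisfies(version, clause):
    """True if `version` matches one specifier clause such as '>=1.4' or '~=1.4.1'."""
    m = re.fullmatch(r"(==|!=|<=|>=|<|>|~=)(.+)", clause.strip())
    if not m:
        return True  # unrecognised clause: assume it excludes nothing (conservative)
    op, target = m.group(1), m.group(2).strip()
    v, t = parse_version(version), parse_version(target)
    if op == "==": return v == t
    if op == "!=": return v != t
    if op == "<":  return v < t
    if op == "<=": return v <= t
    if op == ">":  return v > t
    if op == ">=": return v >= t
    # ~=: compatible release, i.e. >= target with all but the last given component fixed
    n = len(target.split("."))
    return v >= t and v[:n - 1] == t[:n - 1]

def parse_requirement(line):
    """Return (normalised name, [clauses]) for a requirement line, or None."""
    line = line.split("#", 1)[0].split(";", 1)[0].strip()
    if not line or line.startswith("-"):
        return None  # blank, comment, or pip option such as -r / -e
    m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$", line)
    if not m:
        return None
    name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
    return name, [c for c in m.group(3).split(",") if c.strip()]

def exposed_versions(line, malicious=MALICIOUS):
    """Malicious versions this requirement line could resolve to (empty if none)."""
    parsed = parse_requirement(line)
    if parsed is None:
        return []
    name, clauses = parsed
    # An unpinned requirement has no clauses, so every malicious version is reachable.
    return sorted(v for v in malicious.get(name, ()) if all(satisfies(v, c) for c in clauses))

def scan_requirements(text):
    """Return [(line number, line, [versions])] for every exposed requirement."""
    return [(n, l.strip(), exposed_versions(l))
            for n, l in enumerate(text.splitlines(), 1) if exposed_versions(l)]
```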