GitHub disabled 73 repositories across four Microsoft organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. Each repository now shows GitHub’s banner: “This repository has been disabled. Access to this repository has been disabled by GitHub Staff due to a violation of GitHub’s terms of service.”
The scale and timing suggest automated abuse detection rather than staff taking repositories down one by one. The takedown affects core Azure Functions operations and the supply-chain systems used in many CI pipelines.
The Azure organization was hit hardest: 49 repositories were disabled, including azure-functions-host, azure-webjobs-sdk and extensions, language workers (Node.js, Python, Java, PowerShell, .NET, Go), azure-functions-core-tools, container tools, the Homebrew tap, and the functions-action and functions-container-action GitHub Actions.
Losing functions-action is especially disruptive because many workflows reference it by tag, such as Azure/functions-action@v1. With the repository gone, those pipelines break, and CI fails broadly until users switch to pinned commit SHAs or other deployment methods.
73 Microsoft Packages Weaponized
That the same group of repositories is involved in another takedown shows that the first leak of credentials was never completely remediated.
Azure-Samples lost 13 repositories covering AI and agent demos, fine-tuning examples, and connectors. Several Microsoft repositories for documentation and tools were also disabled, which shows that enforcement was applied across whole organizations rather than to a single team.
The full list of affected repositories is available in public reports and community compilations shared by security researchers and Microsoft Learn discussion threads.
Why this matters: beyond convenience, this appears tied to a supply-chain weaponization wave. In late May, TeamPCP’s Mini Shai-Hulud toolkit was forked into public variants (notably “Miasma”) that added Azure and GCP credential collectors.
Miasma was seen infecting npm and other packages and stealing secrets, which it placed in attacker-created public repositories. This worm-like behavior of creating repositories and storing stolen secrets in them is exactly what triggers GitHub’s automated abuse systems, leading to the 105-second mass shutdown.
While we can’t say for sure that the Miasma activity on June 1 caused the takedown on June 5, the similar tactics and the Azure collectors being involved make it likely.
Immediate mitigations for teams: stop using mutable action tags and pin Azure actions to specific commit SHAs; rotate credentials and tokens that a credential stealer might target (Azure CLI tokens, managed-identity tokens, GitHub Actions OIDC tokens, and package registry publish keys).
Audit your organizations for public repositories or JSON files containing secrets. Inspect builds for signs of Miasma, such as preinstall scripts that invoke Bun through a hidden _index.js loader. Also use alternative deployment methods, such as Azure CLI, Azure DevOps, or Zip Deploy, until the affected actions are fixed.
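The two repository checks above can be scripted. The following is an added example, not code from GitHub, Microsoft, or the reports cited here: it flags `uses:` references that are not pinned to a full 40-character commit SHA and flags install hooks in package.json that run Bun against `_index.js`. The sample workflow and package.json are constructed, and checking `install` and `postinstall` in addition to `preinstall` is an assumption beyond what is described above.

```python
import json
import re

# `uses: owner/repo[/path]@ref`, optionally quoted, on a step or reusable-workflow job.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#@]+)@([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # article names preinstall only

# Constructed sample inputs (not taken from any real repository).
SAMPLE_WORKFLOW = """\
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Deploy
        uses: Azure/functions-action@v1
      - uses: "Azure/functions-container-action@master"
"""
SAMPLE_PACKAGE = '{"name": "demo", "scripts": {"preinstall": "bun run _index.js", "test": "jest"}}'


def unpinned_actions(workflow_text):
    """Return (action, ref) pairs whose ref is a tag, branch or short SHA."""
    findings = []
    for action, ref in USES_RE.findall(workflow_text):
        if action.startswith("docker://"):
            continue  # container images are pinned by digest, a separate check
        if not FULL_SHA_RE.fullmatch(ref.lower()):
            findings.append((action, ref))
    return findings


def suspicious_install_hooks(package_json_text):
    """Return (hook, command) pairs where an install hook runs Bun against _index.js."""
    scripts = json.loads(package_json_text).get("scripts") or {}
    hits = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook, "")
        if isinstance(cmd, str) and re.search(r"\bbun\b", cmd) and "_index.js" in cmd:
            hits.append((hook, cmd))
    return hits


if __name__ == "__main__":
    for action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref}")
    for hook, cmd in suspicious_install_hooks(SAMPLE_PACKAGE):
        print(f"suspicious {hook}: {cmd}")
```

Run it over every file under `.github/workflows/` and every package.json in a checkout; a hit on the install-hook check is a lead to investigate, not proof of compromise.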
This event highlights an important fact about cloud development: CI/CD and package registries are key targets for attacks.
Even well-resourced organizations can be tripped up by stolen automation credentials, and automated actions can cause major collateral damage.
Security teams should treat action credentials as high-value secrets. They need to secure workflow publish paths and use immutable references to lower risk in future supply-chain incidents.
