Microsoft hit again by credential-stealing malware in software packages

▼ Summary
– 73 cryptographically verified Microsoft open source packages were compromised with credential-stealing code that activates when opened in AI coding agents.
– GitHub disabled the packages citing a terms of service violation, not acknowledging their malicious nature, and only later did Microsoft raise the possibility of infection.
– The attack is the second supply-chain breach of a Microsoft repository account in two months, following the May compromise of the durabletask Python SDK on PyPI.
– The malware, tracked as Miasma, steals credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tools, then spreads laterally through cloud infrastructures.
– The compromise used a stolen Microsoft OIDC token to bypass repository build pipelines, a technique also employed in a separate attack on Red Hat packages.
Late last week, a wave of compromised open source packages originating from Microsoft surfaced on GitHub, each laced with sophisticated credential-stealing malware. The malicious code was designed to execute the moment developers opened the packages within AI coding agents, marking a serious escalation in supply-chain threats.
Security researchers identified a total of 73 packages flagged as malicious after GitHub’s automated systems blocked them. Rather than issuing a clear warning that these packages were compromised,and that any developer who interacted with them via AI tools should treat their systems as breached,GitHub’s notice simply stated the packages had been disabled “due to a violation of GitHub’s terms of service.” The message then directed the package owner to contact the platform for resolution.
Microsoft did not acknowledge the possibility of infection until Monday, when a company spokesperson said in an email: “We have temporarily removed some repositories as we investigate potential malicious content.” For developers, the prudent course is to assume compromise and proceed accordingly.
This marks the second supply-chain attack in two months to breach an official Microsoft repository account. In mid-May, security firm StepSecurity revealed that the Microsoft durabletask Python SDK had been compromised on PyPI. That package, which handles fault-tolerant workflows and distributed orchestrations, sees roughly 400,000 monthly downloads. The attackers, tracked as TeamPCP, injected a 28 KB payload that steals credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations. The malware then spreads laterally through cloud infrastructure to infect additional machines. The breach was achieved by compromising Microsoft’s credentials for publishing the package, allowing the attackers to bypass the repository’s build pipeline entirely.
The malware used in the latest attack is known as Miasma, a clone of TeamPCP’s open-source Mini Shai-Hulud toolkit. According to security firm Cloudsmith, Miasma is engineered to harvest OIDC (OpenID-Connect) token credentials, which are critical in SLSA (Supply-chain Levels for Software Artifacts) provenance attestation,a cryptographic method for verifying software integrity.
As in the May incident, last week’s attack leveraged this functionality to steal a legitimate Microsoft OIDC token. The same technique was also deployed in a separate supply-chain attack that poisoned dozens of Red Hat packages. The recurring pattern underscores a growing vulnerability in the software supply chain, where even trusted, cryptographically signed packages can be weaponized against unsuspecting developers.
(Source: Ars Technica)


