Dozens of cryptographically verified open source packages from Microsoft were compromised late last week to add advanced credential-stealing code that was triggered when developers opened them in AI coding agents.
In all, multiple researchers said, 73 packages were flagged as malicious when automated systems on GitHub blocked them on the platform. Rather than noting they are malicious—and that developers who used AI agents to work with them should assume their systems are compromised—the Microsoft-owned GitHub said it disabled the packages “due to a violation of GitHub’s terms of service.” The text went on to encourage the package owner to contact GitHub.
Devs: Assume compromise and proceed accordingly #
It wasn’t until Monday that Microsoft even raised the possibility the packages were infected. In an email, the company stated: “We have temporarily removed some repositories as we investigate potential malicious content.”
The incident is the second supply-chain attack in as many months to breach an official Microsoft repository account. In mid May, the firm StepSecurity documented the compromise of Microsoft’s durabletask Python SDK on PyPI. The package is a framework for building fault-tolerant workflows and orchestrations to automate distributed transactions and other workflows. It receives 400,000 downloads per month.
The compromise packages executed a 28 KB payload that steals credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations. It then spreads laterally through cloud infrastructures to infect other developer machines. The attack, which has been linked to a threat actor tracked as TeamPCP, poisoned the durabletask package after compromising Microsoft credentials for publishing the package. The technique allows attackers to bypass the repository’s build pipeline entirely.
The malware used in the attack is tracked as Miasma. It’s essentially a clone of TeamPCP’s Mini Shai-Hulud toolkit, which the threat actor open-sourced recently. Security firm Cloudsmith said the malware harvests OIDC (OpenID-Connect) token credentials that are used in SLSA (Supply-chain Levels for Software Artifacts) provenance attestation, a method for providing cryptographically signed guarantees of a software’s integrity.
As was the case in the May compromise of Microsoft’s durabletask, the one last week made use of the functionality to steal a legitimate Microsoft OIDC token. It was also used in a separate supply-chain attack poisoning dozens of Red Hat packages.