{"slug": "for-the-2nd-time-in-weeks-microsoft-packages-laced-with-credential-stealer", "title": "For the 2nd time in weeks, Microsoft packages laced with credential stealer", "summary": "Microsoft confirmed that 73 of its cryptographically verified open source packages were compromised last week, embedding credential-stealing malware that activated when developers opened them in AI coding agents. The attack, the second supply-chain breach of a Microsoft repository in two months, deployed a 28 KB payload capable of stealing credentials from AWS, Azure, GCP, Kubernetes, and over 90 developer tools. GitHub disabled the packages citing a terms of service violation, while Microsoft only acknowledged potential malicious content on Monday, leaving developers to assume their systems are compromised.", "body_md": "Dozens of cryptographically verified open source packages from Microsoft were compromised late last week to add advanced credential-stealing code that was triggered when developers opened them in AI coding agents.\n\nIn all, [multiple](https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositories-disabled-after-supply-chain-attack-targeting-ai-coding-agents) researchers [said](https://opensourcemalware.com/blog/miasma-reaches-azure), 73 packages were flagged as malicious when automated systems on GitHub blocked them on the platform. Rather than noting they are malicious—and that developers who used AI agents to work with them should assume their systems are compromised—the Microsoft-owned GitHub said it disabled the packages “due to a violation of GitHub’s terms of service.” The text went on to encourage the package owner to contact GitHub.\n\n## Devs: Assume compromise and proceed accordingly\n\nIt wasn’t until Monday that Microsoft even raised the possibility the packages were infected. In an email, the company stated: “We have temporarily removed some repositories as we investigate potential malicious content.”\n\nThe incident is the second supply-chain attack in as many months to breach an official Microsoft repository account. In mid May, the firm StepSecurity [documented](https://www.stepsecurity.io/blog/microsofts-durabletask-pypi-package-compromised-in-supply-chain-attack) the compromise of Microsoft’s durabletask Python SDK on PyPI. The [package](https://learn.microsoft.com/en-us/azure/durable-task/common/what-is-durable-task) is a framework for building fault-tolerant workflows and orchestrations to automate distributed transactions and other workflows. It receives 400,000 downloads per month.\n\nThe compromise packages executed a 28 KB payload that steals credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations. It then spreads laterally through cloud infrastructures to infect other developer machines. The attack, which has been linked to a threat actor tracked as TeamPCP, poisoned the durabletask package after compromising Microsoft credentials for publishing the package. The technique allows attackers to bypass the repository’s build pipeline entirely.\n\nThe malware used in the attack is tracked as Miasma. It’s essentially a clone of TeamPCP’s Mini Shai-Hulud toolkit, which the threat actor open-sourced recently. Security firm Cloudsmith [said](https://cloudsmith.com/blog/miasma-worms-path-of-destruction) the malware harvests OIDC (OpenID-Connect) token credentials that are used in SLSA (Supply-chain Levels for Software Artifacts) [provenance attestation](https://docs.github.com/en/actions/concepts/security/artifact-attestations), a method for providing cryptographically signed guarantees of a software’s integrity.\n\nAs was the case in the May compromise of Microsoft’s durabletask, the one last week made use of the functionality to steal a legitimate Microsoft OIDC token. It was also used in a separate supply-chain attack poisoning [dozens of Red Hat packages](https://arstechnica.com/security/2026/06/dozens-of-red-hat-packages-backdoored-through-its-offical-npm-channel/).", "url": "https://wpnews.pro/news/for-the-2nd-time-in-weeks-microsoft-packages-laced-with-credential-stealer", "canonical_source": "https://arstechnica.com/security/2026/06/for-the-2nd-time-in-weeks-microsoft-packages-laced-with-credential-stealer/", "published_at": "2026-06-08 18:34:23+00:00", "updated_at": "2026-06-11 17:12:00.145744+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "ai-tools"], "entities": ["Microsoft", "GitHub", "StepSecurity", "OpenSourceMalware"], "alternates": {"html": "https://wpnews.pro/news/for-the-2nd-time-in-weeks-microsoft-packages-laced-with-credential-stealer", "markdown": "https://wpnews.pro/news/for-the-2nd-time-in-weeks-microsoft-packages-laced-with-credential-stealer.md", "text": "https://wpnews.pro/news/for-the-2nd-time-in-weeks-microsoft-packages-laced-with-credential-stealer.txt", "jsonld": "https://wpnews.pro/news/for-the-2nd-time-in-weeks-microsoft-packages-laced-with-credential-stealer.jsonld"}}