For the 2nd time in weeks, Microsoft packages laced with credential stealer

Dozens of cryptographically verified open source packages from Microsoft were compromised late last week to add advanced credential-stealing code that was triggered when developers opened them in AI coding agents.

In all, multiple researchers said, 73 packages were flagged as malicious when automated systems on GitHub blocked them on the platform. Rather than noting they are malicious—and that developers who used AI agents to work with them should assume their systems are compromised—the Microsoft-owned GitHub said it disabled the packages “due to a violation of GitHub’s terms of service.” The text went on to encourage the package owner to contact GitHub.

Devs: Assume compromise and proceed accordingly

It wasn’t until Monday that Microsoft even raised the possibility the packages were infected. In an email, the company stated: “We have temporarily removed some repositories as we investigate potential malicious content.”

The incident is the second supply-chain attack in as many months to breach an official Microsoft repository account. In mid May, the firm StepSecurity documented the compromise of Microsoft’s durabletask Python SDK on PyPI. The package is a framework for building fault-tolerant workflows and orchestrations to automate distributed transactions and other workflows. It receives 400,000 downloads per month.

The compromise packages executed a 28 KB payload that steals credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations. It then spreads laterally through cloud infrastructures to infect other developer machines. The attack, which has been linked to a threat actor tracked as TeamPCP, poisoned the durabletask package after compromising Microsoft credentials for publishing the package. The technique allows attackers to bypass the repository’s build pipeline entirely.

The malware used in the attack is tracked as Miasma. It’s essentially a clone of TeamPCP’s Mini Shai-Hulud toolkit, which the threat actor open-sourced recently. Security firm Cloudsmith said the malware harvests OIDC (OpenID-Connect) token credentials that are used in SLSA (Supply-chain Levels for Software Artifacts) provenance attestation, a method for providing cryptographically signed guarantees of a software’s integrity.

As was the case in the May compromise of Microsoft’s durabletask, the one last week made use of the functionality to steal a legitimate Microsoft OIDC token. It was also used in a separate supply-chain attack poisoning dozens of Red Hat packages.

“The genius of this Miasma worm lies in how it adhered to legitimate workflows,” Cloudsmith said. “It does not exploit any software vulnerability in GitHub or npm. Instead, it exploits the underlying trust model of the modern engineering ecosystem.” The company continued:

Compromised dev creds led to a legitimate GitHub OIDC token being requested. This was followed by a malicious build being published with valid SLSA provenance, which ultimately led to conventional scanners seeing it as a routine trusted update. By stealing legitimate maintainer credentials, the worm was able to act exactly as an authenticated publisher would have.

Furthermore, Miasma generates a uniquely encrypted payload for each individual infection. This means traditional hash-based IOCs are functionally useless for broad detection, as the file signature changes with every single package version. Andrew McNamara of Red Hat explained in a dedicated blog post where SLSA’s boundaries fall short.

While previous iterations of the Mini Shai-Hulud malware have focused purely on local secret scraping, the Miasma worm appears to have advanced data collectors specifically engineered for cloud identities in GCP and Azure. It attempts to harvest every cloud identity the infected developer machine and CI/CD runners have access to, proving a clear intent from the threat actors to leverage access away from the codebase and directly into live cloud environments.

The credential-stealing function in the Miasma worm infecting the Microsoft packages was triggered as soon as a developer opened it in AI agents, including Claude Code, Gemini CLI, Cursor, and VS Code. Follow-on attacks are likely to occur in the highly feasible event that credentials were successfully harvested from machines that opened the packages in one of the affected AI agents.

The Microsoft GitHub account compromised in the May attack is the same one used late last week. The explanation for this double compromise isn’t currently known. It may mean that Microsoft failed to fully change credentials for the account. It might also be the result of an unknown package run on a Microsoft developer machine that stole the new credentials. Microsoft isn’t providing details at the moment.

The self-replicating cryptographic verification of the malicious packages and the ability to bypass hash-based detection make the attacks difficult to detect. And as the subsequent compromise of the same Microsoft account shows, these breaches can be hard to fully remediate. Anyone who touched any one of the 73 packages—listed here—should drop whatever else they’re doing and thoroughly investigate, lest there are any compromised credentials that will be used in future attacks.