Microsoft Packages: Assume Compromise
Dozens of Microsoft packages were hit with credential-stealing malware triggered by AI coding agents. Here is what to do.
Microsoft packages now sit on the front line of a sophisticated supply chain attack that targets developers directly through their AI coding tools. Dozens of cryptographically verified open-source packages from Microsoft were compromised late last week. Malicious actors injected advanced credential-stealing code that executes automatically the moment a developer opens a package in an AI coding agent.
This campaign is massive in scale. GitHub's automated systems flagged and blocked 73 packages on the platform, but rather than explicitly warning developers that the packages were malicious, GitHub simply disabled them and cited a violation of its terms of service. This quiet removal left many developers completely in the dark about the active threat to their systems.
AI agents trigger the trap
The credential-stealing function triggers as soon as a developer opens one of the compromised Microsoft packages in a popular AI assistant. It does not wait for a manual build or deployment to run, and that is the danger.
The infected packages target several widely used tools:
- Claude Code
- Gemini CLI
- Cursor
- VS Code
Act immediately if you've opened any affected package in these environments. The malicious code is a 28 KB file that targets highly sensitive developer data: it harvests credentials from AWS, Azure, GCP, Kubernetes, and password managers, alongside more than 90 developer tool configurations.
Anatomy of the Miasma worm
The malware driving this attack is tracked as Miasma. It is a clone of the Mini Shai-Hulud toolkit, which TeamPCP open-sourced. Unlike older variants that only scraped local secrets, Miasma features advanced data collectors specifically engineered for cloud identities, and it tries to harvest them all.

Exploiting the trust model
This attack doesn't rely on traditional software vulnerabilities. Instead, it exploits the underlying trust model of the modern software engineering ecosystem. The attackers compromised Microsoft credentials used for publishing the packages, which allowed them to bypass the repository build pipeline entirely.
Compromised developer credentials led to a legitimate GitHub OIDC token being requested. A malicious build was then published with valid SLSA provenance, so conventional scanners saw it as a routine trusted update.
Because the attackers stole legitimate maintainer credentials, the worm acted exactly like an authenticated publisher, requesting a legitimate GitHub OpenID Connect (OIDC) token used in Supply-chain Levels for Software Artifacts (SLSA) provenance attestation. This cryptographic signature made the malicious update appear entirely trustworthy to standard security scanners.
Useless file signatures
Traditional defense mechanisms won't help you here. Miasma generates a uniquely encrypted payload for each individual infection, and since the file signature changes with every single package version, traditional hash-based indicators of compromise are functionally useless for broad detection.
A repeating pattern of compromise
This isn't an isolated event. It's the second supply chain attack in just two months to breach an official Microsoft repository account, compromising a widely used Python SDK that gets 400,000 downloads per month. The attackers used the exact same technique in mid-May.
The durabletask connection
The durabletask framework builds fault-tolerant workflows and orchestrates distributed transactions. Threat actors used the same compromised Microsoft GitHub account in both the May attack and the incident late last week. Why this account was compromised twice remains unclear.
Microsoft may not have fully rotated credentials after the first breach. It's also possible that a developer machine at Microsoft ran an unknown malicious package that stole the new credentials, a scenario that would explain the second intrusion without requiring a separate attack vector. Microsoft hasn't provided details.
The threat of lateral movement
The danger doesn't stop at the developer workstation. Once the Miasma worm steals cloud credentials, it attempts to spread laterally through cloud infrastructure to infect other developer machines, shifting access away from the local codebase and directly into live production cloud environments.
Immediate steps for developers
First, if you or your CI/CD pipelines touched any of the 73 compromised packages, you must assume your systems are compromised and proceed accordingly. Do not wait for a patch or an official notification.
Second, revoke and rotate every credential stored on those affected machines, including AWS keys, Azure tokens, GCP service accounts, and Kubernetes secrets. Don't stop there. Finally, inspect your cloud environments for any signs of lateral movement or unauthorized access, because follow-on attacks are highly likely if the harvested credentials remain active. Act fast, before they're exploited.
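Deciding whether a machine or pipeline "touched" an affected package cannot rest on file hashes, since the payload differs per infection, so the check has to key on the published package name and version. The following is an added example, not code from the article, Microsoft or GitHub: it matches pinned dependencies against an advisory by normalized name and version. The pip-style input format, the advisory contents and every package name in it are constructed placeholders, not the real list of 73 packages.

```python
import re

# Constructed advisory: placeholder names and versions, NOT the real list of 73 packages.
ADVISORY = {
    "example-affected-sdk": {"1.4.2", "1.4.3"},
    "example-affected-cli": {"0.9.0"},
}

# Constructed `pip freeze` style snapshot from a developer machine or CI image.
SAMPLE_FREEZE = """\
# build image snapshot (constructed)
requests==2.32.3
Example_Affected.SDK==1.4.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
example-affected-cli[extras]==0.8.1 ; python_version >= "3.9"
example-affected-cli==0.9.0
-e git+https://example.invalid/repo.git#egg=local-tool
"""

# name, optional [extras], then an exact pin; stops before markers or continuations.
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;\\]+)")


def normalize(name):
    """PEP 503 normalization, so Foo_Bar, foo.bar and foo-bar compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_affected(freeze_text, advisory):
    """Return sorted (name, version) pins that match the advisory by coordinate.

    File hashes are deliberately ignored: per the article they change with
    every infection, while the published name and version stay stable.
    """
    wanted = {normalize(n): set(v) for n, v in advisory.items()}
    hits = set()
    for raw in freeze_text.splitlines():
        m = PIN.match(raw.strip())  # comments, -e and --hash lines do not match
        if not m:
            continue
        name, version = normalize(m.group(1)), m.group(2)
        if version in wanted.get(name, ()):
            hits.add((name, version))
    return sorted(hits)


if __name__ == "__main__":
    for name, version in find_affected(SAMPLE_FREEZE, ADVISORY):
        print(f"AFFECTED {name}=={version}: assume compromise, rotate credentials")
```

Any hit means the host or pipeline that produced the snapshot falls under the steps above, regardless of what a hash-based scanner reported.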
Frequently Asked Questions
What is the primary threat posed by the compromised Microsoft packages?
The compromised Microsoft packages contain advanced credential-stealing code that automatically executes when a developer opens them in an AI coding agent. This code harvests sensitive developer data, including credentials from AWS, Azure, GCP, Kubernetes, and password managers, along with over 90 developer tool configurations.
Why did GitHub's removal of the malicious packages leave developers unaware of the threat?
GitHub's automated systems flagged and blocked 73 packages on the platform, but rather than explicitly warning developers that the packages were malicious, GitHub simply disabled them and cited a violation of its terms of service. This quiet removal left many developers completely in the dark about the active threat to their systems.
How did the attackers manage to bypass traditional security scanners and make the malicious updates appear trustworthy?
The attackers stole legitimate maintainer credentials and used them to request a legitimate GitHub OpenID-Connect token used in Supply-chain Levels for Software Artifacts (SLSA) provenance attestation. This cryptographic signature made the malicious update appear entirely trustworthy to standard security scanners, as the worm acted exactly like an authenticated publisher.
What immediate steps should developers take if they have interacted with the compromised packages?
Developers should assume their systems are compromised and proceed accordingly without waiting for a patch or official notification. They must revoke and rotate every credential stored on affected machines, including AWS keys, Azure tokens, GCP service accounts, and Kubernetes secrets, and inspect their cloud environments for signs of lateral movement or unauthorized access.
According to the article, why might the same Microsoft GitHub account have been compromised twice in two months?
The article suggests two possible explanations: Microsoft may not have fully rotated credentials after the first breach, or a developer machine at Microsoft may have run an unknown malicious package that stole the new credentials. However, Microsoft has not provided details, so the exact reason remains unclear.