Are These Microsoft Packages Safe? What to Know
Dozens of Microsoft packages were laced with a credential stealer. If you use AI coding agents, here is what you must do.
Last week, developers opened Microsoft packages in AI coding agents and triggered a massive attack that compromised 73 cryptographically verified open-source packages on GitHub. It's still spreading. GitHub's automated systems blocked the malicious credential-stealing files, but the fallout isn't contained yet, and we can't ignore this: if you use AI assistants in your workflow, you need to understand what happened immediately.
Here's the deal. The affected repositories didn't just contain bad code. They carried a highly sophisticated payload designed to strip your systems of critical access keys, and this is the second time in a matter of months that a major Microsoft repository account has been breached. So if you're wondering whether this matters, it does, and here's why.
How the attack bypassed security
This wasn't a standard exploit. The threat actor, tracked as TeamPCP, didn't find a vulnerability in GitHub or npm. Instead, they compromised legitimate Microsoft publishing credentials, bypassed the standard build pipeline completely, and published malicious updates directly.
Once inside, the attackers used a malware strain tracked as Miasma, a clone of TeamPCP's Mini Shai-Hulud toolkit. The clever part of this attack lies in how it abused the trust model of modern software engineering: it harvested the OpenID Connect tokens used for Supply-chain Levels for Software Artifacts (SLSA) provenance attestation. Because it held those tokens, standard security scanners saw the malicious updates as routine, trusted releases.
The indicators of compromise (IOCs) tell a different story. The malware generates a uniquely encrypted payload for every single infection, so traditional hash-based detection is useless: the file signature changes with every package version.
The specific tools targeted
These Microsoft packages hide a credential-stealing function that specifically targets developers who use modern AI workflows. The payload doesn't activate until the moment a developer opens the package inside one of a specific set of AI tools. The full list of affected AI agents:
- Claude Code
- Gemini CLI
- Cursor
- VS Code
What the malware steals
The Miasma worm isn't just scraping local secrets. It contains advanced data collectors specifically engineered for cloud environments, and it actively attempts to harvest credentials from multiple sources:
- Amazon Web Services (AWS)
- Microsoft Azure
- Google Cloud Platform (GCP)
- Kubernetes
- Password managers
- Over 90 developer tool configurations
The repeating pattern of compromise
Microsoft packages have been hit through this exact same vector before. In mid-May, the security firm StepSecurity documented a compromise of Microsoft's durabletask Python SDK on PyPI, a framework for building fault-tolerant workflows that receives 400,000 downloads per month. TeamPCP poisoned that package using the exact same GitHub account that was compromised last week.

Why did the same account get breached twice? No one knows. It's possible Microsoft failed to fully change the account credentials after the May incident, or a developer machine at Microsoft might have been running an unknown package that stole the new credentials. Microsoft has not provided details on the root cause.
Let me put it bluntly. If you touched any of the 73 blocked packages, you must assume your system is compromised. And that's not the end of it: the malware attempts to move laterally through cloud infrastructure to infect other developer machines and live cloud environments.
What you must do now
So what does this mean for your inbox and your cloud console? You can't rely on GitHub's initial response. When GitHub blocked the 73 packages, it failed to explicitly warn users that those packages were malicious, instead stating that it had disabled them "due to a violation of GitHub's terms of service" and inviting the package owner to get in touch. Microsoft later stated that it had temporarily removed some repositories while investigating potential malicious content.
As security firm Cloudsmith stated, "The genius of this Miasma worm lies in how it adhered to legitimate workflows. It does not exploit any software vulnerability in GitHub or npm. Instead, it exploits the underlying trust model of the modern engineering ecosystem."
Rotate all credentials immediately. If you or your team opened any of these packages in an AI agent, that includes AWS keys, Azure tokens, GCP service accounts, and password manager vaults. Don't wait for a scanner to tell you there's a problem. Follow-on attacks are highly likely if the harvested credentials remain active, so you can't afford to delay.
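A rotation checklist for the credential sources listed above and the advice to rotate them, as an added example (Python; not code from the article, GitHub, Microsoft or any vendor named here). It assumes the default on-disk locations and environment variable names for AWS, Azure, GCP and Kubernetes credentials, only checks whether they exist, and never reads their contents.

```python
"""Credential-rotation checklist for a developer machine that opened one of the
affected packages. Added example, not code from the article or any vendor."""
import os
from pathlib import Path

# Default on-disk stores for the credential sources the article lists.
# Assumption: default locations, not overridden by environment variables.
FILE_STORES = {
    "AWS": [".aws/credentials", ".aws/config"],
    "Azure": [".azure/accessTokens.json", ".azure/msal_token_cache.json"],
    "GCP": [".config/gcloud/application_default_credentials.json",
            ".config/gcloud/credentials.db"],
    "Kubernetes": [".kube/config"],
}
# Environment variables that carry secrets or point at secret files.
ENV_STORES = {
    "AWS": ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"],
    "Azure": ["AZURE_CLIENT_SECRET"],
    "GCP": ["GOOGLE_APPLICATION_CREDENTIALS"],
    "Kubernetes": ["KUBECONFIG"],
}


def rotation_checklist(present_files, present_env):
    """Pure classifier: given relative paths that exist and env var names that
    are set, return {provider: sorted items to rotate}. Providers with no
    evidence are omitted so the result is an actionable to-do list."""
    todo = {}
    files, env = set(present_files), set(present_env)
    for provider, paths in FILE_STORES.items():
        hits = [f"file {p}" for p in paths if p in files]
        hits += [f"env {v}" for v in ENV_STORES.get(provider, []) if v in env]
        if hits:
            todo[provider] = sorted(hits)
    return todo


def scan(home=None):
    """Inspect the local machine without reading any secret contents: only
    file existence and environment variable names are collected."""
    home = Path(home) if home else Path.home()
    present_files = [p for paths in FILE_STORES.values() for p in paths
                     if (home / p).exists()]
    present_env = [v for names in ENV_STORES.values() for v in names
                   if v in os.environ]
    return rotation_checklist(present_files, present_env)


if __name__ == "__main__":
    for provider, items in scan().items():
        print(f"[ROTATE] {provider}:")
        for item in items:
            print(f"    {item}")
```

Run it on each machine that opened one of the packages; every provider it prints needs its keys, tokens or service accounts revoked and reissued, not merely the files deleted.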
Frequently Asked Questions
What exactly happened with the Microsoft packages on GitHub?
A threat actor called TeamPCP compromised legitimate Microsoft publishing credentials to publish malicious updates to 73 cryptographically verified open-source packages. The packages contained a credential-stealing malware strain called Miasma that activates when a developer opens the package inside specific AI tools.
Why were traditional security scanners unable to detect the malicious updates?
The attackers harvested OpenID Connect tokens used in Supply-chain Levels for Software Artifacts (SLSA) provenance attestation, so standard security scanners saw the updates as routine, trusted releases. Additionally, the malware generates a uniquely encrypted payload for every infection, making traditional hash-based detection useless.
How did the attackers bypass security to compromise the Microsoft packages?
The attackers did not find a vulnerability in GitHub or npm; instead, they compromised legitimate Microsoft publishing credentials to bypass the standard build pipeline and publish malicious updates directly. This is the same vector used in a previous compromise of Microsoft's durabletask Python SDK on PyPI.
Which AI coding agents were specifically targeted by the malicious packages?
The full list of affected AI agents includes Claude Code, Gemini CLI, Cursor, and VS Code. The malware's payload does not activate until the moment a developer opens the package inside one of these specific AI tools.
What immediate action does the article recommend for developers who may have touched the affected packages?
The article states that if you touched any of the 73 blocked packages, you must assume your system is compromised and rotate all credentials immediately. This includes AWS keys, Azure tokens, GCP service accounts, and password manager vaults, without waiting for a scanner to confirm a problem.