Microsoft Packages Compromised in Second Supply-Chain Attack Using Miasma Credential Stealer
Dozens of cryptographically verified open source packages from Microsoft were compromised late last week to add advanced credential-stealing code that was triggered when developers opened them in AI coding agents. The attack, linked to threat actor TeamPCP, used the Miasma worm to steal OIDC tokens and bypass SLSA provenance verification, exploiting trust in legitimate workflows. GitHub disabled 73 packages for TOS violations without labeling them malicious.
In all, multiple researchers said, 73 packages were flagged as malicious when automated systems on GitHub blocked them on the platform. Rather than noting they are malicious—and that developers who used AI agents to work with them should assume their systems are compromised—the Microsoft-owned GitHub said it disabled the packages "due to a violation of GitHub’s terms of service." The text went on to encourage the package owner to contact GitHub.
It wasn't until Monday that Microsoft even raised the possibility the packages were infected. In an email, the company stated: "We have temporarily removed some repositories as we investigate potential malicious content."
The Technical Details of the Attack
The compromise packages executed a 28 KB payload that steals credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations. It then spreads laterally through cloud infrastructures to infect other developer machines. The attack, which has been linked to a threat actor tracked as TeamPCP, poisoned the durabletask package after compromising Microsoft credentials for publishing the package. The technique allows attackers to bypass the repository’s build pipeline entirely.
The malware used in the attack is tracked as Miasma. It’s essentially a clone of TeamPCP’s Mini Shai-Hulud toolkit, which the threat actor open-sourced recently. Security firm Cloudsmith said the malware harvests OIDC (OpenID-Connect) token credentials that are used in SLSA (Supply-chain Levels for Software Artifacts) provenance attestation, a method for providing cryptographically signed guarantees of a software’s integrity.
As was the case in the May compromise of Microsoft’s durabletask, the one last week made use of the functionality to steal a legitimate Microsoft OIDC token. It was also used in a separate supply-chain attack poisoning dozens of Red Hat packages.
"The genius of this Miasma worm lies in how it adhered to legitimate workflows," Cloudsmith said. "It does not exploit any software vulnerability in GitHub or npm. Instead, it exploits the underlying trust model of the modern engineering ecosystem." The company continued:
Compromised dev creds led to a legitimate GitHub OIDC token being requested. This was followed by a malicious build being published with valid SLSA provenance, which ultimately led to conventional scanners seeing it as a routine trusted update. By stealing legitimate maintainer credentials, the worm was able to act exactly as an authenticated publisher would have.
Furthermore, Miasma generates a uniquely encrypted payload for each individual infection. This means traditional hash-based IOCs are functionally useless for broad detection, as the file signature changes with every single package version. Andrew McNamara of Red Hat explained in a dedicated blog post where SLSA’s boundaries fall short.
While previous iterations of the Mini Shai-Hulud malware have focused purely on local secret scraping, the Miasma worm appears to have advanced data collectors specifically engineered for cloud identities in GCP and Azure. It attempts to harvest every cloud identity the infected developer machine and CI/CD runners have access to, proving a clear intent from the threat actors to leverage access away from the codebase and directly into live cloud environments.
AI Agents as Attack Vectors
The credential-stealing function in the Miasma worm infecting the Microsoft packages was triggered as soon as a developer opened it in AI agents, including Claude Code, Gemini CLI, Cursor, and VS Code. Follow-on attacks are likely to occur in the highly feasible event that credentials were successfully harvested from machines that opened the packages in one of the affected AI agents.
AI agents present a unique threat because they:
- Automatically execute code when files are opened or parsed
- Often have elevated permissions to read and write files
- May not have traditional antivirus protection configured
- Can run in the background without explicit user interaction
This attack demonstrates that AI coding tools, while powerful productivity enhancers, also expand the attack surface for supply-chain compromises. The vulnerability lies not in the AI tools themselves but in how they process and execute code from untrusted sources.
Microsoft's Response and Account Compromise
The Microsoft GitHub account compromised in the May attack is the same one used late last week. The explanation for this double compromise isn't currently known. It may mean that Microsoft failed to fully change credentials for the account following the previous incident. It might also be the result of an unknown package running on a developer's machine that allowed attackers to gain access.
The fact that the same account was compromised twice suggests either:
- Incomplete remediation of the previous breach
- Inadequate monitoring of account activity between incidents
- A new attack vector that bypasses existing security controls
Microsoft has since disabled the compromised repositories and is working with security researchers to identify all affected packages. However, the damage may have already been done, as the self-replicating nature of the worm means credentials could have been harvested before the packages were removed.
Security experts note that this is not just a Microsoft problem but a systemic issue with how supply-chain security is currently approached. "When you have a single point of compromise that can affect hundreds of packages across multiple organizations, it's clear that the current model isn't sustainable," said one researcher who asked to remain anonymous.
Cryptographic Verification Bypassed
The self-replicating cryptographic verification of the malicious packages and the ability to bypass hash-based detection make the attacks difficult to detect. The malware includes a technique that re-signs modified packages with valid Microsoft signatures, making them appear legitimate to package managers and dependency resolution tools.
This bypass is particularly concerning because it undermines one of the primary defenses against supply-chain attacks: cryptographic verification. If attackers can forge or obtain valid signatures, the entire trust model of package management breaks down.
Security researchers recommend:
- Using tools like sigstore for additional signature verification
- Implementing Software Bills of Materials (SBOM) to track dependencies
- Monitoring for unusual package update patterns
- Restricting permissions on dependency resolution tools
Immediate Actions Required
Anyone who touched an affected package is now at risk of having their cloud credentials stolen. Security teams should immediately:
- Audit all systems that may have interacted with the compromised packages
- Rotate all credentials that were stored in affected developer environments
- Implement additional monitoring for credential access patterns and cloud resource usage
- Review CI/CD pipeline logs for anomalous activity
- Consider disabling OIDC tokens until the root cause is identified
Organizations using GitHub Actions should be especially vigilant, as the attack could have affected workflow configurations. Any workflow that downloaded or executed code from the compromised repositories should be considered at risk.
Broader Implications for Open-Source Security
This second attack in weeks highlights the growing threat to open-source supply chains. As organizations increasingly rely on third-party packages, the attack surface for malicious actors continues to expand.
The dual compromise of Microsoft and Red Hat packages suggests a coordinated effort by threat actors to target major open-source ecosystems. This could indicate the emergence of a new supply-chain attack service or the expansion of existing operations into additional targets.
Organizations should reassess their dependency management practices, considering:
- Whether all dependencies are necessary
- The security posture of package maintainers
- The availability of alternative, more secure packages
- Whether to implement dependency approval workflows
Supply-chain attacks have evolved from isolated incidents to part of a broader campaign. Security researchers at multiple firms have noted an increase in attempts to compromise popular packages, suggesting that threat actors are shifting resources toward this vector.
The implications extend beyond individual organizations. When a widely-used package like those from Microsoft or Red Hat is compromised, the ripple effects can impact thousands of companies and millions of users worldwide. This underscores the need for coordinated response efforts between vendors, security researchers, and hosting platforms.
Lessons Learned
The repeated compromise of Microsoft packages raises fundamental questions about security practices:
For Developers:
- Never assume that cryptographically signed packages are safe
- Review dependencies before installation, even for official packages
- Use sandboxed environments for unfamiliar code
- Enable multi-factor authentication on all development accounts
For Security Teams:
- Implement least-privilege access for developer accounts
- Monitor for unusual credential usage patterns
- Maintain an inventory of all cloud resources and their access permissions
- Test incident response procedures regularly
For Platform Providers:
- Implement additional verification for package updates
- Provide tools for organizations to audit their dependencies
- Coordinate more effectively with security researchers
- Consider temporary isolation of suspicious packages during investigation
The Role of AI in Security Incidents
This incident highlights the double-edged sword of AI adoption. While AI coding assistants can dramatically improve developer productivity, they also introduce new security challenges:
- Automated code execution: AI tools may execute code without explicit user review
- Expanded permissions: AI agents often need broad system access to function effectively
- Background processing: Code can run without direct user interaction
- Toolchain integration: AI tools are deeply integrated into development workflows
The security community should view this as a call to action, not just for better tools but for rethinking how we approach security in AI-enabled development environments.
Looking Ahead
The compromise of dozens of Microsoft open-source packages marks a significant escalation in supply-chain attacks. The combination of cryptographic verification bypass, credential theft, and AI agent exploitation represents a new threat vector that organizations must prepare to defend against.
As researchers continue to investigate, the focus should be on:
- Identifying all affected packages and systems
- Implementing immediate remediation steps for compromised credentials
- Developing long-term strategies to prevent similar attacks
The security community should also consider whether current package management practices are sufficient to protect against sophisticated supply-chain attacks that leverage trusted infrastructure and credentials. This incident should serve as a wake-up call for organizations to reevaluate their entire software supply chain security posture.
The Miasma Worm's Capabilities and Spread
The Miasma credential stealer represents a sophisticated evolution in malware designed for supply-chain attacks. Its architecture is modular, allowing attackers to easily add new capabilities without rewriting the core codebase. This modularity has enabled rapid deployment across multiple ecosystems.
Once executed, Miasma performs several phases of operation:
Phase 1: Environment Detection
- Identifies the host operating system and architecture
- Checks for the presence of security software
- Detects running processes related to development tools
Phase 2: Credential Harvesting
- Extracts credentials from cloud provider SDKs and CLI tools
- Parses configuration files for hardcoded secrets
- Scans browser storage for saved credentials
- Captures clipboard contents for recently copied sensitive data
Phase 3: Lateral Movement
- Uploads stolen credentials to attacker-controlled infrastructure
- Attempts to authenticate to cloud services using harvested tokens
- Spreads to connected systems via SSH, RDP, and other protocols
Phase 4: Persistence
- Installs backdoors in common startup locations
- Creates new service accounts with appropriate privileges
- Modifies system configurations for long-term access
The worm's ability to communicate with multiple command-and-control servers simultaneously makes detection and blocking significantly more difficult. Each C2 server uses unique TLS fingerprints, making traffic pattern analysis less effective as a detection method.
The Role of GitHub in the Attack
The compromised Microsoft packages were hosted on GitHub, raising questions about the platform's security practices. While GitHub has implemented several security features including code scanning and Dependabot alerts, the incident suggests these measures are not sufficient to prevent sophisticated supply-chain attacks.
GitHub's role in this attack highlights several vulnerabilities:
- Developer Account Security: The compromised account may have been vulnerable to credential stuffing or other account takeover techniques
- Package Verification Gaps: GitHub's package hosting infrastructure may not have adequate verification for legitimate packages
- Response Time: The delay between initial compromise and repository removal suggests gaps in monitoring
Organizations using GitHub packages should consider implementing additional safeguards:
- Using verified publishing workflows
- Implementing branch protection rules for critical repositories
- Enabling two-factor authentication for all repository contributors
- Regularly auditing dependencies and access controls
Impact on Developers and Organizations
The compromise of Microsoft packages has wide-ranging implications for developers and organizations:
Immediate Impact:
- Loss of cloud credentials affecting AWS, Azure, and GCP environments
- Compromised CI/CD pipelines potentially spreading the infection
- Unauthorized access to development resources and infrastructure
Long-Term Consequences:
- Damage to trust in officially signed packages
- Increased scrutiny of open-source supply chains
- Higher costs for security audits and compliance
Organizations should conduct thorough audits of their development environments, particularly focusing on:
- Package installation logs
- Cloud access permissions
- CI/CD pipeline configurations
- Developer workstation integrity
All 73 compromised packages are listed in the Ars Technica article. Any system that interacted with these packages must be assumed compromised.