By Xavier Rivera · 3 min read

Microsoft packages laced with credential stealer for second time

Dozens of Microsoft open source packages were compromised with a credential-stealing payload that activates in AI coding agents, marking the second such supply-chain attack in weeks. The incident highlights weaknesses in the trust model of modern development workflows that rely on cryptographically signed provenance.

Dozens of cryptographically verified open source packages from Microsoft were compromised late last week to add advanced credential-stealing code that was triggered when developers opened them in AI coding agents.

73 malicious packages surfaced on GitHub. Multiple researchers said 73 packages were flagged as malicious when automated systems on GitHub blocked them on the platform. Rather than noting they are malicious and that developers who used AI agents to work with them should assume their systems are compromised, the Microsoft-owned GitHub said it disabled the packages due to a violation of GitHub’s terms of service. The text went on to encourage the package owner to contact GitHub.

Devs were told to assume compromise and proceed accordingly. It wasn’t until Monday that Microsoft even raised the possibility the packages were infected. In an email, the company stated: “We have temporarily removed some repositories as we investigate potential malicious content.”

This marks the second supply-chain attack on a Microsoft repository in as many months. In mid May, the firm StepSecurity documented the compromise of Microsoft’s durabletask Python SDK on PyPI. The package is a framework for building fault-tolerant workflows and orchestrations to automate distributed transactions and other workflows. It receives 400,000 downloads per month.

The compromised packages executed a 28 KB payload that steals credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations. It then spreads laterally through cloud infrastructures to infect other developer machines. The attack has been linked to a threat actor tracked as TeamPCP. The durabletask package was poisoned after attackers compromised the Microsoft credentials used to publish it. The technique allows attackers to bypass the repository’s build pipeline entirely.

The malware is tracked as Miasma and clones an open-sourced toolkit. It’s essentially a clone of TeamPCP’s Mini Shai-Hulud toolkit, which the threat actor open-sourced recently. Security firm Cloudsmith said the malware harvests OIDC (OpenID-Connect) token credentials that are used in SLSA (Supply-chain Levels for Software Artifacts) provenance attestation, a method for providing cryptographically signed guarantees of a software’s integrity.

As was the case in the May compromise of Microsoft’s durabletask, the one last week made use of the functionality to steal a legitimate Microsoft OIDC token. It was also used in a separate supply-chain attack poisoning dozens of Red Hat packages. “The genius of this Miasma worm lies in how it adhered to legitimate workflows,” Cloudsmith said. “It does not exploit any software vulnerability in GitHub or npm. Instead, it exploits the underlying trust model of the modern engineering ecosystem.”

Compromised dev creds led to a legitimate GitHub OIDC token being requested. This was followed by a malicious build being published with valid SLSA provenance, which ultimately led to conventional scanners seeing it as a routine trusted update. By stealing legitimate maintainer credentials, the worm was able to act exactly as an authenticated publisher would have. Furthermore, Miasma generates a uniquely encrypted payload for each individual infection. This means traditional hash-based IOCs are functionally useless for broad detection, as the file signature changes with every single package version.
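
Because a valid signature only shows that an identity holding a legitimate OIDC token produced the attestation, a consumer can additionally pin what the provenance claims about the build. The following is an added example, not code from the article, Cloudsmith or Red Hat; it assumes the SLSA v1 statement has already been signature-verified, and the policy values, repository URL and function names are constructed placeholders.

```python
import hashlib

# Constructed consumer-side policy: every value is a placeholder, not taken from the article.
POLICY = {
    "repository": "https://github.com/example-org/example-pkg",
    "workflow_path": ".github/workflows/release.yml",
    "ref_prefix": "refs/tags/v",
    "builder_prefix": "https://github.com/actions/runner",
}

def check_provenance(statement, artifact, policy=POLICY):
    """List policy violations in an in-toto statement whose signature was already verified."""
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        return ["not SLSA v1 provenance"]
    problems = []
    # The attestation must cover the exact bytes being installed.
    digest = hashlib.sha256(artifact).hexdigest()
    if digest not in {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}:
        problems.append("artifact digest is not an attested subject")
    pred = statement.get("predicate", {})
    wf = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != policy["repository"]:
        problems.append(f"unexpected source repository: {wf.get('repository')}")
    if wf.get("path") != policy["workflow_path"]:
        problems.append(f"unexpected workflow file: {wf.get('path')}")
    if not str(wf.get("ref", "")).startswith(policy["ref_prefix"]):
        problems.append(f"unexpected git ref: {wf.get('ref')}")
    builder = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder.startswith(policy["builder_prefix"]):
        problems.append(f"unexpected builder: {builder}")
    return problems

def sample_statement(artifact, ref, path):
    """Constructed statement laid out like the GitHub Actions workflow build type."""
    workflow = {"repository": POLICY["repository"], "path": path, "ref": ref}
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "predicateType": "https://slsa.dev/provenance/v1",
        "subject": [{"name": "example-pkg.tgz",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicate": {
            "buildDefinition": {
                "buildType": "https://actions.github.io/buildtypes/workflow/v1",
                "externalParameters": {"workflow": workflow},
            },
            "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
        },
    }
```

A build that runs the expected workflow from an expected ref using stolen maintainer credentials still passes these checks, so they narrow what a valid attestation can vouch for rather than replace credential hygiene.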

Andrew McNamara of Red Hat explained in a dedicated blog post where SLSA’s boundaries fall short. While previous iterations of the Mini Shai-Hulud malware have focused purely on local secret scraping, the Miasma worm appears to have advanced data collectors specifically engineered for cloud identities in GCP and Azure. It attempts to harvest every cloud identity the infected developer machine and CI/CD can access.

EXPERT TAKE

The repeated compromise of Microsoft maintainer credentials shows that even cryptographically verified supply chains remain vulnerable when identity hygiene fails.
