Tools & Platforms · AI - Ars Technica · June 8, 2026

For the 2nd time in weeks, Microsoft packages laced with credential stealer


Author: Morein.ai Editorial

For the second time in weeks, open-source packages published by Microsoft have been compromised with advanced credential-stealing code. The malicious code was activated when developers opened the packages in AI coding agents, and 73 packages were flagged as malicious by GitHub's automated systems. Unfortunately, GitHub initially reported these as "terms of service violations" rather than as security breaches. Some 400,000 developers use Microsoft's durabletask Python SDK each month and have been affected.

The compromised packages executed a 28 KB payload that steals credentials for AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations. It then spreads laterally through cloud infrastructure to infect other developer machines. The Miasma worm, a clone of TeamPCP's Mini Shai-Hulud toolkit, is responsible for these attacks, harvesting OIDC token credentials and bypassing traditional security measures.

The Miasma worm blends into legitimate workflows, exploiting the trust model of modern engineering ecosystems rather than software vulnerabilities. It generates a uniquely encrypted payload for each infection, so traditional hash-based detection is useless against it. The malware thus acts as an authenticated publisher, making it extremely difficult to detect.

Unlike previous versions that focused on local secret scraping, the Miasma worm now targets cloud identities in GCP and Azure. It actively harvests every cloud identity accessible to infected developer machines and CI/CD runners, indicating a clear intent to leverage access directly into live cloud environments.

The credential-stealing function in the Miasma worm was triggered as soon as a developer opened the infected packages in AI agents such as Claude Code, Gemini CLI, Cursor, and VS Code. The repeated compromise of the same Microsoft GitHub account suggests that credentials were not fully rotated or that a vulnerability persists. Given how hard these breaches are to detect and remediate, any developer who used the compromised packages should investigate their systems thoroughly.
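The article makes two points a responder has to act on together: hash indicators are unreliable because each infection carries a differently encrypted payload, and anyone who used the affected packages should check their systems. The script below is an added example, not code from the article, from Ars Technica, or from Microsoft. It performs the exposure triage a defender would run on a workstation or CI runner: it reports whether the `durabletask` package named in the article is present (the malicious version range is not given, so it reports presence and version only and makes no good/bad judgement), and it inventories credential files for the systems the article says the stealer targets, so that every reachable secret can be rotated. The file locations are the conventional per-user defaults for those tools and are an assumption of this example, not something the article states.

```python
"""Post-incident exposure triage for a developer workstation or CI runner.

Added example, not code from the article or from Microsoft. Assumptions:
  - the affected SDK is distributed as the Python package "durabletask"
    (named in the article); no version range is given, so only presence
    and version are reported;
  - credential files sit in the conventional per-user locations below
    (standard tooling defaults, not stated by the article).
Because the worm re-encrypts its payload per infection, hash IoCs are not
dependable; the useful question is which secrets on this host were reachable.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from importlib import metadata
from pathlib import Path

# Conventional credential locations relative to the user's home directory,
# grouped by the systems the article says the stealer targets. Assumed
# defaults; adjust if your tooling is configured differently.
CREDENTIAL_PATHS: dict[str, list[str]] = {
    "AWS": [".aws/credentials", ".aws/config"],
    "Azure": [".azure/msal_token_cache.json", ".azure/accessTokens.json"],
    "GCP": [
        ".config/gcloud/application_default_credentials.json",
        ".config/gcloud/credentials.db",
    ],
    "Kubernetes": [".kube/config"],
    "Git / package registries": [".git-credentials", ".npmrc", ".pypirc"],
}


@dataclass(frozen=True)
class Exposure:
    """One credential file a process running as this user could have read."""
    system: str
    path: Path
    modified_utc: str


def installed_version(package: str = "durabletask") -> str | None:
    """Return the installed version of *package*, or None if it is absent."""
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None


def find_exposed_credentials(home: Path, catalogue=CREDENTIAL_PATHS) -> list[Exposure]:
    """List credential files under *home*. Every hit is a secret to rotate."""
    found: list[Exposure] = []
    for system, rel_paths in catalogue.items():
        for rel in rel_paths:
            p = home / rel
            if p.is_file():
                mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
                found.append(Exposure(system, p, mtime.isoformat(timespec="seconds")))
    return found


def triage_report(home: Path | None = None, package: str = "durabletask") -> dict:
    """Combine package presence with credential exposure into one summary."""
    home = home or Path.home()
    version = installed_version(package)
    exposures = find_exposed_credentials(home)
    return {
        "package": package,
        "installed_version": version,
        "exposed": exposures,
        # Package present on a host that also holds reachable secrets:
        # treat those secrets as compromised and rotate them.
        "rotate_recommended": version is not None and len(exposures) > 0,
    }


if __name__ == "__main__":
    report = triage_report()
    print(f"{report['package']}: {report['installed_version'] or 'not installed'}")
    for e in report["exposed"]:
        print(f"  [{e.system}] {e.path} (modified {e.modified_utc})")
    if report["rotate_recommended"]:
        print("Package present and secrets reachable: rotate the listed credentials.")
```

Run it as the user whose environment installed the packages; on a CI runner, point `triage_report(home=...)` at the runner's home directory. The output is a rotation checklist, not a verdict: absence of the package does not prove the host was never exposed, and a matching hash list would not help here for the reason the article gives.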

These ongoing attacks highlight significant vulnerabilities in software supply chains and the challenges of securing modern development environments. The sophisticated nature of the Miasma worm, combined with its ability to mimic legitimate activity, poses a serious threat to developers and cloud infrastructures alike.
