For the second time in weeks, a Microsoft package with a history of theft
Many cryptographically verified open source packages from Microsoft were compromised late last week with malicious code that was introduced when developers used the packages in AI coding agents.

In all, researchers said 73 packages were flagged as malicious when GitHub, the Microsoft-owned development platform, banned them. Instead of acknowledging that the packages were malicious, and that developers who had used them should assume their systems were at risk, Microsoft’s GitHub said it blocked the packages “due to a violation of GitHub’s policies.” The message went on to encourage the package owner to contact GitHub.

Devs: Assume compromise and move on

It wasn’t until Monday that Microsoft indicated that the packages may have been compromised. In an email, the company said: “We have temporarily removed some databases while we investigate what may have happened.”

This incident is the second attack in a few months to compromise an official Microsoft account. In mid-May, the security company StepSecurity documented the compromise of Microsoft’s durabletask Python SDK on PyPI. The package is a framework for building fault-tolerant workflows and orchestrators that coordinate data shared with other workflows. It receives 400,000 downloads per month.

The compromised packages delivered a 28 KB payload that steals credentials and other secrets from AWS, Azure, GCP, Kubernetes, password managers, and more than 90 other tools. It also spreads through cloud infrastructure to infect other production systems. The attack, which has been linked to a threat actor tracked as TeamPCP, tampered with the durabletask package after obtaining the Microsoft credentials used to publish it. Stealing the publishing credentials let the attackers bypass the package’s entire build and release pipeline.

The malware used in the attack is tracked as Miasma. It is similar to TeamPCP’s Mini Shai-Hulud kit, which the group recently released. The security company Cloudsmith said the malware harvests OIDC (OpenID Connect) tokens used to produce SLSA (Supply-chain Levels for Software Artifacts) provenance attestations, a way to provide cryptographically signed guarantees of software integrity.

As in the May compromise of Microsoft’s durabletask, last week’s attack used the kit to steal Microsoft’s official OIDC token. The same kit was also used to poison the supply chain of many Red Hat packages.
