For the 2nd time in weeks, Microsoft packages laced with credential stealer

2026-06-08 · Source: AI - Ars Technica · Field: Technology & Digital — Cybersecurity & Data Privacy, Software Development & Engineering, Artificial Intelligence & Machine Learning · Depth: Advanced, short

Summary

Dozens of cryptographically verified open-source packages from Microsoft were compromised late last week, marking the second such supply-chain attack in as many months. A total of 73 packages were flagged as malicious on GitHub, containing advanced credential-stealing code. This malware, tracked as Miasma and linked to TeamPCP, is a clone of the Mini Shai-Hulud toolkit. It executes a 28 KB payload designed to harvest credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations, then spreads laterally through cloud infrastructures. The attack exploits the modern engineering ecosystem's trust model by using compromised developer credentials to publish malicious builds with valid SLSA provenance, making them appear legitimate. Miasma generates uniquely encrypted payloads, rendering traditional hash-based detection ineffective. The credential-stealing function activates when packages are opened in AI coding agents like Claude Code, Gemini CLI, Cursor, and VS Code.

Key takeaway

For MLOps Engineers or Security Engineers managing software supply chains, if your team used any of the 73 compromised Microsoft packages, you must immediately assume system compromise. Thoroughly investigate all developer machines and CI/CD runners that interacted with these packages, especially if opened in AI coding agents like Cursor or Gemini CLI. Prioritize rotating all potentially exposed credentials, as the attack bypasses traditional detection and exploits trust, making remediation complex.

Key insights

Supply chain attacks exploit trust models, not vulnerabilities, using compromised credentials to publish cryptographically verified malicious packages.

Principles

• Trust models are primary attack vectors.
• Legitimate credentials bypass build pipelines.
• Unique payloads defeat hash-based detection.

Method

Attackers compromise developer credentials to request legitimate GitHub OIDC tokens, publish malicious builds with valid SLSA provenance, and trigger credential theft via AI coding agents.

In practice

• Assume compromise if using affected packages.
• Thoroughly investigate systems that touched packages.
• Re-evaluate credential management for publishing.

Topics

• Supply Chain Attacks
• Credential Theft
• Miasma Malware
• OIDC Tokens
• SLSA Provenance
• AI Coding Agents
• Cloud Security

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, Security Engineer, MLOps Engineer

Related on AIssential

• Microsoft’s open source tools were hacked to steal passwords of AI developers — Hackers are exploiting open source supply chains, even within major tech companies, to steal developer credentials.
• Fake Claude Code Installers Deliver Credential-Stealing Malware — Fake AI tool installers exploit unchecked trust to deploy sophisticated credential-stealing malware targeting developer assets.
• Valid certificates, stolen accounts: how attackers broke npm's last trust signal — Automated trust signals in developer tools are broken by credential theft and design flaws, enabling widespread supply chain attacks.
• Your Laptop Is the New Perimeter: The Real Lesson of the 2026 Supply-Chain Attacks — Supply-chain attacks now target developer environments and build systems, shifting the security perimeter from traditional datacenters.
• GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK — Chained supply chain and AI agent vulnerabilities are actively exploited, bypassing traditional security measures.
• Kaspersky suspects Chinese hackers planted a backdoor into Daemon Tools in ‘widespread’ attack — A widespread supply chain attack compromised Daemon Tools, enabling targeted malware delivery to thousands of Windows systems.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by AI - Ars Technica.