News · June 9, 2026 · 3 min read

73 Microsoft packages infected with credential stealer targeting AI agents

Microsoft's GitHub disabled 73 cryptographically verified open source packages after they were compromised to steal developer credentials. This is the second supply-chain attack on Microsoft repositories in weeks.

Our Take

Microsoft waited until Monday to disclose the breach, and GitHub's initial response buried the threat under a generic terms-of-service violation notice instead of flagging compromise.

Why it matters

AI agents now execute code directly from repositories without human review, making supply-chain poisoning a direct attack vector on developer infrastructure. Both incidents exploited stolen publishing credentials to bypass build pipelines entirely.

Do this week

Security teams: by end of week, audit your AI agent configurations so that no agent installs or opens a package from any repository, Microsoft's included, without a human approving it first. That gate is what stops a poisoned package from exfiltrating credentials silently.

73 Microsoft packages deployed the Miasma credential stealer

Late last week, 73 open source packages under Microsoft accounts were compromised so that credential-stealing payloads executed when AI coding agents opened them. GitHub's automated systems flagged the packages as malicious and blocked access on the platform. GitHub's initial disclosure buried the incident under a generic terms-of-service violation notice, encouraging package owners to contact support. Microsoft did not publicly acknowledge the breach until Monday, calling it a "potential malicious content" investigation.

The malware, tracked as Miasma, is a clone of the Mini Shai-Hulud toolkit open-sourced by threat actor TeamPCP. The payload steals credentials for AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations. It then spreads laterally through cloud infrastructure to infect other machines.

The attacker weaponized a legitimate Microsoft OIDC token to sign the compromised packages cryptographically. That token is the identity credential a build pipeline presents when it signs SLSA provenance attestations, a mechanism meant to prove where and how a package was built. With the token in hand, the attacker produced packages whose attestations verified cleanly, so downstream systems that checked only the signing identity saw them as trustworthy. That is the limit of provenance: a valid attestation proves which identity signed, not that the identity's credential was still in the right hands.
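To make that limit concrete, the following is an added example, not code from the article, from GitHub or Microsoft, or from any SLSA tooling. It performs the checks a provenance verifier normally runs (signature, subject digest, signer identity, builder id, source URI) on two constructed cases: a genuine release and a trojanized build whose attestation was authored by the attacker and signed with the release workflow's stolen credential. The identities, artifacts, commit and policy are assumptions; certificate-bound keyless signing is stood in for by a per-identity HMAC key so the block runs offline, while the DSSE pre-authentication encoding it signs over is the real one.

```python
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed identities and policy (assumptions, not values from the article).
RELEASE_WORKFLOW = ("https://github.com/example-org/example-sdk/"
                    ".github/workflows/release.yml@refs/heads/main")
BUILDER_ID = "https://github.com/example-org/example-sdk/.github/workflows/release.yml@refs/heads/main"
POLICY = {
    "signer_identity": RELEASE_WORKFLOW,
    "builder_id": BUILDER_ID,
    "source_uri": "git+https://github.com/example-org/example-sdk",
}
# Stand-in for the key bound to the workflow's OIDC identity. Real keyless
# signing binds a short-lived key to that identity through a certificate; a
# per-identity HMAC key is used here only so the block runs offline (assumption).
IDENTITY_KEYS = {RELEASE_WORKFLOW: b"\x01" * 32}


def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])


def make_statement(artifact, source_uri, commit):
    """SLSA v1 provenance statement for one artifact (shape follows the spec)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "package.tar.gz",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {"externalParameters": {
                "source": {"uri": source_uri, "digest": {"gitCommit": commit}}}},
            "runDetails": {"builder": {"id": BUILDER_ID}},
        },
    }


def sign_envelope(statement, identity):
    """Whoever holds the identity's credential can produce a valid envelope."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    sig = hmac.new(IDENTITY_KEYS[identity], pae(PAYLOAD_TYPE, payload), hashlib.sha256).hexdigest()
    return {"payloadType": PAYLOAD_TYPE, "payload": payload.decode(),
            "signatures": [{"keyid": identity, "sig": sig}]}


def verify_envelope(envelope):
    """Check the signature; return the identity it binds to and the statement."""
    identity = envelope["signatures"][0]["keyid"]
    key = IDENTITY_KEYS.get(identity)
    if key is None:
        raise ValueError("unknown signing identity")
    expected = hmac.new(key, pae(envelope["payloadType"], envelope["payload"].encode()),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["signatures"][0]["sig"]):
        raise ValueError("bad signature")
    return identity, json.loads(envelope["payload"])


def verify_provenance(envelope, artifact, policy, approved_digests):
    """Run the usual provenance checks plus one the attacker cannot satisfy."""
    identity, stmt = verify_envelope(envelope)
    digest = hashlib.sha256(artifact).hexdigest()
    pred = stmt["predicate"]
    return {
        "signature": True,
        "subject_matches_artifact": any(s["digest"].get("sha256") == digest for s in stmt["subject"]),
        "signer_identity": identity == policy["signer_identity"],
        "builder_id": pred["runDetails"]["builder"]["id"] == policy["builder_id"],
        "source_uri": pred["buildDefinition"]["externalParameters"]["source"]["uri"] == policy["source_uri"],
        # A stolen credential lets the attacker write every field above to match
        # policy. Only a list of digests a human reviewed and pinned in advance
        # separates the two cases.
        "digest_approved": digest in approved_digests,
    }


def demo():
    """Constructed artifacts: a real release and a trojanized build."""
    genuine = b"legitimate sdk release 1.4.2"
    trojan = b"sdk release 1.4.3 plus credential stealer"
    approved = {hashlib.sha256(genuine).hexdigest()}
    commit = "a" * 40  # constructed commit id
    env_ok = sign_envelope(make_statement(genuine, POLICY["source_uri"], commit), RELEASE_WORKFLOW)
    # The attacker authors provenance with every field set to what policy
    # expects, then signs it with the stolen release-workflow credential.
    env_stolen = sign_envelope(make_statement(trojan, POLICY["source_uri"], commit), RELEASE_WORKFLOW)
    return {"genuine": verify_provenance(env_ok, genuine, POLICY, approved),
            "stolen_token": verify_provenance(env_stolen, trojan, POLICY, approved)}
```

Both cases pass every attestation-level check; the only difference in the result is the digest pin. That is why the response guidance on this page leans on human approval and pinned versions rather than on stronger signature checking.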

This is the second breach of a Microsoft repository in as many months. In May, the durabletask Python SDK (400,000 downloads per month, per company reporting) was poisoned using the same technique. The May attack was also traced to TeamPCP and used the same credential-stealing playbook. Both attacks bypassed the repository's build pipeline by compromising the account credentials used to publish packages directly.

AI agents have become a direct attack surface for supply-chain poisoning

Traditional supply-chain attacks target build systems or package maintainers. These attacks target the code-execution environment itself. When an AI agent opens a compromised package without human review, the payload runs automatically. No maintainer approval. No code inspection. No build-time scanning. The agent treats the package as legitimate because it is cryptographically signed.

The attacker's choice to weaponize OIDC tokens is deliberate. These tokens are meant to authenticate build systems and CI/CD pipelines, and they are short-lived by design, so their value to an attacker lies in what they can be exchanged for while valid: a signing identity, a registry publishing session, or a cloud role. Stealing them allows the attacker to sign future malicious packages or access other protected infrastructure. The same attack pattern appeared in a separate compromise of Red Hat packages, suggesting this is an active technique in the threat actor's arsenal.

Microsoft's delayed disclosure and GitHub's initial misdirection created a window where developers using AI agents could have unknowingly pulled compromised code into production environments. The threat actor had already achieved lateral spread through cloud infrastructure before Microsoft confirmed the breach publicly.

Assume systems are compromised if they used these packages with AI agents

If your development environment or CI/CD pipeline used any of the 73 compromised packages with AI agents, treat your credentials and cloud access as exposed. Audit your AWS, Azure, GCP, Kubernetes, and password manager logs for suspicious activity dating back to when the packages were introduced: use from unfamiliar addresses or clients, credential-validation calls, and enumeration of secrets. Rotate every credential that was present on those hosts, not only the ones whose abuse you can prove. The stealer harvests configuration files, so a quiet log is not evidence that a key was left alone.
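One way to run that audit over AWS CloudTrail, as an added example rather than anything from the article or from any vendor: build a per-access-key baseline of source addresses and user agents from before the date the packages were introduced, then flag every later call that comes from a new address or client, or that is a typical first move for harvested keys (validating them, listing buckets, enumerating secrets). The records, account, keys, addresses and cutoff are all constructed; Azure sign-in logs and GCP audit logs have different field names but take the same baseline-and-deviation treatment.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail-style records (not real logs; the account, keys and
# addresses are documentation values). The developer key is used from its usual
# host before the cutoff and from an unfamiliar host afterwards; a second key
# appears for the first time after the cutoff.
SAMPLE_EVENTS = """\
{"eventTime":"2026-06-01T09:12:03Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.30","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE","arn":"arn:aws:iam::111122223333:user/dev-alice"}}
{"eventTime":"2026-06-02T11:30:41Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.30","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE","arn":"arn:aws:iam::111122223333:user/dev-alice"}}
{"eventTime":"2026-06-04T17:41:55Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.77","userAgent":"python-requests/2.31.0","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE","arn":"arn:aws:iam::111122223333:user/dev-alice"}}
{"eventTime":"2026-06-04T17:42:10Z","eventSource":"secretsmanager.amazonaws.com","eventName":"ListSecrets","sourceIPAddress":"198.51.100.77","userAgent":"python-requests/2.31.0","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE","arn":"arn:aws:iam::111122223333:user/dev-alice"}}
{"eventTime":"2026-06-05T10:02:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.30","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE","arn":"arn:aws:iam::111122223333:user/dev-alice"}}
{"eventTime":"2026-06-05T10:05:12Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"203.0.113.44","userAgent":"aws-cli/2.15.30","userIdentity":{"accessKeyId":"AKIACIEXAMPLEKEY00002","arn":"arn:aws:iam::111122223333:user/ci-deploy"}}
"""

# When the suspect packages first reached the environment (assumption).
CUTOFF = datetime(2026, 6, 3, tzinfo=timezone.utc)

# Calls that harvested keys typically make first: validate, then enumerate.
HIGH_RISK = {
    ("sts.amazonaws.com", "GetCallerIdentity"),
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "CreateUser"),
    ("secretsmanager.amazonaws.com", "ListSecrets"),
    ("secretsmanager.amazonaws.com", "GetSecretValue"),
    ("s3.amazonaws.com", "ListBuckets"),
}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(events_text, cutoff):
    """Return findings for post-cutoff calls that deviate from each key's baseline."""
    events = [json.loads(line) for line in events_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["eventTime"])
    baseline = {}  # accessKeyId -> addresses and clients seen before the cutoff
    for e in events:
        if parse_time(e["eventTime"]) < cutoff:
            b = baseline.setdefault(e["userIdentity"]["accessKeyId"], {"ips": set(), "agents": set()})
            b["ips"].add(e["sourceIPAddress"])
            b["agents"].add(e["userAgent"])
    findings = []
    for e in events:
        if parse_time(e["eventTime"]) < cutoff:
            continue
        key = e["userIdentity"]["accessKeyId"]
        reasons = []
        b = baseline.get(key)
        if b is None:
            reasons.append("key has no activity before cutoff")
        else:
            if e["sourceIPAddress"] not in b["ips"]:
                reasons.append("new source IP")
            if e["userAgent"] not in b["agents"]:
                reasons.append("new user agent")
        if (e["eventSource"], e["eventName"]) in HIGH_RISK:
            reasons.append("credential validation or enumeration call")
        if reasons:
            findings.append({
                "time": e["eventTime"], "key": key, "principal": e["userIdentity"]["arn"],
                "ip": e["sourceIPAddress"],
                "call": e["eventSource"].split(".")[0] + ":" + e["eventName"],
                "reasons": reasons,
            })
    return findings


def keys_with_confirmed_abuse(findings):
    """Keys that must be rotated first; every other key on the host follows."""
    return sorted({f["key"] for f in findings})
```

The ordinary PutObject from the usual host produces no finding, which is the point of baselining: the output is the short list of calls an analyst should read, not the whole trail. Treat the returned keys as the rotation order, not the rotation scope.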

Immediately add a policy requiring human approval before AI agents open packages from any repository. Do not rely on signature verification or repository reputation alone; the attacker has proven that cryptographic signing can be co-opted by stealing legitimate publishing credentials. Pin the exact versions a human has reviewed, and treat anything outside that list, including unpinned installs, requirements files and alternate registries, as needing approval.
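A gate that enforces that policy in front of an agent's shell tool, as an added example not taken from the article or from any agent product: it parses pip and npm install commands, normalizes package names, and lets through only exact pins that appear on a human-reviewed allowlist. Anything that redirects the package source, installs from a manifest the gate has not seen, or fetches and executes in one step is sent back for approval. The allowlist and the command forms it recognizes are assumptions for the example.

```python
import re
import shlex

# Constructed allowlist of human-reviewed exact pins (an assumption, not a real policy).
APPROVED = {
    "pip": {"requests": "2.32.3", "azure-identity": "1.17.1"},
    "npm": {"left-pad": "1.3.0", "@example/sdk": "4.2.0"},
}
# Options that redirect the package source or pull in lists nobody reviewed.
ESCAPES = {
    "pip": {"-r", "--requirement", "-i", "--index-url", "--extra-index-url",
            "-f", "--find-links", "--pre", "-e", "--editable", "--no-index"},
    "npm": {"--registry", "-g", "--global"},
}
PIP_SPEC = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?(?:==([^,;\s]+))?$")
NPM_SPEC = re.compile(r"^((?:@[^/@]+/)?[^@/]+)(?:@(.+))?$")


def normalize_pip(name):
    """PEP 503 normalization so `Azure_Identity` and `azure-identity` compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_install(cmd):
    """Classify a command. Returns (ecosystem, specs, escape_opts) or None if not an install."""
    argv = shlex.split(cmd)
    if not argv:
        return None
    if argv[0] in ("npx", "pipx", "uvx"):
        return ("exec", [], {argv[0]})  # fetch-and-run: nothing to pin
    if argv[0].startswith("python"):
        if argv[1:3] != ["-m", "pip"]:
            return None
        argv = ["pip"] + argv[3:]
    if argv[0] in ("pip", "pip3") and argv[1:2] == ["install"]:
        eco = "pip"
    elif argv[0] in ("npm", "pnpm", "yarn") and argv[1:2] in (["install"], ["i"], ["add"]):
        eco = "npm"
    else:
        return None
    specs, escapes = [], set()
    for tok in argv[2:]:
        if tok.startswith("-"):
            opt = tok.split("=", 1)[0]
            if opt in ESCAPES[eco]:
                escapes.add(opt)
        else:
            # Arguments of unrecognized options land here too; they then fail
            # the pin check, which errs toward asking a human.
            specs.append(tok)
    return eco, specs, escapes


def gate(cmd):
    """Decide whether an agent may run `cmd` without a human in the loop."""
    parsed = parse_install(cmd)
    if parsed is None:
        return {"decision": "not_an_install"}
    eco, specs, escapes = parsed
    if escapes:
        return {"decision": "needs_approval",
                "reason": "bypasses review: " + ", ".join(sorted(escapes))}
    if not specs:
        # Bare `npm install` or `pip install .` resolves from a manifest this gate never saw.
        return {"decision": "needs_approval", "reason": "installs from an unreviewed manifest"}
    unapproved = []
    for spec in specs:
        m = (PIP_SPEC if eco == "pip" else NPM_SPEC).match(spec)
        if m is None:
            unapproved.append(spec)
            continue
        name = normalize_pip(m.group(1)) if eco == "pip" else m.group(1)
        version = m.group(3) if eco == "pip" else m.group(2)
        if version is None or APPROVED[eco].get(name) != version:
            unapproved.append(spec)
    if unapproved:
        return {"decision": "needs_approval", "reason": "not on the reviewed pin list",
                "packages": unapproved}
    return {"decision": "allow", "packages": specs}
```

Wire `gate()` in wherever the agent hands a command to a shell, and log every `needs_approval` result with the full command so the reviewer sees the index URL or the range specifier, not just the package name. The gate deliberately accepts only `==` and `name@version` pins; a caret range or a bare name is exactly the loophole a freshly poisoned release slips through.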

If you publish packages to public repositories, secure your publishing credentials with hardware keys and rotate them immediately. Stolen credentials are the direct attack vector in both the May and current incidents, and generic password protection is insufficient. If you publish through OIDC-based trusted publishing, there is no long-lived secret to put on a hardware key; instead, restrict which workflows and environments may mint the token, and require a reviewer before those environments run.

Tags: Open Source, Developer Tools, AI Ethics, Enterprise AI