Microsoft Packages Containing Credential Stealers Detected Again in Just Weeks

Late last week, Microsoft faced a significant cybersecurity breach involving the compromise of numerous cryptographically verified open-source packages. These packages were manipulated to include sophisticated credential-stealing code, which activated when developers interacted with them via AI coding agents.

Researchers identified at least 73 packages that had been deemed malicious after automated systems on GitHub flagged them. Rather than acknowledging the potential threats to developers utilizing AI tools, GitHub, which is owned by Microsoft, attributed the package suspensions to violations of its terms of service and suggested that package owners reach out for further clarification.

Developers Advised to Assume Compromise

It was not until the following Monday that Microsoft acknowledged the likelihood of compromised packages. In a communication, the company stated it had temporarily removed certain repositories while investigating potential malicious content.

This incident marks the second supply-chain attack on an official Microsoft repository within a two-month period. In mid-May, a breach was documented concerning Microsoft’s durabletask Python SDK available on the PyPI platform. This SDK, crafted for building fault-tolerant workflows and orchestrating distributed transactions, enjoys approximately 400,000 downloads monthly.

The compromised packages executed a 28 KB payload designed to extract credentials from various cloud service providers, including AWS, Azure, and GCP, as well as from password managers and over 90 developer tool configurations. The payload also facilitates lateral movement through cloud infrastructures to further infect developer machines. This sophisticated attack has been associated with the threat actor known as TeamPCP, which allegedly exploited Microsoft credentials to publish the modified durabletask package, thereby circumventing traditional repository security measures.

The malware employed in this breach is identified as Miasma, a derivative of TeamPCP’s recently open-sourced Mini Shai-Hulud toolkit. According to reports, Miasma is designed to harvest OpenID Connect (OIDC) token credentials. These tokens are integral to Supply-chain Levels for Software Artifacts (SLSA) provenance attestation, which provides cryptographically verifiable assurances of software integrity.

Similar to the earlier breach involving the durabletask package, last week’s incident also capitalized on the capability to exfiltrate legitimate Microsoft OIDC tokens. This methodology has previously been documented in a separate supply-chain attack that affected numerous Red Hat packages.

Mapped to the MITRE ATT&CK framework, several adversary techniques could have been used in this attack. Initial access could have been gained through exploitation of trust in package maintenance. Persistence may have been achieved through backdoor installation within the compromised packages, while privilege escalation might involve the misuse of legitimate credentials to further access sensitive systems. Such breaches underscore the growing need for vigilance in the open-source software ecosystem, especially as developers increasingly rely on AI coding agents.
