Microsoft Open Source Packages Compromised in Miasma Supply Chain Attack
What happened in the Microsoft supply-chain attack?
Dozens of Microsoft-owned open source packages were compromised last week, embedding credential-stealing code that activated when developers used AI coding agents. According to StepSecurity and OpenSourceMalware, 73 repositories were flagged as malicious and disabled by GitHub, though the platform cited a “terms of service violation” rather than explicitly labeling them as malicious. Microsoft later acknowledged the incident, stating it had temporarily removed repositories “as we investigate potential malicious content.”
The attack leveraged a 28 KB payload designed to steal credentials from AWS, Azure, GCP, Kubernetes, and over 90 developer tools. Security firm Cloudsmith linked the malware to TeamPCP, a threat actor previously associated with the May 2026 compromise of Microsoft’s durabletask Python SDK, which saw 400,000 monthly downloads.
How did the attack bypass security measures?
The malware, tracked as Miasma, exploited compromised Microsoft credentials to publish malicious updates to trusted repositories. By stealing a legitimate Microsoft OIDC (OpenID-Connect) token, attackers bypassed GitHub’s build pipeline entirely. This method allowed them to inject code without triggering automated security checks, according to Cloudsmith. The attack also spread laterally through cloud infrastructures, infecting other developer machines.

This technique mirrors a separate supply-chain attack that poisoned dozens of Red Hat packages via its official npm channel in June 2026, highlighting a growing trend of targeting trusted identities and CI/CD pipelines.
Why this attack matters for developers
The incident underscores the risks of relying on AI coding agents, which can unknowingly execute malicious code from compromised packages. Developers using tools like GitHub Actions or Azure Functions should assume their systems are compromised if those systems interacted with the affected repositories, as advised by StepSecurity. The attack also exposes weaknesses in supply-chain security, particularly in SLSA (Supply-chain Levels for Software Artifacts) provenance attestation, which relies on cryptographically signed guarantees of software integrity.
“The ability to steal OIDC tokens and use them to forge trust in malicious packages is a critical flaw,” said Cloudsmith. “This isn’t just about one compromised repo—it’s about the entire ecosystem of trust in open-source software.”
What are the broader implications for software security?
The attack highlights a shift in cybercrime tactics, where threat actors target the “trust layer” of software development rather than individual systems. By compromising Microsoft’s credentials, attackers gained access to a vast network of developers and organizations reliant on its tools. This aligns with a 2025 report by the Open Source Security Foundation, which found that 70% of supply-chain attacks now target CI/CD pipelines and package managers.
Experts warn that as AI coding agents become more prevalent, the attack surface for such threats will expand. “The faster developers adopt AI tools, the more critical it is to secure the underlying infrastructure,” said a researcher at StepSecurity. “This attack is a wake-up call for stricter verification processes in open-source ecosystems.”
Did you know?
The Miasma malware is a clone of TeamPCP’s Mini Shai-Hulud toolkit, which the group open-sourced in late 2025. This suggests a growing trend of threat actors sharing tools to automate supply-chain attacks.

What should developers do next?
StepSecurity recommends developers:
– Audit all dependencies for the affected Microsoft packages.
– Revoke and regenerate OIDC tokens used in CI/CD pipelines.
– Monitor cloud environments for unusual activity, such as unauthorized access to credentials.
– Use multi-factor authentication (MFA) for all developer accounts.
– Report suspicious packages to GitHub’s security team immediately.
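For the dependency audit in the first step above, an added example (not from StepSecurity, Microsoft or the original article): a lockfile check that also finds transitive copies nested under other packages. It assumes an npm package-lock.json (lockfileVersion 2 or 3); the article does not name the affected packages or their ecosystem, so the names and versions in AFFECTED and the sample lockfile are constructed placeholders.

```python
import json

# Constructed advisory list: the article does not name the affected packages,
# so these names and versions are placeholders. None means "any version".
AFFECTED = {
    "@example-scope/affected-sdk": {"2.4.1", "2.4.2"},
    "example-affected-tool": None,
}

# Constructed npm lockfile (lockfileVersion 3 layout), embedded so this runs offline.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-helper": {"version": "1.2.0"},
        "node_modules/@example-scope/affected-sdk": {"version": "2.4.0"},
        "node_modules/left-helper/node_modules/@example-scope/affected-sdk": {"version": "2.4.2"},
        "node_modules/example-affected-tool": {"version": "0.9.3", "dev": True},
    },
})


def package_name(lock_path):
    """Return the package name from a lockfile key such as
    'node_modules/a/node_modules/@scope/b' (the part after the last node_modules/)."""
    return lock_path.rpartition("node_modules/")[2]


def audit_lockfile(lock_text, affected):
    """Return sorted (name, version, lock_path) for every installed copy, direct or
    transitive, whose name and version match the advisory list."""
    packages = json.loads(lock_text).get("packages", {})
    hits = []
    for lock_path, meta in packages.items():
        if not lock_path:  # "" is the root project itself
            continue
        # Aliased installs carry an explicit "name"; otherwise derive it from the path.
        name = meta.get("name") or package_name(lock_path)
        if name not in affected:
            continue
        bad_versions = affected[name]
        version = meta.get("version", "")
        if bad_versions is None or version in bad_versions:
            hits.append((name, version, lock_path))
    return sorted(hits)


if __name__ == "__main__":
    for name, version, path in audit_lockfile(SAMPLE_LOCK, AFFECTED):
        print(f"AFFECTED {name}@{version} at {path}")
```

In the sample, the top-level copy of the SDK is on a clean version while the copy nested under another package is not, which is the case a search of direct dependencies alone would miss.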
How does this compare to past attacks?
The May 2026 durabletask compromise and the recent incident share similarities: both involved TeamPCP, exploited stolen Microsoft credentials, and targeted widely used packages. However, the latest attack specifically targeted AI coding agents, a newer vector that amplifies the risk. In contrast, the May attack focused on Python SDKs, which are more common in data science workflows.
FAQ: Common questions about the attack
What is Miasma?
Miasma is a credential-stealing malware linked to the TeamPCP threat actor. It spreads by stealing OIDC tokens and injecting malicious code into trusted repositories, according to Cloudsmith.
How did the attack affect GitHub?
GitHub disabled 73 repositories but did not explicitly label them as malicious. Instead, it cited a “terms of service violation,” which critics argue downplays the severity of the breach.

What steps can organizations take to prevent similar attacks?
Organizations should enforce strict access controls, monitor for unusual API activity, and adopt zero-trust principles for CI/CD pipelines. Regular security audits and employee training are also critical.
Pro tip: Secure your AI coding workflows
AI coding agents like GitHub Copilot or Azure AI