In a sweeping supply-chain attack, malicious code was injected into dozens of Microsoft’s open source projects hosted on GitHub, allowing hackers to steal passwords and cloud credentials from developers using AI coding tools. It is the second known breach of Microsoft’s open source infrastructure in as many weeks.
What Happened
Microsoft has cut off access to at least 70 of its open source repositories on GitHub following a breach in which hackers injected credential-stealing malware into code used by AI developers. The company confirmed it “temporarily removed some repositories” and said it “notified a small number of customers who may have pulled down content from the affected repositories.”
The attack targeted tools related to Microsoft’s cloud service Azure and other projects used by developers building AI applications, including integrations with Claude Code, Gemini’s command line interface, and VS Code. When developers opened the compromised packages in these AI coding agents, the malware activated automatically, harvesting passwords and other sensitive credentials stored on their machines.
A Self-Replicating Worm Built for Cloud Infiltration
Security researchers at Cloudsmith and OpenSourceMalware were among the first to flag the breach. Their analysis revealed that the malware — a strain tracked as Miasma — is a sophisticated, self-replicating credential stealer. Unlike conventional malware that relies on a single file signature, Miasma generates a uniquely encrypted payload for every individual infection, making traditional hash-based detection largely ineffective.
Once activated inside an AI coding agent, Miasma scrapes credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations. It then attempts to spread laterally through cloud infrastructures to infect other developer machines connected to the same environment.
“The genius of this Miasma worm lies in how it adhered to legitimate workflows,” Cloudsmith noted. “It does not exploit any software vulnerability in GitHub or npm. Instead, it exploits the underlying trust model of the modern engineering ecosystem.”
Bypassing Cryptographic Verification
What makes this attack particularly alarming is how it evaded standard security controls. The malware used stolen Microsoft credentials to obtain a legitimate GitHub OpenID Connect token, then published a malicious build with valid SLSA (Supply-chain Levels for Software Artifacts) provenance — a method for providing cryptographically signed guarantees of a software’s integrity. This allowed the infected package to appear as a routine trusted update to conventional scanners.
Red Hat security researcher Andrew McNamara explained in a blog post that SLSA’s boundaries fell short in this case. The Miasma worm specifically engineered advanced data collectors for cloud identities in GCP and Azure, attempting to harvest every cloud identity the infected developer machine and CI/CD runners had access to.
A Recurring Breach
This is not Microsoft’s first supply-chain incident in recent weeks. In mid-May, security firm StepSecurity documented the compromise of Microsoft’s durabletask Python SDK on PyPI — a tool that helps developers build fault-tolerant workflows and receives 400,000 downloads per month. That attack used a 28 KB payload to steal credentials from the same range of cloud platforms and developer tools.
The same Microsoft GitHub account compromised in May was used again in last week’s attack. Microsoft has not explained how the second breach occurred. Possibilities include an incomplete credential rotation following the first incident, or a separate compromise of a Microsoft developer machine that handed attackers the new credentials.
Developer Advisory: Assume Compromise
Security researchers are urging any developer who pulled content from Microsoft’s GitHub repositories in recent weeks to assume their systems are compromised. Affected developers should immediately rotate all credentials — especially cloud service tokens for AWS, Azure, and Google Cloud — and audit their CI/CD pipelines for unauthorized access.
While large tech companies typically have the resources to defend against these attacks, Microsoft’s second breach in as many months underscores the growing sophistication of supply-chain threat actors who specifically target the open source ecosystem trusted by AI developers.