律动BlockBeats|Jun 09, 2026 05:06
More than 70 open source libraries of Microsoft were poisoned by the Miasma worm, and the case of GitHub being emptied in May was attributed to accomplices
According to Beating monitoring, over 70 open-source code repositories hosted by Microsoft on GitHub have been urgently shut down due to the Miasma worm attack. The infected warehouses mainly include Azure Functions host processes and the Durable Task task orchestration framework Open source versions in multiple languages such as. NET, Java, Go, and JavaScript. The poisoning of Microsoft this time is related to the internal code theft case on GitHub in mid May. At that time, the hacker group TeamPCP launched a toxic VS Code extension on the Microsoft App Store, and a GitHub employee was tricked by downloading it within a short 11 minute online window, resulting in the theft of all credentials and keys on their computer. Hackers used these credentials to bypass the security net and stole approximately 3800 internal repositories on GitHub. After achieving success, TeamPCP publicly and open-source the self replicating worm framework Mini Shai Hulud on the forum. The Miasma worm that invaded Microsoft this time is a variant and upgraded version of Mini Shai Hulud. The operational mechanism of Miasma worm is specifically designed for AI programming scenarios. Hackers used previously stolen Microsoft contributor tokens to inject malicious code into trusted official repositories. Developers only need to open or analyze these contaminated projects in AI assistants such as Claude Code, cursor, or Gemini CLI, and the programming assistant will automatically trigger malicious payloads when parsing configuration files. After activation, the worm will scan the disk in the background, steal AWS, GCP, and Azure cloud credentials, as well as SSH keys, npm/PyPI tokens, and Kubernetes keys from the developer's computer, and use the newly obtained credentials to find the next GitHub repository for poisoning, achieving automated self replication. This is already the second time in weeks that the Microsoft Durable Task open source project has fallen (it was implanted with malicious Python dependency packages at the end of May). In response to the malicious submission in early June, GitHub's automatic defense system reacted extremely quickly, automatically shutting down 73 infected repositories within 105 seconds of code submission, successfully blocking the spread of the worm. At present, Microsoft has notified a small number of developers who have pulled the damaged code to urgently rotate credentials and gradually restore the affected repositories after security audits. Security agencies remind that as supply chain attacks evolve into automated worms targeting AI agent workflows, developers need to carefully evaluate the risks of running unknown warehouses directly in AI assistants. [Original link]
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink