
Miasma Worm Targets AI Coding Agents via Poisoned Microsoft Packages

TL;DR CRITICAL
  • What happened: 73 Microsoft packages infected with Miasma credential stealer, triggered by AI coding agents.
  • Who's at risk: Developers using AI coding agents to work with Microsoft open source packages are directly exposed, with cloud credentials and developer tool configs at risk.
  • Act now: Audit all recently installed Microsoft npm/PyPI packages against the 73 flagged identifiers and treat any usage via AI agent as a full compromise event · Rotate all cloud credentials (AWS, Azure, GCP, Kubernetes) and secrets stored in password managers on any affected developer machines · Restrict AI coding agent permissions to read-only package access and enforce sandboxed execution environments before installing open source dependencies

Overview

For the second time in under two months, official Microsoft-hosted open source packages have been found carrying the Miasma credential-stealing worm. In the most recent incident, 73 packages were flagged as malicious after automated systems on GitHub blocked them. The packages were weaponised to execute a credential-harvesting payload the moment a developer opened them inside an AI coding agent — a deliberate targeting of automated, agentic development workflows. The incident follows a May 2026 compromise of Microsoft’s durabletask Python SDK on PyPI, attributed to the same threat actor, TeamPCP.

Notably, GitHub’s initial public messaging described the removals as “a violation of GitHub’s terms of service” rather than explicitly warning of malicious content, delaying developer awareness and incident response.

Technical Analysis

The Miasma malware is derived from TeamPCP’s Mini Shai-Hulud toolkit, which the group open-sourced. Its primary infection vector exploits the trust model of modern software supply chains rather than any vulnerability in GitHub or npm infrastructure.

The attack chain proceeds as follows:

  1. Credential compromise: Attackers obtain legitimate Microsoft credentials used for publishing packages, bypassing the repository’s build pipeline entirely.
  2. OIDC token abuse: A legitimate GitHub OIDC (OpenID Connect) token is requested using the compromised credentials.
  3. Provenance spoofing: A malicious build is published with valid SLSA (Supply-chain Levels for Software Artifacts) provenance attestation — cryptographically signed metadata that is normally a signal of integrity.
  4. Payload execution: The 28 KB payload activates when an AI coding agent opens the package, harvesting credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations.
  5. Lateral movement: The worm spreads through cloud infrastructure to infect additional developer machines.

The exploitation of SLSA provenance is particularly significant: it subverts a control specifically designed to provide supply-chain integrity guarantees, turning a trust signal into cover that makes a malicious release look legitimate.
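The SLSA point above is the one a package consumer can act on, so here is an added example (not tooling from GitHub, Microsoft or the briefing's authors) of the policy checks that a valid signature alone does not give you: after signature verification, the statement's builder, repository, release ref and source commit are compared against expectations obtained out-of-band from the canonical repository. The repository name, tag-to-commit map, builder id and artifact bytes are all constructed.

```python
import hashlib

ARTIFACT = b"constructed package bytes"            # stand-in for the downloaded archive
EXPECTED_REPO = "https://github.com/example-org/examplepkg"
TRUSTED_BUILDERS = {"https://github.com/actions/runner/github-hosted"}
KNOWN_TAGS = {"refs/tags/v2.4.1": "a1" * 20}        # constructed: tag -> commit, fetched out-of-band

def make_provenance(ref, commit, builder="https://github.com/actions/runner/github-hosted",
                    repo=EXPECTED_REPO):
    """Constructed in-toto v1 statement with a SLSA v1 build predicate (signature assumed verified)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "examplepkg-2.4.1.tar.gz",
                     "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "externalParameters": {"workflow": {"ref": ref, "repository": repo,
                                                    "path": ".github/workflows/release.yml"}},
                "resolvedDependencies": [{"uri": f"git+{repo}@{ref}",
                                          "digest": {"gitCommit": commit}}]},
            "runDetails": {"builder": {"id": builder}}}}

def check_provenance(stmt, artifact=ARTIFACT, expected_repo=EXPECTED_REPO, known_tags=KNOWN_TAGS):
    """Policy checks that a valid signature alone does not give. Returns a list of
    findings; empty means the release is consistent with the canonical repository."""
    findings = []
    pred = stmt["predicate"]
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        findings.append("unexpected predicate type")
    if hashlib.sha256(artifact).hexdigest() not in {s["digest"].get("sha256") for s in stmt["subject"]}:
        findings.append("artifact digest not in subject")      # wrong or swapped artifact
    builder = pred["runDetails"]["builder"]["id"]
    if builder not in TRUSTED_BUILDERS:
        findings.append(f"untrusted builder {builder}")
    wf = pred["buildDefinition"]["externalParameters"]["workflow"]
    if wf["repository"] != expected_repo:
        findings.append(f"built from {wf['repository']}, not the canonical repository")
    if not wf["ref"].startswith("refs/tags/"):
        findings.append(f"built from non-release ref {wf['ref']}")
    commit = next((d["digest"].get("gitCommit") for d in pred["buildDefinition"]["resolvedDependencies"]
                   if d["uri"].startswith("git+")), None)
    if known_tags.get(wf["ref"]) != commit:                    # release not traceable to a known tag
        findings.append(f"commit {commit} is not the canonical commit for {wf['ref']}")
    return findings
```

A release whose provenance verifies but whose ref is a branch, or whose commit is absent from the canonical tag list, is exactly the case where signature validity says nothing about integrity.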

Framework Mapping

  • AML.T0010 (ML Supply Chain Compromise): Packages distributed through official Microsoft repositories are poisoned prior to developer consumption, directly targeting AI-assisted development pipelines.
  • AML.T0012 (Valid Accounts): Compromised Microsoft publisher credentials enable legitimate-looking package releases that bypass automated defences.
  • AML.T0047 (ML-Enabled Product or Service): The trigger condition — opening packages inside AI coding agents — specifically weaponises agentic AI workflows.
  • LLM05 (Supply Chain Vulnerabilities): The attack exploits trusted package repositories as an entry point into developer and AI agent environments.
  • LLM08 (Excessive Agency): AI coding agents with broad filesystem and network permissions amplify the blast radius when a malicious package is executed.

Impact Assessment

Developers using AI coding agents to consume Microsoft open source packages are at highest risk. Any machine where an affected package was opened by an agent should be treated as fully compromised. Cloud credentials across all major providers, Kubernetes configurations, and secrets stored in password managers are in scope for exfiltration. The worm’s lateral movement capability means initial compromise of a single developer machine can propagate across an entire cloud-connected organisation.

Mitigation & Recommendations

  • Assume compromise: Any developer or pipeline that interacted with the 73 flagged packages via an AI agent should initiate full incident response immediately.
  • Rotate credentials: Invalidate and rotate all cloud provider credentials, OIDC tokens, and secrets on affected systems.
  • Restrict agent permissions: AI coding agents should operate under least-privilege principles with sandboxed execution environments; prevent agents from executing package install hooks without human approval.
  • Do not rely solely on SLSA provenance: This attack demonstrates that valid provenance attestation is not sufficient to confirm integrity when upstream credentials are compromised.
  • Monitor for lateral movement: Audit cloud access logs for anomalous API calls originating from developer machines.
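For the lateral-movement monitoring recommendation, an added example (not detection content from the briefing) that runs over constructed CloudTrail-style records: it flags a developer principal whose calls arrive from tooling outside the developer baseline and who reads several credential stores within a short window. The API list, baseline user agents, account id and ARN are constructed placeholders to tune to your own environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed for this example: credential-store APIs, the developer tooling baseline, burst window.
HARVEST_APIS = {("secretsmanager.amazonaws.com", "ListSecrets"),
                ("secretsmanager.amazonaws.com", "GetSecretValue"),
                ("ssm.amazonaws.com", "GetParametersByPath"),
                ("iam.amazonaws.com", "CreateAccessKey")}
DEV_BASELINE_AGENTS = ("aws-cli/", "aws-sdk-go", "terraform/")
WINDOW = timedelta(seconds=120)

def _rec(t, src, name, ua="aws-cli/2.15.0", arn="arn:aws:iam::111111111111:user/dev-alice"):
    return json.dumps({"eventTime": t, "eventSource": src, "eventName": name,
                       "userAgent": ua, "userIdentity": {"arn": arn}})

SAMPLE_LOG = [  # constructed CloudTrail-style lines: one benign deploy, then a harvesting burst
    _rec("2026-06-01T09:00:00Z", "s3.amazonaws.com", "PutObject"),
    _rec("2026-06-01T09:40:00Z", "sts.amazonaws.com", "GetCallerIdentity", ua="python-requests/2.31"),
    _rec("2026-06-01T09:40:03Z", "secretsmanager.amazonaws.com", "ListSecrets", ua="python-requests/2.31"),
    _rec("2026-06-01T09:40:05Z", "secretsmanager.amazonaws.com", "GetSecretValue", ua="python-requests/2.31"),
    _rec("2026-06-01T09:40:09Z", "ssm.amazonaws.com", "GetParametersByPath", ua="python-requests/2.31"),
    _rec("2026-06-01T09:40:20Z", "iam.amazonaws.com", "CreateAccessKey", ua="python-requests/2.31"),
]

def parse_records(lines):
    recs = [json.loads(line) for line in lines if line.strip()]
    for r in recs:
        r["_t"] = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(recs, key=lambda r: r["_t"])

def detect(lines):
    """Return {principal_arn: [alerts]} for principals whose activity looks like automated harvesting."""
    alerts, by_principal = defaultdict(list), defaultdict(list)
    for r in parse_records(lines):
        by_principal[r["userIdentity"]["arn"]].append(r)
    for arn, recs in by_principal.items():
        for r in recs:  # tooling the developer does not normally use
            if not r["userAgent"].startswith(DEV_BASELINE_AGENTS):
                alerts[arn].append(f"{r['eventName']} via unexpected user agent {r['userAgent']}")
        start = 0       # sliding window over distinct credential-read APIs
        for end, r in enumerate(recs):
            while r["_t"] - recs[start]["_t"] > WINDOW:
                start += 1
            hits = {(x["eventSource"], x["eventName"]) for x in recs[start:end + 1]} & HARVEST_APIS
            if len(hits) >= 3:
                alerts[arn].append(f"{len(hits)} credential-read APIs within {WINDOW.seconds}s ending {r['eventTime']}")
                break
    return dict(alerts)
```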

◉ AI THREAT BRIEFING