Attackers Compromised Extra Than 70 Microsoft Repositories in Underneath 2 Minutes
Safety researchers stated a fast-moving supply-chain assault linked to the “Miasma” worm hit Microsoft’s developer ecosystem Friday, spreading by code repositories tied to Azure cloud instruments.
See Additionally: AI Impersonation Is the New Arms Race-Is Your Workforce Ready?
Security researchers said the attack spread to more than 70 repositories Friday in under two minutes, forcing the temporary disabling of Azure Functions-related repositories and development workflows. The incident affected repositories across the Azure, Azure-Samples and Microsoft repositories, including projects tied to Azure Functions and Microsoft’s Durable Task framework.
Researchers at StepSecurity said attackers used a beforehand compromised contributor account to push malicious code into Microsoft’s Azure ecosystem. The assault triggered an automatic marketing campaign designed to contaminate builders who interacted with affected repositories by synthetic intelligence-assisted coding instruments.
GitHub disabled 73 repositories as a part of its response, based on researchers monitoring the incident. The repositories have been restored after Microsoft and GitHub accomplished an preliminary investigation and eliminated the malicious code.
The incident is the newest obvious growth of the Miasma marketing campaign, a supply-chain operation based mostly on self-replicating malware posted on-line by the TeamPCP menace actor, the group answerable for the Mini Shai-Hulud toolkit rampaging over JavaScript and Python code repositories (see: Flurry of Provide-Chain Software program Library Assaults).
The attackers planted malicious configuration recordsdata designed to execute code when repositories have been opened utilizing AI coding instruments resembling Claude Code, Cursor, Gemini CLI and different AI-powered coding assistants, based on the researchers.
The assault focused the belief relationships and automation options more and more embedded inside fashionable software program growth workflows. Researchers stated the malicious payload was designed to steal credentials, authentication tokens and developer secrets and techniques from contaminated techniques.
Earlier variations of the Miasma marketing campaign have focused cloud credentials, Kubernetes configurations, password supervisor information and supply code repositories.
Researchers additionally instructed the newest incident seems linked to a earlier compromise involving Microsoft’s durabletask Python package deal. Earlier reviews indicated attackers inserted credential-stealing malware into the package deal after compromising a maintainer account.
StepSecurity researchers stated the incident could also be linked to an earlier compromise of the durabletask Python Azure process scheduler – though the precise path used to entry the affected repositories stays underneath investigation.
Open-source malware researchers additionally said the assault unfold quickly by Microsoft’s growth ecosystem after attackers modified repository configuration recordsdata generally inherited throughout initiatives. The method allowed the malicious code to focus on dozens of repositories in a matter of seconds.
Microsoft didn’t instantly touch upon the incident. GitHub has not publicly disclosed further particulars concerning the scope of the compromise or whether or not any downstream organizations have been affected.
Researchers urged organizations that cloned affected repositories or used impacted Azure Capabilities elements to evaluate growth environments for indicators of compromise, rotate doubtlessly uncovered credentials and confirm the integrity of native repositories.