HeadlinesBriefing.com

Microsoft Repositories Hit by Second Credential-Stealing Supply Chain Attack

Ars Technica

Microsoft's open source packages were compromised for the second time in weeks, with attackers injecting credential-stealing malware into 73 packages that carried valid cryptographic verification, so a signature or attestation check alone would not have flagged them. The malicious code triggered when a developer opened one of these packages in an AI coding agent, whose automated workflows could then execute it and compromise the developer's system.

GitHub's response raised alarms among security researchers. Rather than clearly labeling the packages as malicious, the Microsoft-owned platform removed them for terms of service violations and encouraged the package owner to contact support. Microsoft didn't publicly acknowledge the compromise until days later, stating repositories were temporarily removed during investigation.

The attack deployed a 28 KB payload called Miasma that harvests credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tools. It then spreads laterally through the victim's cloud infrastructure to infect additional machines. The malware specifically targets the OIDC tokens used in software provenance attestation: with a stolen token, an attacker can publish artifacts that carry the trusted pipeline's provenance without ever running the repository's build pipeline.
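A harvester that sweeps this many credential stores leaves responders with one practical question: which secrets on a given developer machine are now burned and must be rotated? The script below is an added example, not code from the article, from Microsoft, or from the malware; it inventories the common default credential files for the tools named above and builds a rotation list. The path table is an assumption from general knowledge of each tool's defaults, not Miasma's actual target list, which the article only describes in aggregate, and the sample home directory it scans is constructed inline with fake, non-functional credentials.

```python
"""Inventory local credential stores a Miasma-style harvester would collect.

Added example (not from the article, Microsoft, or the malware authors).
CREDENTIAL_STORES is assumed from general knowledge of each tool's default
paths; it is not the malware's target list.
"""
from __future__ import annotations

import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Common default credential locations, relative to the user's home directory.
# Assumed from general knowledge; not taken from the article.
CREDENTIAL_STORES: dict[str, list[str]] = {
    "aws": [".aws/credentials"],
    "azure": [".azure/msal_token_cache.json", ".azure/accessTokens.json"],
    "gcp": [".config/gcloud/application_default_credentials.json",
            ".config/gcloud/credentials.db"],
    "kubernetes": [".kube/config"],
    "docker": [".docker/config.json"],
    "npm": [".npmrc"],
    "pypi": [".pypirc"],
    "git": [".git-credentials"],
    "github-cli": [".config/gh/hosts.yml"],
    "ssh": [".ssh/id_rsa", ".ssh/id_ed25519"],
}


@dataclass(frozen=True)
class Finding:
    tool: str
    path: str                    # relative to the scanned home directory
    size: int
    group_or_world_readable: bool  # POSIX mode bits; meaningless on Windows


def inventory(home: Path) -> list[Finding]:
    """Return every credential store present under `home`, sorted by tool/path."""
    found: list[Finding] = []
    for tool, rel_paths in CREDENTIAL_STORES.items():
        for rel in rel_paths:
            p = home / rel
            if not p.is_file():
                continue
            st = p.stat()
            loose = bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH))
            found.append(Finding(tool, rel, st.st_size, loose))
    return sorted(found, key=lambda f: (f.tool, f.path))


def rotation_plan(findings: list[Finding]) -> list[str]:
    """Tools whose secrets must be rotated, deduplicated and sorted."""
    return sorted({f.tool for f in findings})


def build_fixture(home: Path) -> None:
    """Constructed sample home directory with fake, non-functional credentials."""
    samples = {
        ".aws/credentials": "[default]\naws_access_key_id = AKIAEXAMPLE\n",
        ".kube/config": "apiVersion: v1\nkind: Config\nusers: []\n",
        ".npmrc": "//registry.npmjs.org/:_authToken=npm_EXAMPLE\n",
        ".ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nexample\n",
    }
    for rel, body in samples.items():
        p = home / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
        os.chmod(p, 0o600)
    # Typical mistake worth flagging: a private key left group/world-readable.
    os.chmod(home / ".ssh/id_ed25519", 0o644)


def demo() -> tuple[list[Finding], list[str]]:
    """Scan the constructed fixture and return (findings, rotation plan)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        build_fixture(home)
        findings = inventory(home)
        return findings, rotation_plan(findings)


if __name__ == "__main__":
    # Point inventory() at Path.home() to scan a real machine instead.
    findings, plan = demo()
    for f in findings:
        flag = "  (group/world-readable)" if f.group_or_world_readable else ""
        print(f"{f.tool:<11} {f.path:<52} {f.size:>5} bytes{flag}")
    print("rotate:", ", ".join(plan))
```

The rotation plan is keyed by tool rather than by file because a harvester that finds any one of a tool's stores has the whole identity; rotate the key or token at the provider, not just the local file. Presence in the inventory is the signal to rotate, since a stealer does not need the file to be group-readable to read it as the user; the mode check only surfaces the extra exposure to other local accounts.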

Linked to the threat actor TeamPCP, this incident mirrors a May attack on Microsoft's durabletask Python SDK, which receives about 400,000 downloads a month. The same technique previously poisoned Red Hat packages, demonstrating how stolen but legitimate credentials let attackers push compromised packages through major vendors' own trusted publishing channels.