In a startling development, security researchers have reported a rapid supply-chain attack associated with the “Miasma” worm that impacted Microsoft’s developer ecosystem. Emerging on Friday, the attack has reportedly compromised over 70 code repositories linked to Azure cloud tools in a staggering timeframe of less than two minutes. This incident forced Microsoft to temporarily disable repositories tied to Azure Functions and other development workflows, demonstrating the swift and alarming nature of the breach.

The supply-chain assault has affected numerous repositories across Microsoft’s Azure ecosystem, notably those associated with Azure Functions, Azure-Samples, and various other Microsoft projects. Analysts from StepSecurity revealed that attackers exploited a previously compromised contributor account, enabling them to inject malicious code into the Azure framework. Once infiltrated, the attack launched an automated campaign specifically designed to infect developers who interacted with the compromised repositories, particularly through AI-assisted coding tools.

In response to the unfolding situation, GitHub took precautionary measures by disabling 73 repositories to mitigate the threat. Following thorough investigations by Microsoft and GitHub, those repositories were eventually restored after the malicious code was purged. This incident has been characterized as the latest chapter in the broader Miasma campaign, a supply-chain operation involving self-replicating malware propagated by a group known as TeamPCP. This collective has previously been linked to the harmful Mini Shai-Hulud toolkit, notorious for its exploits across JavaScript and Python code repositories.

Investigators noted that the attackers strategically planted malicious configuration files designed to execute code associated with AI coding tools like Claude Code, Cursor, Gemini CLI, and other similar assistants. The assailants effectively targeted the trust relationships and automation features that are becoming integral to modern software development processes. Security experts have emphasized that the malicious payload aimed to siphon off credentials, authentication tokens, and other sensitive developer secrets from the compromised systems.

Historically, earlier iterations of the Miasma campaign have sought to compromise various valuable assets, including cloud credentials, Kubernetes configurations, and sensitive information from password managers and source code repositories. In light of this incident, researchers have made connections to a prior compromise involving Microsoft’s durabletask Python package. It was previously documented that attackers had inserted credential-stealing malware into this package after taking over a maintainer account, raising significant concerns about the security of such widely-used frameworks.

The latest attack’s rapid spread through the Microsoft developer ecosystem has been aided by modifications to repository configuration files that are commonly inherited across multiple projects. This strategic approach enabled the malicious code to infiltrate numerous repositories in mere seconds, showcasing the vulnerabilities inherent in the software development lifecycle.

While Microsoft has yet to comment publicly on the incident, GitHub has refrained from disclosing further details regarding the scope of the compromise or the potential impact on downstream organizations. In light of these developments, researchers are urging organizations that may have cloned affected repositories or utilized impacted Azure Functions components to diligently review their development environments for any signs of compromise. Steps should include rotating potentially exposed credentials and verifying the integrity of local repositories to prevent further security breaches.

The implications of this incident underline the increasing risks associated with cybercrime, particularly as software development practices evolve to incorporate more automated elements and AI technologies. The rapid evolution of these threats highlights the necessity for organizations to maintain stringent cybersecurity protocols and foster an environment of vigilance to combat the ever-growing sophistication of cyber adversaries.