For the 2nd time in weeks, Microsoft packages laced with credential stealer


Dozens of cryptographically verified open source packages from Microsoft were compromised late last week to add advanced credential-stealing code that was triggered when developers opened them in AI coding agents. In all, multiple researchers said, 73 packages were flagged as malicious when automated systems on GitHub blocked them on the platform.

Rather than noting they are malicious—and that developers who used AI agents to work with them should assume their systems are compromised—the Microsoft-owned GitHub said it disabled the packages “due to a violation of GitHub’s terms of service.” The text went on to encourage the package owner to contact GitHub.

Devs: Assume compromise and proceed accordingly


It wasn’t until Monday that Microsoft even raised the possibility the packages were infected. In an email, the company stated: “We have temporarily removed some repositories as we investigate potential malicious content.” The incident is the second supply-chain attack in as many months to breach an official Microsoft repository account.

In mid-May, the firm StepSecurity documented the compromise of Microsoft’s durabletask Python SDK on PyPI. The package is a framework for building fault-tolerant workflows and orchestrations to automate distributed transactions and other workflows. It receives 400,000 downloads per month.

The compromised packages executed a 28 KB payload that steals credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations. It then spreads laterally through cloud infrastructures to infect other developer machines.

The attack, which has been linked to a threat actor tracked as TeamPCP, poisoned the durabletask package after compromising Microsoft credentials for publishing the package. The technique allows attackers to bypass the repository’s build pipeline entirely.

The malware used in the attack is tracked as Miasma. It’s essentially a clone of TeamPCP’s Mini Shai-Hulud toolkit, which the threat actor open-sourced recently. Security firm Cloudsmith said the malware harvests OIDC (OpenID-Connect) token credentials that are used in SLSA (Supply-chain Levels for Software Artifacts) provenance attestation, a method for providing cryptographically signed guarantees of a software’s integrity.

As was the case in the May compromise of Microsoft’s durabletask, the one last week made use of the functionality to steal a legitimate Microsoft OIDC token. It was also used in a separate supply-chain attack poisoning dozens of Red Hat packages.

“The genius of this Miasma worm lies in how it adhered to legitimate workflows,” Cloudsmith said. “It does not exploit any software vulnerability in GitHub or npm. Instead, it exploits the underlying trust model of the modern engineering ecosystem.”

The company continued: Compromised dev creds led to a legitimate GitHub OIDC token being requested. This was followed by a malicious build being published with valid SLSA provenance, which ultimately led to conventional scanners seeing it as a routine trusted update. By stealing legitimate maintainer credentials, the worm was able to act exactly as an authenticated publisher would have.

Furthermore, Miasma generates a uniquely encrypted payload for each individual infection. This means traditional hash-based IOCs are functionally useless for broad detection, as the file signature changes with every single package version.

Andrew McNamara of Red Hat explained in a dedicated blog post where SLSA’s boundaries fall short. While previous iterations of the Mini Shai-Hulud malware have focused purely on local secret scraping, the Miasma worm appears to have advanced data collectors specifically engineered for cloud identities in GCP and Azure. It attempts to harvest every cloud identity the infected developer machine and CI/CD runners have access to, proving a clear intent from the threat actors to leverage access away from the codebase and directly into live cloud environments.

The credential-stealing function in the Miasma worm infecting the Microsoft packages was triggered as soon as a developer opened it in AI agents, including Claude Code, Gemini CLI, Cursor, and VS Code. Follow-on attacks are likely to occur in the highly feasible event that credentials were successfully harvested from machines that opened the packages in one of the affected AI agents.

The Microsoft GitHub account compromised in the May attack is the same one used late last week. The explanation for this double compromise isn’t currently known. It may mean that Microsoft failed to fully change credentials for the account. It might also be the result of an unknown package run on a Microsoft developer machine that stole the new credentials. Microsoft isn’t providing details at the moment.

The self-replicating cryptographic verification of the malicious packages and the ability to bypass hash-based detection make the attacks difficult to detect. And as the subsequent compromise of the same Microsoft account shows, these breaches can be hard to fully remediate. Anyone who touched any one of the 73 packages—listed here—should drop whatever else they’re doing and thoroughly investigate, lest any compromised credentials be used in future attacks.
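One way to start that investigation, as an added example that is not from the article, Microsoft, or any of the firms quoted: because the payload is re-encrypted per infection, the check matches on package name rather than file hash, walking every direct, nested and aliased entry in a lockfile. It assumes the flagged packages are consumed through npm (the ecosystem named in the Cloudsmith quote) and recorded in a `package-lock.json`; the names in `FLAGGED`, the sample lockfile and the function names are constructed placeholders.

```python
import json

# Constructed placeholder names: replace with the published list of flagged packages.
FLAGGED = {"@example-org/flagged-sdk", "example-flagged-util"}

def iter_locked(lock):
    """Yield (name, version, install_path) for each entry of a parsed package-lock.json."""
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project
                continue
            # An aliased install carries its real name in "name"; otherwise
            # the name is whatever follows the last "node_modules/".
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version", "?"), path
        return
    stack = [("", lock.get("dependencies", {}))]  # lockfileVersion 1: nested tree
    while stack:
        prefix, deps = stack.pop()
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield name, meta.get("version", "?"), path
            stack.append((path + "/", meta.get("dependencies", {})))

def find_flagged(lock, flagged=FLAGGED):
    """Match on package name only: per-infection payloads defeat hash matching."""
    return sorted(hit for hit in iter_locked(lock) if hit[0] in flagged)

# Constructed sample lockfile (v3) with a direct, a nested and an aliased install.
SAMPLE_LOCK = json.loads("""
{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "my-app", "version": "1.0.0"},
    "node_modules/left-helper": {"version": "2.1.0"},
    "node_modules/left-helper/node_modules/example-flagged-util": {"version": "0.9.3"},
    "node_modules/@example-org/flagged-sdk": {"version": "4.2.0"},
    "node_modules/sdk-alias": {"name": "@example-org/flagged-sdk", "version": "4.1.9"}
  }
}
""")

if __name__ == "__main__":
    for name, version, path in find_flagged(SAMPLE_LOCK):
        print(f"FLAGGED {name}@{version} at {path}")
```

A hit means the machine or runner that installed or opened that tree should be treated as exposed and every credential reachable from it rotated; a clean lockfile does not clear a package that was opened without being installed.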