Hackers hijack Microsoft packages to steal developer logins

Security researchers have discovered credential-stealing malware in dozens of Microsoft open-source software packages.
- Malware was found in Microsoft open-source repositories, making them look legitimate while hiding credential theft code.
- The malware aimed to steal passwords, API keys, and tokens from developer machines, especially via AI coding tools.
- The “Miasma” worm could spread automatically and harvest credentials at scale across systems.
- The breach follows similar incidents on platforms like PyPI, showing rising supply-chain attacks on developers.
On June 5th, GitHub disabled 73 Microsoft repositories across 4 of its GitHub organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. They all went down in a 105-second automated sweep.
According to security researchers, these were cryptographically verified packages, making them appear legitimate and trustworthy. Instead, they were infected with malicious code designed to collect passwords, authentication tokens, API keys, and other login credentials stored on developers’ computers as soon as they opened certain AI-assisted coding tools.
In response, GitHub said that it had disabled the packages “due to a violation of GitHub’s terms of service.” It wasn’t until Monday that Microsoft stated that the packages were infected with credential-stealing malware.
“We have temporarily removed some repositories as we investigate potential malicious content,” Microsoft said in an email addressed to software developers, according to Ars Technica.
The malware used in the attack was dubbed “Miasma” and is described as a self-replicating worm designed to harvest login credentials from developer environments. Once collected, these credentials could potentially be used to compromise source code repositories and cloud infrastructure.
The discovery comes weeks after another security incident involving Microsoft-related software packages. In May, the Python Package Index (PyPI), a repository of software for the Python programming language, temporarily halted the admission of new users and projects after an influx of malware on the platform.
“The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion. While we re-group over the weekend, new user and new project registration is temporarily suspended,” PyPI said in a statement at the time.
The malware campaign was connected to a threat group called TeamPCP. The gang, also known as PCPcat, DeadCatx3, ShellForce, and CipherForce, emerged in late 2025 and is known for compromising software tools and services that developers and organizations trust in order to steal login credentials. Stolen credentials can be used for data theft, extortion, ransomware deployment, and cryptocurrency mining, or sold to other criminals.
Details about TeamPCP’s members, location, and structure remain largely unverified in the cybersecurity community.