Hackers hijack Microsoft packages to steal developer logins


Security researchers have discovered credential-stealing malware in dozens of Microsoft open-source software packages.

On June 5th, GitHub disabled 73 Microsoft repositories across 4 of its GitHub organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. They all went down in a 105-second automated sweep.

According to security researchers, these were cryptographically verified packages, which made them appear legitimate and trustworthy. In reality, they were infected with malicious code designed to collect passwords, authentication tokens, API keys, and other login credentials stored on developers’ computers as soon as they opened certain AI-assisted coding tools.


In response, GitHub said that it had disabled the packages “due to a violation of GitHub’s terms of service.” It wasn’t until Monday that Microsoft stated that packages were infected with credential-stealing malware.


“We have temporarily removed some repositories as we investigate potential malicious content,” Microsoft said in an email addressed to software developers, according to Ars Technica.

The malware used in the attack was dubbed “Miasma” and is described as a self-replicating worm designed to harvest login credentials from developer environments. Once collected, these credentials could potentially be used to compromise source code repositories and cloud infrastructure.

The discovery comes weeks after another security incident involving Microsoft-related software packages. In May, the Python Package Index (PyPI), a repository of software for the Python programming language, temporarily halted the admission of new users and projects after an influx of malware on the platform.

“The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion. While we re-group over the weekend, new user and new project registration is temporarily suspended,” PyPI said in a statement at the time.


The malware campaign was connected to a threat group called TeamPCP. The gang, also known as PCPcat, DeadCatx3, ShellForce, and CipherForce, emerged in late 2025 and is known for targeting software tools and services that developers and organizations trust to steal login credentials. Stolen credentials can be used for data theft, extortion, ransomware deployment, cryptocurrency mining, or sold to other criminals.


Details about TeamPCP’s members, location, and structure remain largely unverified in the cybersecurity community.
