Just to clarify, and I know you weren't saying they are related, but this has absolutely nothing to do with AI or vibe coding or manager code.

It's a continuation of the Shai Halud worm and the lack of security around developer dependnecy installations, which has existed for a very long time.

Hackers have figured out that developers themselves are an ideal target due to how easy it is to trick them into installing something and how much private information they have on their machines (creds, cloud clis, mcps, etc.).

> Now in many places it is encouraged by coders and managers to vibe stuff on their own devices. Soon or later it will become a problem, especially for those that have no idea what they are doing.

Yes in our place too. "You better do as much as possible with AI or you will be left behind" dogmas etc.

It's the stupid IoT hype all over again. No concern for security, just trying to be the first in the pack.

I argued for years that we had too few workers for our total project count and management argued that most projects were idle and so it was fine to have so many per worker.

Welp.

Do you mean that role based access control (RBAC) should be replaced by something else? Or that just the specific RBAC models in use are broken?

I personally think the, perhaps confusingly named, capability based security models are the way of The Future.

> Now in many places it is encouraged by coders and managers to vibe stuff on their own devices. Soon or later it will become a problem, especially for those that have no idea what they are doing.

Idiots must suffer.

one could also vibe-code vanilla, no dependencies.

TechCrunch is very sloppy and unreliable. I’ve seen them reporting on things I worked on where they just invented facts for SEO purpose and there is no way to get them to correct

What's your post mortem, then? As in - what happened and how should it be read?

> > This is Microsoft’s second known breach over the past few weeks that has allowed hackers to compromise its open source projects, per Ars Technica.

> I, like many others love to knock on Microslop when I can, but in this case they did the right thing.

I've no idea what your problem with this sentence is. They have an organisational security problem, aided/demonstrated by lack of effort to effectively lockdown GitHub Actions and allowing MRs to circumvent CI/CD.

That this is a Microsoft problem that was present pre-AI is not up for debate. See https://www.cisa.gov/sites/default/files/2025-03/CSRBReviewO...

In the age of AI, it's now endemic and being weaponised.

I created a mitigation tool that can be used to fix/remove the worm from all infected repositories, and did a writeup about this.

On Monday, the Hades campaign introduced Composer, Go and Pip support. Before that it had only support for NPM and AI assistant editors. (Well, and Ruby btw but nobody uses Rubygems anymore it seems).

What even Microsoft gets wrong: This is the first worm that runs on all platforms in the code ecosystem. Developer host machines, servers, ci/cd runners. And all of them spread the worm to all repositories that are accessible on those machines.

You would have to completely shutdown 100% of all computers AND aws ec2 AND google cloud platform AND azure AND kubernetes clusters AT THE SAME TIME to beat this worm. It literally spreads across all infrastructure.

Kill switch, as always with APT28 malware, is setting the host language to ru_RU.KOI8-R (LANG environment variable). That disables the spread mechanism.

My Mitigation Tool (I'm updating it as new package systems are targeted ...):

https://github.com/cookiengineer/antimiasma

Blog post:

https://cookie.engineer/weblog/articles/malware-insights-mia...

It feels to me like AI agents should be their own security principals and use access tokens generated speficically for them on the repos or orgs that they need access to. Handing an AI agent an access token "minted" for a human's account feels to me like the new "write the password on a post-it".

If classic PATs were to blame, doesn't this mean further private repos could be at risk as well? (apart from the GitHub ones the other day).

You are correct but the issue is permission management with finegrained tokens is nighmare. It is not easy to decide what is correct and what is needed for some operation. Furthermore, often software devs think it is important to focus on code rather than permissions - as it is for someone else's responsibility....

I use classic tokens on low-privileged accounts for scraping public repos. I suppose organization level permissions would work fine for me.

It is almost impossible to set up personal Microsoft accounts that does not allow passwordless login. So what is more likely to have happened is that your account is set up like this and you are just getting MFA requests that are not a second factor, but simply an attempt to get access to your account.

I was getting multiple of these a day and found that if you set up the Microsoft Authenticator app from a phone, it will force it to passwordless if you have any type of lock on your phone (facial, fingerprint, pin). The only way around it is to disable all of those while setting up the account in the authenticator app. I don't use my Microsoft account much, so just use a separate e-mail now for verification instead of the authenticator app.

The fact that this is how it works is of course insane, but I'm guessing someone inside of Microsoft is hitting their KPIs for passwordless logins or something...

In some organizations I've worked at, the multi-factor prompt would occur regardless of the password validity (wastes more of the attacker's time). Is that the case with Microsoft? I'm not sure.

AI harnesses were exploited, here's why it's actually good for AI.

> Do they don't have any code reviews?

I have a good friend that works for one of the giants(I can't say which one for obvious reasons but S&P 500). He's been working there for quite a while now, so far he hasn't seen what the project he works on looks like, has the repo cloned and knows what language is used but nothing beyond that. Everything is slopped together. His project is the authentication and authorization system for all the company products. In his own words "I hit Tab all day long and write 'this is intended' in the reviews, which are all ai, there is no human in the loop. This is what we are told to do by the CEO and CTO unironically. If something breaks, no one knows how any of this works since no one has seen the actual code. Our performance reviews are based on how many tokens we've used, not what we have done". I suspect this is the case in many companies now so it's not unreasonable to think that there are no actual code reviews.

Many of the malicious commits show as an author `github-actions <github-actions@github.com>`. Which means that they are authenticating as internal github CI/CD stuff and that there are so many of those that no possible automated tool can find the poison in the mountain of chaff.

So this is related to the Sept 2025 security breach of Github.

> The five repos carry 1,459 GitHub stars between them, mantine-datatable alone accounting for 1,225. Stars are a rough proxy for how many developers have the source checked out locally, which is the population this attack targets.

> Every commit: unsigned, github-actions identity, chore: update dependencies [skip ci], the same six-file footprint. A 49-second sweep across five repos is automation, not a human committing. This matches Shai-Hulud self-propagation: harvest a GitHub token with write access from a prior infection, then push the persistence payload into every repo the token can reach.

https://safedep.io/miasma-worm-ai-coding-agent-config-inject...

What it is doing: https://safedep.io/config-files-that-run-code/

I'm not related to those guys. That's the simplest detailed explanation of what is happening that I've found.

Coworker seriously asked "since we're generating most of our code now, who is actually reading all of the code?" We're at a small company, but the urge to trust The Oracle is almost spiritual with some people IMHO.

I read 90%+ of the code I generate by reviewing it like I would a junior developer. I'm heavily vibe-coding a new feature right now and it's going to get a thorough reading as soon as GitHub's PRs start working again

if an account with the ability to push to the repo was taken over, there wouldn't be any PR review.

You mean the company that failed their 2023 security review? [0]

> Individually, any one of the failings described above might be understandable. Taken together, they point to a failure of Microsoft’s organizational controls and governance, and of its corporate culture around security.

Microsoft’s products and services are ubiquitous. It is one of the most important technology companies in the world, if not the most important. This position brings with it utmost and global responsibilities. It requires a security-focused corporate culture of accountability, which starts with the CEO, to ensure that financial or other go-to-market factors do not undermine cybersecurity and the protection of Microsoft’s customers.

> Unfortunately, throughout this review, the Board identified a series of operational and strategic decisions that collectively point to a corporate culture in Microsoft that deprioritized both enterprise security investments and rigorous risk management. These decisions resulted in significant costs and harm for Microsoft customers around the world.

> The Board is convinced that Microsoft should address its security culture.

[0] https://www.cisa.gov/resources-tools/resources/CSRB-Review-S...

The root of trust in Secure Boot is typically an OEM certificate, not Microsoft's, which is probably even worse: https://www.binarly.io/blog/pkfail-untrusted-platform-keys-u...

In any case, you're free to remove Microsoft's certificates and enroll your own.

More like "forced to accept" rather than "trust".

This latest event just continues Microsoft's track record of being a security problem rather than having their shit together. :(

No one should be foolish enough to trust Microsoft with anything regarding security. They showed time and time again over the past 40 years that they don't care.

What do you mean 'we'? :-)

Docker isn’t a serious sandboxing strategy

> https://github.com/ashishb/amazing-sandbox

Does your Docker backend run commands in rootless containers? I skimmed the code but didn't see anything to confirm this.

Is there a detection component here too? Sandboxing development is great, but the next step is to deploy to production. How do you know if something malicious happened in the sandbox, such that you don't deploy the malware further?

> Nobody should do 'npm install' or 'pip install' on their machine.

What alternative do you suggest?

Do you mean not install outside a sandbox?

a friend of mine has a very different solution: he codes everything by hand. he says that the time you need to research to include a new package you can actually use to code the piece you need. and he for sure doesn't have the problems of transitive dependencies

> keep your SBOM strict

Based on the news, seems like it is better to not include Microsoft at all in there.

https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-... mentions that it plants `.claude/settings.json`, `.gemini/settings.json`, `.cursor/rules/setup.mdc`, and `.vscode/tasks.json` to execute its payload as a setup task.

VSCode will be used by plenty of non-AI-using developers, and the credential harvester is not specific to AI API tokens, but that 3/4 of the targets are AI coding tools is I assume where the claim comes from.

> you can skip the slop and read the real information here: (link that is obviously written by AI)

Do I remember correctly when techcrunch was charging $10k per month for a square banner on its website, 2005? And that was considered the top, for a tech blog. Even then they posted slop.

AI;DR:

Azure (49)

azure-functions-agents-runtime azure-functions-connector-extension azure-functions-core-tools azure-functions-docker azure-functions-dotnet-extensions azure-functions-dotnet-worker azure-functions-durable-extension azure-functions-durable-js azure-functions-durable-powershell azure-functions-durable-python azure-functions-extension-bundles azure-functions-golang-worker azure-functions-host azure-functions-java-library azure-functions-java-worker azure-functions-kafka-extension azure-functions-language-worker-protobuf azure-functions-mcp-extension azure-functions-nodejs-e2e-tests azure-functions-nodejs-library azure-functions-nodejs-opentelemetry azure-functions-nodejs-worker azure-functions-openai-extension azure-functions-powershell-library azure-functions-powershell-opentelemetry azure-functions-powershell-worker azure-functions-python-extensions azure-functions-python-library azure-functions-python-worker azure-functions-rabbitmq-extension azure-functions-skills azure-functions-sql-extension azure-functions-templates azure-functions-tooling-feed azure-functions-vs-build-sdk azure-webjobs-sdk azure-webjobs-sdk-extensions azure-websites-security checkaccess-v2-go-sdk Connectors-NET-LSP Connectors-NET-Samples Connectors-NET-SDK Connectors-NodeJS-SDK connectors-python-sdk durabletask functions-action functions-container-action homebrew-functions sonic-gnmi.msft

microsoft (10)

DurableFunctionsMonitor durabletask-dotnet durabletask-go durabletask-java durabletask-js durabletask-mssql durabletask-netherite durabletask-protobuf Microsoft-Performance-Tools-Apple secure-azureai-agent

Azure-Samples (13)

azure-ai-content-understanding-python azure-container-apps-multi-agent-workflow azure-container-apps-sandboxes azure-functions-java-flex-consumption-azd azure-functions-nodejs-opentelemetry-samples azure-search-openai-demo-purviewdatasecurity functions-connectors-python functions-connectors-typescript llm-fine-tuning openai-chat-app-entra-auth-builtin openai-chat-app-entra-auth-local rag-postgres-openai-python tutor

MicrosoftDocs (1)

windows-driver-docs

That makes for a funny tongue in cheek comment, but it's not MS's AI they're after, it's end user secrets, and the exploits target multiple LLMs. (by adding commands to relevant MD files)

I haven’t worked on any web app in months, I don’t use LLMs, I update my Linux system once a month, and I increasingly feel I should just not do anything, not install or update any software and for the love of God, do not touch anything that’s shipped with npm.

Most of my userspace apps are in Flatpak sandboxes (yeah they are not great), but otherwise it feels like isolation and airgapping is the most sensible solution for now, and it’ll get increasingly worse unless the vibe coders somehow learn how to write robust software.

It’s like during the black plague: the (software) world has become dangerous, we have no way to contain it, it is unfeasible to remove yourself completely from the world, so you better pray really hard you don’t catch the bug and infect your peers. How’s that for a field we used to call software engineering or computer science?

It was never safe to begin with, that is why the security community has been screaming for resources since the 80s.

We are ever-faster approaching the Anti Singularity, the moment when everything "tech" implodes and progress screeches to a halt.

Downloading OpenBSD and going off-grid. How about you?

getting deeper and deeper. the question is what goes one when breaches reach opensource-based stuff running nuclear reactors. i'd be concerned.