73 Microsoft packages secretly contain data‑stealing code, AI Agent gets hit as soon as it opens them

Second time in two weeks, Microsoft-related NPM packages were implanted with credential stealers, 73 repositories disabled. This time, the attacker targeted AI coding agents—the malicious code only triggers when the Agent parses the package, making traditional manual reviews almost ineffective.
Second Incident in Two Weeks
Less than two weeks after the previous round of Microsoft-related NPM packages were infected by the "Shai-Hulud" worm, on June 7 Ars Technica reported: another 73 NPM packages bearing the Microsoft name were implanted with credential stealers, and the affected repositories have been batch disabled.
What’s more disturbing this time is the trigger condition — the malicious code doesn’t run when developers manually execute npm install, but the moment an AI Agent opens the package, it self-replicates and starts running. This means teams that treat Cursor, Claude Code, Copilot Workspace as part of their daily productivity may, without doing anything themselves, end up handing over their GitHub tokens, Azure credentials, and npm publishing keys all at once.

What This Attack Looks Like
According to security researchers, the attack chain roughly goes like this:
- Entry: Attackers obtained credentials persisted from previous Shai-Hulud campaigns, reentered GitHub organizations under Microsoft / Azure, focusing on the
durabletaskecosystem (Azure Durable Functions relies on it). - Implant: Inserted five seemingly harmless configuration files containing a worm module, dubbed "Miasma" by researchers, into 73 packages.
- Trigger: The malicious payload’s entry point is not a
postinstallscript but fields in the package metadata that AI coding agents parse while "reading package descriptions/example code." In other words, once the agent loads this package into context, the self-replicating stealer starts running. - Lateral Spread: Stolen npm tokens were immediately used to publish more contaminated versions, worm-like propagation.
Compared to traditional typosquatting (impersonating package names), this approach is far more sophisticated. These packages are genuine, officially published, with real download counts, giving developers no reason to suspect them.
Why AI Agents Became the Perfect Carrier
In the past, supply chain poisoning discussions focused on script execution during the install phase. Now the problem is AI Agents have a much broader attack surface:
- They actively fetch. If you tell an agent "show me how to use the durabletask package," it will fetch the README, examples, and source code into its context. Attackers only need to embed prompt injection in these fields, and the agent might be hijacked.
- They have credentials. An agent that can run
npm publish, push to GitHub, and call Azure CLI is essentially carrying the full keychain of the development environment downstream from the LLM output. - They are unattended. The promise of agentic workflows is "unattended operation," but precisely because no one is watching, malicious actions can run for a long time before being discovered.
Microsoft’s own AI Red Team published a taxonomy of AI Agent system failure modes earlier this year, specifically highlighting such new threats — memory poisoning, indirect prompt injection, control flow hijacking. At the time these were just lab PoCs; now they’re being used in real production environments.
Same Group as Previous Shai-Hulud?
Based on code fingerprints, highly likely. Ars Technica cited researchers noting that the stealer module used in these 73 packages is highly similar to the Shai-Hulud campaign active since September:
- Same logic to avoid systems set to Russian language
- Same destructive behavior selectively deleting random files on systems located in Israel or Iran
- Same C2 communication callback structure
The difference is that this round changes the trigger condition to "AI Agent parsing," clearly iterating in response to the large-scale adoption of agentic development workflows in the past half-year. The attackers are following industry trends.
Scope and Response
Microsoft has already taken the following actions:
- Disabled the 73 affected repositories
- Revoked related npm publishing permissions
- Submitted a CVE entry to GitHub Security Advisory Database
- Recommended that teams which interacted with
durabletaskecosystem packages via AI Agents in the past 30 days immediately rotate all cloud credentials
If you’re a development team, here are some short-term measures you can take:
- Credential minimization: Don’t let Agents use personal PATs directly; at least use short-lived OIDC tokens.
- Outbound network control: Restrict which domains the Agent container can send requests to—stealer-type attacks rely heavily on external connections.
- Package source inspection: Even if an official organization publishes the package, check signatures and see if the release time is abnormal. In this case, contaminated versions were patch versions pushed within hours of the original release.
- Agent context isolation: When letting Agents read package documentation, run them in a sandbox and don’t share the host’s keyring directly.
An Uncomfortable Assessment
Supply chain issues in the NPM ecosystem are nothing new, but this "AI Agent as a springboard" pathway doesn’t yet have a mature defense paradigm. npm audit can’t detect it — because the code itself doesn’t call child_process or read .env, it simply returns a string, leaving it to the LLM to decide whether to execute. This passes the ball to model vendors and Agent framework developers, a layer that is currently almost completely unprotected.
Microsoft reacted quickly this time, but similar incidents will very likely occur on a monthly basis in the coming months. Developers need to start treating "AI Agent trust boundaries" as seriously as OS permissions when designing systems.
References
- NPM poisoning causes 73 Microsoft repositories to be disabled; the supply chain worm from April is still spreading — Zhihu: Technical breakdown and timeline overview from the Chinese community on this incident



