Thursday, July 2, 2026

73 Microsoft Packages Compromised in Password Stealer Attack

GitHub disabled 73 repositories in four Microsoft groups: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. Each repo now shows GitHub’s “This repository has been disabled. Access to this repository has been disabled by GitHub Staff due to a violation of GitHub’s terms of service” banner.

The scale and timing suggest automated abuse detection rather than staff taking repositories down one by one. The takedown affects core Azure Functions components and the supply-chain tooling used in many CI pipelines.

The biggest impact was in the Azure organization, where 49 repositories were disabled, including azure-functions-host, azure-webjobs-sdk and extensions, language workers (Node.js, Python, Java, PowerShell, .NET, Go), azure-functions-core-tools, container tools, the Homebrew tap, and the functions-action and functions-container-action GitHub Actions.

Losing functions-action is especially disruptive because many workflows reference it through a tag such as Azure/functions-action@v1. With the repository disabled, those pipelines stop working, and CI fails globally until users switch to fixed commit SHAs or other deployment methods.

73 Microsoft Packages Weaponized

The repeated use of the same repo group in another takedown shows that the first leak of credentials was never completely fixed.

Azure-Samples lost 13 repositories covering AI and agent demos, fine-tuning examples, and connectors. Several Microsoft repositories for documentation and tools were also disabled, showing that enforcement was applied to whole organizations rather than to a single team.

The full list of affected repositories is available in public reports and community compilations shared by security researchers and Microsoft Learn discussion threads.

Why this matters: beyond convenience, this appears tied to a supply-chain weaponization wave. In late May, TeamPCP’s Mini Shai-Hulud toolkit was forked into public variants (notably “Miasma”) that added Azure and GCP credential collectors.

Miasma was seen affecting npm and other packages, stealing passwords and storing them in attacker-created public repositories. This worm-like behavior of creating repos and saving stolen secrets is exactly what triggers GitHub’s automated abuse systems, leading to the 105-second mass shutdown.

While we can’t say for sure that the Miasma activity on June 1 caused the takedown on June 5, the similar tactics and the Azure collectors being involved make it likely.

Immediate mitigations for teams: stop using mutable action tags and pin Azure actions to specific commit SHAs; rotate credentials and tokens that a stealer might target (Azure CLI tokens, managed-identity tokens, GitHub Actions OIDC tokens, and package registry publish keys).

Check your organizations for any public repositories or JSON files that contain secrets. Review builds for signs of Miasma, such as preinstall scripts that call Bun through a hidden _index.js loader. Also, use alternative deployment methods, such as Azure CLI, Azure DevOps, or Zip Deploy, until the affected actions are restored.
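One way to run two of the checks above over a repository checkout, as an added example that is not from the original article: it lists `uses:` references that are not pinned to a full commit SHA and flags install-time npm scripts that mention Bun or `_index.js`. The sample workflow, commit SHA and package.json are constructed, and checking `install` and `postinstall` alongside `preinstall` is a generalization beyond the indicator the article names.

```python
import json
import re

# Constructed sample inputs (the 40-hex SHA is a placeholder, not a real commit).
SAMPLE_WORKFLOW = """\
jobs:
  deploy:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: Azure/functions-action@v1
      - name: local build
        uses: ./.github/actions/build
"""
SAMPLE_PACKAGE = '{"name": "constructed-pkg", "scripts": {"preinstall": "bun run _index.js"}}'

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # only a full commit SHA is immutable


def unpinned_actions(workflow_text):
    """Return action references that use a tag or branch instead of a commit SHA."""
    findings = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are not covered here
        version = ref.partition("@")[2]
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def suspicious_install_hooks(package_json_text):
    """Flag install-time lifecycle scripts that mention Bun or an _index.js loader."""
    scripts = json.loads(package_json_text).get("scripts", {})
    hits = []
    for hook in ("preinstall", "install", "postinstall"):
        cmd = scripts.get(hook, "")
        # Triage signal only: a legitimate project may also call Bun at install time.
        if re.search(r"\bbun\b", cmd) or "_index.js" in cmd:
            hits.append((hook, cmd))
    return hits


if __name__ == "__main__":
    print("unpinned:", unpinned_actions(SAMPLE_WORKFLOW))
    print("install hooks:", suspicious_install_hooks(SAMPLE_PACKAGE))
```

In practice, feed each file under `.github/workflows/` and each `package.json` in the dependency tree through these functions and review every hit by hand.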

This event highlights an important fact about cloud development: CI/CD and package registries are key targets for attacks.

Even well-resourced organizations can be tripped up by stolen automation credentials, and automated enforcement can cause major collateral damage.

Security teams should treat action credentials as high-value secrets. They need to secure workflow publish paths and use immutable references to lower risk in future supply-chain incidents.
