Microsoft closed many code folders on GitHub. They found a bad program that steals passwords.

微軟關閉了 GitHub 上的許多代碼資料夾。他們發現了一個會盜取密碼的惡意程式。

A group called TeamPCP made a bad program. This program steals passwords from cloud services. It starts when developers use AI tools to write code.

一個名為 TeamPCP 的組織製作了一個惡意程式。這個程式會從雲端服務盜取密碼。當開發者使用 AI 工具編寫代碼時，該程式就會啟動。

The bad people stole passwords from Microsoft workers. They used these passwords to put bad code into the system. Security tools did not see the problem because the code looked real.

歹徒從微軟員工處盜取了密碼。他們利用這些密碼將惡意代碼植入系統。由於代碼看起來很真實，安全工具並未發現問題。

This is the second time this happened in two months. Microsoft does not know why it happened again. Other companies like Red Hat also have this problem.

這是兩個月內第二次發生此類事件。微軟不清楚為何會再次發生。其他公司（如 Red Hat）也面臨同樣的問題。

Microsoft is still looking for answers. They told some customers about the problem.

微軟仍在尋找答案。他們已告知部分客戶關於此問題的情況。

Microsoft has disabled several open-source repositories on GitHub after discovering malware designed to steal passwords and access keys hidden within its code.

微軟在 GitHub 發現其代碼中隱藏了旨在竊取密碼和存取金鑰的惡意軟體，隨即禁用了數個開源儲存庫。

The security breach involves the Miasma worm, which was created by a group known as TeamPCP. This malware is designed to steal credentials from cloud platforms such as Azure, AWS, and Google Cloud, as well as from developer tools. The malicious code is activated when developers use AI-powered coding tools, such as Cursor or Claude Code, to interact with the compromised packages.

此次安全漏洞涉及 Miasma 蠕蟲，由一個名為 TeamPCP 的組織創建。該惡意軟體旨在從 Azure、AWS 和 Google Cloud 等雲端平台以及開發者工具中竊取憑據。當開發者使用 Cursor 或 Claude Code 等 AI 驅動的程式碼工具與受影響的套件互動時，惡意代碼將被觸發。

Technically, the Miasma worm exploits the trust system used in modern software engineering. By stealing the login details of official maintainers, the attackers obtained legitimate security tokens. This allowed them to publish malicious updates that appeared official and trusted, meaning standard security scanners did not detect them. Furthermore, the malware uses a different encryption method for every infection, making it very difficult for security teams to find using traditional detection methods.

從技術上講，Miasma 蠕蟲利用了現代軟體工程中的信任系統。攻擊者透過竊取官方維護者的登入詳細資訊，獲取了合法的安全令牌。這使他們能夠發布看似官方且值得信賴的惡意更新，導致標準的安全掃描程式無法偵測。此外，該惡意軟體在每次感染時使用不同的加密方法，使得安全團隊很難使用傳統偵測方法將其找出。

Experts suggest that this incident shows a failure in how the problem was fixed, as this is the second time the same Microsoft account has been hacked in two months. While Microsoft has not explained exactly why this happened, it may be due to a failure to change passwords or a virus on a developer's computer. Similar attack methods have also been used against Red Hat software packages.

專家指出，此次事件顯示修復過程存在失敗，因為同一個微軟帳號在兩個月內已被駭客入侵兩次。雖然微軟尚未解釋具體原因，但可能是由於未能更改密碼或開發者的電腦感染了病毒。類似的攻擊方法也曾被用於攻擊 Red Hat 的軟體套件。

Microsoft is still investigating the attack and has informed a small number of affected customers while keeping the repositories offline.

微軟仍在調查此次攻擊，已通知少數受影響的客戶，並將相關儲存庫保持離線狀態。

Microsoft has deactivated numerous open-source repositories on GitHub following the discovery of credential-stealing malware embedded within its codebases.

Microsoft 在發現代碼庫中嵌入了竊取憑證的惡意軟體後，已停用了 GitHub 上的 numerous 個開源儲存庫。

The current security breach involves the distribution of the Miasma worm, a derivative of the Mini Shai-Hulud toolkit attributed to the threat actor TeamPCP. This malware is engineered to harvest credentials from cloud environments, including Azure, GCP, AWS, and Kubernetes, as well as various developer tool configurations. The execution of the malicious payload is triggered upon the interaction of developers with the compromised packages via AI-integrated coding agents, such as Cursor, Gemini CLI, and Claude Code.

目前的安全性漏洞涉及 Miasma 蠕蟲的傳播，該蠕蟲是歸屬於威脅參與者 TeamPCP 的 Mini Shai-Hulud 工具集的衍生版本。此惡意軟體旨在從雲端環境（包括 Azure、GCP、AWS 和 Kubernetes）以及各種開發者工具配置中收集憑證。當開發者透過 AI 整合的編碼代理（例如 Cursor、Gemini CLI 和 Claude Code）與受損套件互動時，將觸發惡意載荷的執行。

Technologically, the Miasma worm leverages a sophisticated exploitation of the modern engineering trust model. By utilizing compromised maintainer credentials, the actor obtained legitimate OpenID-Connect (OIDC) tokens, enabling the publication of malicious builds with valid SLSA provenance. This methodology ensures that the compromised updates are perceived as routine and trusted by conventional security scanners. Furthermore, the malware employs unique encryption for each infection, rendering hash-based Indicators of Compromise (IOCs) ineffective for broad detection.

在技術上，Miasma 蠕蟲利用了對現代工程信任模型的複雜漏洞利用。攻擊者透過利用受損的維護者憑證，取得了合法的 OpenID-Connect (OIDC) 令牌，使其能夠發布具有有效 SLSA 來源證明的惡意建置版本。這種方法確保了受損的更新被傳統安全掃描器視為例行且可信。此外，該惡意軟體對每次感染採用唯一的加密方式，使得基於雜湊值的入侵指標 (IOCs) 在廣泛檢測中失效。

Institutional analysis indicates a systemic failure in remediation, as this incident represents the second breach of the same official Microsoft repository account within two months, following a mid-May compromise of the durabletask Python SDK. While the precise cause of this re-compromise remains unspecified by Microsoft, hypotheses include inadequate credential rotation or a secondary infection of a developer workstation. The impact extends beyond Microsoft, with similar techniques utilized in attacks against Red Hat packages.

機構分析指出，修復過程存在系統性失效，因為此事件代表同一個 Microsoft 官方儲存庫帳號在兩個月內第二次被入侵，此前在五月中旬 durabletask Python SDK 曾遭到入侵。雖然 Microsoft 尚未說明此次再次入侵的確切原因，但假設包括憑證輪換不足或開發者工作站遭受二次感染。影響範圍不僅限於 Microsoft，Red Hat 的套件在攻擊中也被使用了類似技術。

Microsoft continues to investigate the breach and has notified a limited number of affected customers while maintaining the suspension of several repositories.

Microsoft 繼續調查此次入侵，並已通知少數受影響客戶，同時維持暫停數個儲存庫的狀態。