RU version is available. Content is displayed in original English for accuracy.
Advertisement
Advertisement
⚡ Community Insights
Discussion Sentiment
50% Positive
Analyzed from 5831 words in the discussion.
Trending Topics
#azure#microsoft#functions#security#code#github#https#access#don#own
Discussion (177 Comments)Read Original on HackerNews
Again, I am not saying it is related but I think it has an impact.
Now in many places it is encouraged by coders and managers to vibe stuff on their own devices. Soon or later it will become a problem, especially for those that have no idea what they are doing.
I am not saying it is related but I feel that it coincides perfectly.
I just cannot believe there is no underlaying thread going through all of these recent supply chain issues, and yes there are some hacking groups that specialise in this, sure, but it is because the bounty is plentiful.
It's a continuation of the Shai Halud worm and the lack of security around developer dependnecy installations, which has existed for a very long time.
Hackers have figured out that developers themselves are an ideal target due to how easy it is to trick them into installing something and how much private information they have on their machines (creds, cloud clis, mcps, etc.).
You have tools from large corporations where the official installation procedure involves copy pasting a command from a random blog post, run it with sudo and watch it download and execute a script from a random filehost. This is somehow deemed acceptable by everyone involved.
Meanwhile I can't use teams in our meeting rooms, since any form of internet access was deemed a security risk in rooms where customer projects could be discussed. This is in a day and age where 90% of customer meetings are done over the internet.
Anyone trying to follow sane practices in this industry just asks to end up in a padded cell.
I hope this is in jest. Are you saying in order to discuss any customer project you have to book a meeting room? So no discussions of customer projects at the open plan desks or even in your boss' office for fear that something might overhear that conversation? Or is this only when the customer happens to be on-site to discuss their project? Does your organization assign U.S. Military style NICKA code names to everything?
By some, not all. It's been crazy from the start and it is still crazy to pipe a script to bash!
Same as it ever was.
Yes in our place too. "You better do as much as possible with AI or you will be left behind" dogmas etc.
It's the stupid IoT hype all over again. No concern for security, just trying to be the first in the pack.
Welp.
Unfortunately, most developers don't like them so it is a though sell.
You make it sound like you are surprised, but everyone who has tried this knows it's crap and a band aid at best.
Edit: I realize in hindsight this comes across as overly negative. I think those are great solutions to have available for when you are working with a suboptimal local setup for whatever reason. I just don't think they're the default choice let alone any sort of ideal to strive for.
You could argue this is probably on GitHub for creating a token here that gives blanket access to all repos vs a scoped token for just the repo.
I am against proprietary SAAS online in browser dependencies.
I personally think the, perhaps confusingly named, capability based security models are the way of The Future.
Gonna be a hard nut to crack to implement this across the supply chain.
Transitive dependencies are a bitch.
Idiots must suffer.
I am not saying vibe coding is the issue. The issue is that a typical developer might be working on a lot more projects that run concurrently then they used to. And because of the various nature of the project the risk is significantly increased.
Scale this across the workforce and you not just doubled the problem.
In the end it can just be a culture thing. A dev who was going to write docs and tests before is going to have a LLM generate docs and tests today. Same with safe practices and defensive coding. The machine does whatever you want from it, for most that's "just get the job done I don't care". So that's the output.
Then, which I find the most amusing, proceeds to blame MicroSlop for the attempted suuply chain attack,
> Microsoft did not immediately provide the specific number of customers affected, when asked by TechCrunch.
Yeah, because that's how open source works. Tech crunch doing hard work no not explain that.
> This is Microsoft’s second known breach over the past few weeks that has allowed hackers to compromise its open source projects, per Ars Technica.
I, like many others love to knock on Microslop when I can, but in this case they did the right thing. The article phrases it like they did everything wrong, they're all at fault and shame on them for limiting the breach.
This is not the first time I've seen an article from Zack Whittaker that just rubbed me the wrong way.
> steal passwords of AI developers
This phrasing has it's own connotations. AI developers versus developers who use AI?
> This is the latest example in recent months of hackers breaching widely popular open source projects with the aim of planting malware on a large number of users who have the code installed on their computers. These hacks are known as “supply chain” attacks as they target code that is often used in a large number of software products, or by a specific kind of user, which may be advantageous to hack as they sometimes have access to cloud systems and large amounts of customers’ data.
Describes literally nothing of what a supply chain attack is, just the result of one and the reasons for their attack surface.
Very very bad reporting in my opinion. Bad breach, and I hate to admit M$ did the safe and right thing, but this 'reporting' leaves a lot to be desired.
> I, like many others love to knock on Microslop when I can, but in this case they did the right thing.
I've no idea what your problem with this sentence is. They have an organisational security problem, aided/demonstrated by lack of effort to effectively lockdown GitHub Actions and allowing MRs to circumvent CI/CD.
That this is a Microsoft problem that was present pre-AI is not up for debate. See https://www.cisa.gov/sites/default/files/2025-03/CSRBReviewO...
In the age of AI, it's now endemic and being weaponised.
No argument from me, but what would you have them do in the immediate timeframe ?
They can publish self-congratulatory stuff like this: https://www.microsoft.com/en-us/security/blog/2026/06/05/sec... but they can't publish a post-mortem on their own platform?
I'm told that when Affirmed got compromised Microsoft Security descended on the org and rewrote their entire backlog. Where is the plan from GitHub that they are now taking security seriously given GitHub Actions is now a primary threat vector even for projects written by their own company.
* https://news.ycombinator.com/item?id=48418318 (The Blight Reaches Microsoft: 73 Repos Disabled in 105 Seconds)
* https://news.ycombinator.com/item?id=48450543 (Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled After Supply Chain Attack Targeting AI Coding Agents)
* https://news.ycombinator.com/item?id=48416155
* https://news.ycombinator.com/item?id=48416269 (Miasma Worm Targets AI Coding Agents via GitHub Repos)
On Monday, the Hades campaign introduced Composer, Go and Pip support. Before that it had only support for NPM and AI assistant editors. (Well, and Ruby btw but nobody uses Rubygems anymore it seems).
What even Microsoft gets wrong: This is the first worm that runs on all platforms in the code ecosystem. Developer host machines, servers, ci/cd runners. And all of them spread the worm to all repositories that are accessible on those machines.
You would have to completely shutdown 100% of all computers AND aws ec2 AND google cloud platform AND azure AND kubernetes clusters AT THE SAME TIME to beat this worm. It literally spreads across all infrastructure.
Kill switch, as always with APT28 malware, is setting the host language to ru_RU.KOI8-R (LANG environment variable). That disables the spread mechanism.
My Mitigation Tool (I'm updating it as new package systems are targeted ...):
https://github.com/cookiengineer/antimiasma
Blog post:
https://cookie.engineer/weblog/articles/malware-insights-mia...
If you are going to be handing tokens to AI agents on weird openclaw contraptions, you should try to use the fine grained variants. My GitHub account spans 3 organizations with wildly differing policies. The fact that classic tokens are even still allowed blows my mind a bit. You should be required to manually opt in each organization at a minimum.
Agreed. I went further and turned that into its own isolated virtual machine. The credentials problem is really annoying though. AI agents need the access in order to be useful.
Give each dev's AI agent its own identity with its own access controls and tokens and everything.
It helps solve both the access control and attribution issues
Of course, it is only their employees that are impacted instead of their bottom line, they might be more tolerant?
Why isn't it standard to have a security log that shows what permissions were requested, with what scope, so we can at least create a minimal set of permissions by trying an operation, seeing what permissions are necessary, and then setting just the needed permissions? If you're worried about that log itself becoming a compromise, make it something that is off by default, and maybe automatically turns off after some period of time, or make me use a burner token for this operation, or something, but the alternative is the world of excessively-broad permissions that we live in now. Why isn't there a helper mode that a dev can use to point at an interaction and say "now give me minimal permissions for those interactions", not only to configure a given key but so we can learn what permissions actually mean in practice?
We're given these super complicated knobs, but all we get for using them is a few textual blurbs about the settings and the blame if we don't configure them exactly correctly, and also the blame if something breaks because we were too tight with the permissions.
This seems such a basic tool to use these super complicated systems yet I've never seen them anywhere on the web.
Perhaps ironically, perhaps just because it was already complicated enough and needed a way to approach usable, the notoriously difficult to use SELinux uses this as the more-or-less standard way of setting permissions. I can't believe I'm missing SELinux.
I was getting multiple of these a day and found that if you set up the Microsoft Authenticator app from a phone, it will force it to passwordless if you have any type of lock on your phone (facial, fingerprint, pin). The only way around it is to disable all of those while setting up the account in the authenticator app. I don't use my Microsoft account much, so just use a separate e-mail now for verification instead of the authenticator app.
The fact that this is how it works is of course insane, but I'm guessing someone inside of Microsoft is hitting their KPIs for passwordless logins or something...
Also, the title is misleading, setup adds config to be auto executed by people who work on the repo. They would have to use vscode/cursor/claude/gemini. People who use codex / opencode / other harnesses are safe I guess.
Details: https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-...
I have a good friend that works for one of the giants(I can't say which one for obvious reasons but S&P 500). He's been working there for quite a while now, so far he hasn't seen what the project he works on looks like, has the repo cloned and knows what language is used but nothing beyond that. Everything is slopped together. His project is the authentication and authorization system for all the company products. In his own words "I hit Tab all day long and write 'this is intended' in the reviews, which are all ai, there is no human in the loop. This is what we are told to do by the CEO and CTO unironically. If something breaks, no one knows how any of this works since no one has seen the actual code. Our performance reviews are based on how many tokens we've used, not what we have done". I suspect this is the case in many companies now so it's not unreasonable to think that there are no actual code reviews.
When that boost disappears after the IPOs, everything will crash.
Don't threaten me with a good time(also unironically).
I can’t think of any obvious reason other than this being embellished / made up? Those companies have tens of thousands of employees you aren’t going to “out” anyone by naming the company.
So this is related to the Sept 2025 security breach of Github.
> The five repos carry 1,459 GitHub stars between them, mantine-datatable alone accounting for 1,225. Stars are a rough proxy for how many developers have the source checked out locally, which is the population this attack targets.
> Every commit: unsigned, github-actions identity, chore: update dependencies [skip ci], the same six-file footprint. A 49-second sweep across five repos is automation, not a human committing. This matches Shai-Hulud self-propagation: harvest a GitHub token with write access from a prior infection, then push the persistence payload into every repo the token can reach.
https://safedep.io/miasma-worm-ai-coding-agent-config-inject...
What it is doing: https://safedep.io/config-files-that-run-code/
I'm not related to those guys. That's the simplest detailed explanation of what is happening that I've found.
I read 90%+ of the code I generate by reviewing it like I would a junior developer. I'm heavily vibe-coding a new feature right now and it's going to get a thorough reading as soon as GitHub's PRs start working again
> Individually, any one of the failings described above might be understandable. Taken together, they point to a failure of Microsoft’s organizational controls and governance, and of its corporate culture around security.
Microsoft’s products and services are ubiquitous. It is one of the most important technology companies in the world, if not the most important. This position brings with it utmost and global responsibilities. It requires a security-focused corporate culture of accountability, which starts with the CEO, to ensure that financial or other go-to-market factors do not undermine cybersecurity and the protection of Microsoft’s customers.
> Unfortunately, throughout this review, the Board identified a series of operational and strategic decisions that collectively point to a corporate culture in Microsoft that deprioritized both enterprise security investments and rigorous risk management. These decisions resulted in significant costs and harm for Microsoft customers around the world.
> The Board is convinced that Microsoft should address its security culture.
[0] https://www.cisa.gov/resources-tools/resources/CSRB-Review-S...
[1]: https://www.microsoft.com/en-us/trust-center/security/secure...
[2]: https://cybermagazine.com/articles/how-microsoft-is-securing...
In any case, you're free to remove Microsoft's certificates and enroll your own.
This latest event just continues Microsoft's track record of being a security problem rather than having their shit together. :(
The attack vector isn't just plugins that steal your data, but also 0-day exploits in just about any software you use, and even your own web services being exploited by a script kiddy with an LLM. There will be an increase in hacks and it's only going to get worse, so anyone not investing in cyber security audits and auditing tools should really reconsider.
AI can tell you you're being zero-day'd, but that isn't much comfort - you're already expecting everyone to always be zero-day'd at all times!
What I'm seeing is that the whole security model built around endless code re-evaluation and continuous (usually online) updates is collapsing in a spectacular fashion. This is not "good for red teams" or "good for security AI". This is not good for anyone except malicious actors.
I rarely do these, but here is my prediction: doing more of the same but faster is not going to work. No matter how much AI compute people will throw at security scans and patching, the number of security incidents and the overall instability will keep going up until the underlying security model is fundamentally changed.
Really drives home this org chart: https://www.businessinsider.com/big-tech-org-charts-2011-6
Using a proper sandboxing(https://github.com/ashishb/amazing-sandbox) regularly will drastically limit the blast radius of these attacks.
Does your Docker backend run commands in rootless containers? I skimmed the code but didn't see anything to confirm this.
You can pass your favorite rootless Docker image using `--custom-docker-image` CLI parameter.
Furthermore, you can use native sandboxing on macOS if you prefer.
If neither looks serious to you, then please educate me on a better sandboxing approach.
What alternative do you suggest?
Do you mean not install outside a sandbox?
It will always introduce friction, though.
Modern software development is simply too fast to be reviewed properly.
So, amazing-sandbox at its core is nothing but a glorified docker command generator (in default mode).
If your distribution requires more than this, then it's not really a module, or combines too many non-modular components, and should be distributed differently.
The ability for npm to run scripts on any level should be removed.
Then we can go back to worrying about namespacing issues.
Even Python has that ability now. Also, `npm run dev` is running the script with full disk access.
Heck, Vscode/Cursor will auto-execute code if you open a project. And this has been actively used in the wild https://ashishb.net/security/contagious-interview/
It's like saying "I don't trust a software app with an installer, I just want a .zip with the binaries from the same source that I will run myself"
Based on the news, seems like it is better to not include Microsoft at all in there.
Azure (49)
azure-functions-agents-runtime azure-functions-connector-extension azure-functions-core-tools azure-functions-docker azure-functions-dotnet-extensions azure-functions-dotnet-worker azure-functions-durable-extension azure-functions-durable-js azure-functions-durable-powershell azure-functions-durable-python azure-functions-extension-bundles azure-functions-golang-worker azure-functions-host azure-functions-java-library azure-functions-java-worker azure-functions-kafka-extension azure-functions-language-worker-protobuf azure-functions-mcp-extension azure-functions-nodejs-e2e-tests azure-functions-nodejs-library azure-functions-nodejs-opentelemetry azure-functions-nodejs-worker azure-functions-openai-extension azure-functions-powershell-library azure-functions-powershell-opentelemetry azure-functions-powershell-worker azure-functions-python-extensions azure-functions-python-library azure-functions-python-worker azure-functions-rabbitmq-extension azure-functions-skills azure-functions-sql-extension azure-functions-templates azure-functions-tooling-feed azure-functions-vs-build-sdk azure-webjobs-sdk azure-webjobs-sdk-extensions azure-websites-security checkaccess-v2-go-sdk Connectors-NET-LSP Connectors-NET-Samples Connectors-NET-SDK Connectors-NodeJS-SDK connectors-python-sdk durabletask functions-action functions-container-action homebrew-functions sonic-gnmi.msft
microsoft (10)
DurableFunctionsMonitor durabletask-dotnet durabletask-go durabletask-java durabletask-js durabletask-mssql durabletask-netherite durabletask-protobuf Microsoft-Performance-Tools-Apple secure-azureai-agent
Azure-Samples (13)
azure-ai-content-understanding-python azure-container-apps-multi-agent-workflow azure-container-apps-sandboxes azure-functions-java-flex-consumption-azd azure-functions-nodejs-opentelemetry-samples azure-search-openai-demo-purviewdatasecurity functions-connectors-python functions-connectors-typescript llm-fine-tuning openai-chat-app-entra-auth-builtin openai-chat-app-entra-auth-local rag-postgres-openai-python tutor
MicrosoftDocs (1)
windows-driver-docs
And just like the other one, the people proposing those microlibraries knew what they were doing and had actually reasonable ideas. But masses of FAANG developers took it and run wild.
How many other OSS repos of similarly sized companies get compromised like this?
No one ever got fired for choosing IBM or AWS - but apparently Microsoft has a decades long free pass everywhere.
Insane.
What does this even mean?
The malware specifically steals passwords from developers who use AI? From those who develop AI tool? Or it steals API tokens, which serve a similar function as passwords do for humans?
Is this what journalism looks like today? Just slap the two holy letters on the title and you get views?
(Yes, I read the article. No, I still don't think the title makes sense. You can skip this techchurch slop and read the real information here: https://opensourcemalware.com/blog/miasma-reaches-azure)
VSCode will be used by plenty of non-AI-using developers, and the credential harvester is not specific to AI API tokens, but that 3/4 of the targets are AI coding tools is I assume where the claim comes from.
If the techchurch post is written by a human then I'll take this as an example that humans outslop AI.
Most of my userspace apps are in Flatpak sandboxes (yeah they are not great), but otherwise it feels like isolation and airgapping is the most sensible solution for now, and it’ll get increasingly worse unless the vibe coders somehow learn how to write robust software.
It’s like during the black plague: the (software) world has become dangerous, we have no way to contain it, it is unfeasible to remove yourself completely from the world, so you better pray really hard you don’t catch the bug and infect your peers. How’s that for a field we used to call software engineering or computer science?
Skynet is winning now.
And then go on to repeat that mistake by re-building without using the lessons from previous catastrophe(s).
Sadly that last part sounds fairly common for humans... 8-|
So yeah. Maybe. Possible.
There aren't many institutions extant today that I could trust to properly construct and operate a nuclear reactor, never mind manage nuclear waste for the next 100000 years.
The Trump government just decided that there is an acceptable level to irradiate the population by the way (abandoned the linear-no-threshold model of radiation's effects on an organism)
The connotation here being either "open source is dangerous" or "Microsoft's specific brand of open source is dangerous" -- which coincidentally provides good clickbait for both "pro-open source" and "anti open source" types.
Anyway, not reading. They should do better.