Miasma worm poisons 73 Microsoft GitHub repos, including azure-functions-host
Miasma worm poisons 73 Microsoft GitHub repos, including azure-functions-host
AI Sec News Weekly #12 — 400 sources scanned
We keep hardening the places users download from and forget the places developers copy from. Registries get signatures and quarantine; source repos get a green check and infinite trust. That asymmetry is why upstream poison works so well: builders read first, verify later—if at all.
AI and automation widen the gap. Agents, templates, and CI pull code and config straight from whatever “source of truth” we point them at. In that world, provenance isn’t a file format, it’s a permission model: who can change the thing your robots read. One worm reminded us this week. The details are below.
This Week's Stories
Miasma worm mass-poisons 73 Microsoft GitHub repos, skips registries
Miasma, a Mini Shai‑Hulud variant, hit 73 Microsoft repos across Azure, Azure‑Samples, Microsoft, and MicrosoftDocs; GitHub has disabled access to projects including Azure/azure‑functions‑host. The campaign re‑compromised the durabletask PyPI package and planted a 4.3MB runner wired to auto‑execute via Claude Code, Gemini CLI, Cursor, VS Code, or npm test. Attackers even skipped registries, committing the payload directly to icflorescu/mantine‑datatable and related repos.
Why it matters: Code commits that auto‑run in IDEs and AI coding agents turn plain Git clones into wormable execution events, so registry hygiene no longer buys you safety.
HTTP/2 Bomb chains HPACK and Slowloris; nginx 1.29.8 ships fix
Calif’s Quang Luong, with OpenAI Codex assisting, chained an HPACK compression bomb with a Slowloris‑style hold to create an HTTP/2 “bomb” that drops servers from a single host. Default configs of nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora are affected; nginx fixed it in 1.29.8 and Apache mod_http2 in v2.0.41 (CVE‑2026‑49975). PoCs are public; a lone client held ~32GB on Apache and Envoy in ~20 seconds.
Why it matters: AI‑assisted chaining of legacy bugs means every public fix diff is now a recipe for a fresh, high‑amplification DoS.
The Register Security by Jessica Lyons
Trail of Bits walks through trivial bypasses of agent skill scanners
Trail of Bits bypassed ClawHub’s malicious‑skill detector, Cisco’s skill‑scanner, and all three scanners integrated into skills.sh with trivial evasion and light prompt injection. Their trailofbits/overtly‑malicious‑skills repo shows four PoCs built in under a day that still pass marketplace checks and can hijack agents or exfiltrate credentials. The post details tricks like newline/truncation games and SKILL.md instructions that fire once installed.
Why it matters: Static scanners miss prompt‑borne intent, so public skill stores behave more like malware swaps than vetted ecosystems.
Trail of Bits by Samuel Judson
Tool Spotlight
New repos and releases worth trying.
Microsoft Agent Governance Toolkit: deterministic policy, identity, and audit for agents
Microsoft open-sourced the Agent Governance Toolkit (AGT) as a public preview. It’s a Python 3.10+ package (pip install agent-governance-toolkit[full]) and plugin that adds policy enforcement, zero‑trust identity, sandboxing, and tamper‑evident logs. AGT intercepts each tool call/message/delegation, evaluates YAML policy (govern(my_tool, policy="policy.yaml")), and raises GovernanceDenied on block. It targets the OWASP Agentic Top 10 and moves control out of prompts.
Why it matters: Agent behavior becomes deterministic infrastructure: disallowed actions never leave the process and every allowed one has an owner and a receipt.
SABER tests coding agents by what they break, not what they say
SABER benchmarks operational safety of LLM coding agents in realistic, stateful projects. Instead of refusal scores, it judges the final workspace after multi‑step edits and commands, and labels violations by cause. In tests, even the best model logged a >54% harmful safety‑violation rate. Code and tasks ship in a public repo (sssr‑lab/saber).
Why it matters: Refusal metrics are a poor stand‑in for operational risk when agents can quietly corrupt a codebase over dozens of steps.
MicroPython-in-WASM sandbox lands for Datasette Agent (0.1a0)
Simon Willison released datasette-agent-micropython 0.1a0, embedding MicroPython in a WebAssembly sandbox as an agent tool. The goal: let Datasette Agent generate and execute Python with real isolation instead of exec-on-host. Early claim: GPT‑5.5 has failed to escape the sandbox so far. It’s an alpha, but the containment story is concrete and testable.
Why it matters: WASM‑sandboxed MicroPython makes “run arbitrary Python” a constrained, portable runtime instead of RCE roulette.
Community Chatter
What practitioners are debating.
DBIR + Keep Aware: Shadow AI surge, browser phish dodge controls
Keep Aware, a 2026 DBIR contributor, argues attacks now live in the browser: 67% of users access AI with personal accounts on corporate devices and 45% are regular AI users. Its telemetry says over half of prompts go to personal accounts, 23% of sensitive uploads bypass corp accounts, and 63% of Microsoft‑themed phish were unflagged; DBIR ties 39% of breaches to credential abuse. Critics question vendor bias; responders say the numbers mirror what they see daily.
Why it matters: Identity and AI data flows increasingly originate and end in the tab, sidelining network and endpoint controls that never see the event.
BleepingComputer by Keep Aware
Snyk argues compile-time security beats AI-era bug fixing
Snyk’s Stephen Thoemmes argues that prompting AI to write secure code isn’t enough. Instead, developers should use type systems and secure-by-design libraries to make entire classes of vulnerabilities impossible to compile or type-check. Drawing on Rust’s success in eliminating most memory safety bugs at compile time, he explores how techniques like trusted types, capability-based APIs, and strict type constraints could prevent common web vulnerabilities from being introduced by humans or LLMs alike.
Why it matters: As AI accelerates software creation, shifting security controls from code review and scanning to compile-time guarantees could dramatically reduce the volume of vulnerabilities generated in the first place.
Snyk by Stephen Thoemmes
Quick Hits
- Researchers Demo AI-Powered Internet Worm With Onboard LLM (Schneier on Security) — Prototype worm carries its own LLM to exploit, pivot, and persist across hosts.
- macOS Malvertising Pushes FlutterShell Backdoor With AI Exfil (Palo Alto Unit 42) — Malvertising drops a Flutter app with a JS‑native bridge that exfiltrates data using AI summarization.
- President Trump Signs AI Security Executive Order (Bluesky (@ericjgeller.com)) — New EO adds a voluntary government model‑review window before releases.
- Meta AI Support Abused for High-Profile Instagram Takeovers (Krebs on Security) — Attackers used Meta’s AI support bot to reset passwords and hijack Instagram accounts until an emergency fix landed.