Tuesday 9 June 2026

The Worm That Ate Microsoft's GitHub: How 73 Packages Became a Trap for AI Developers

Microsoft's own GitHub repos were hijacked to spread credential-stealing malware targeting AI developers — and the Miasma worm that did it is still shapeshifting.

Lead story

GitHub nuked more than 70 of Microsoft's own code repositories on Monday after attackers embedded a self-replicating credential stealer — dubbed the Miasma worm — across packages used by AI coding agents. The malware ran automatically the moment an AI agent opened an infected package, then spread itself to further repos, hunting for cloud secrets and API keys. Microsoft took the unusual step of pulling its own repos offline to contain the damage. It's the second such incident in a matter of weeks, which is not a coincidence — it's a pattern.

The attack is significant for a few reasons beyond the headline. First, the victim here wasn't some under-resourced organisation — it was Microsoft, one of the biggest operators of developer infrastructure on earth. If their own open-source tooling can be compromised this way, the implied risk to the broader ecosystem of teams pulling Microsoft's Azure and AI coding packages is considerable. Second, the malware specifically targeted the moment an AI agent opened a package. That's a meaningful evolution: attackers are designing payloads for the new automated, agent-driven development workflows rather than waiting for a human to run something.

Why this matters beyond the incident itself. Supply chain attacks on package repositories are not new — SolarWinds, XZ Utils, the earlier Shai-Hulud PyPI campaigns also in today's news — but the Miasma worm adds a self-replication capability that makes it categorically nastier than a poisoned package sitting passively waiting to be installed. Worms spread. The goal here was cloud secrets: API keys, tokens, and credentials that unlock cloud infrastructure, AI services, and downstream systems.

The timing is also notable. VS Code just announced a two-hour delay on extension auto-updates this week specifically to slow supply chain attacks. That's a good step, but it addresses a slightly different vector — Miasma didn't ride in via a VS Code extension; it came through the repos developers trust for Microsoft's own tools.

For Australian developers and security teams, the risk is real and direct. Azure is one of the dominant cloud platforms used across Australian enterprise and government. Teams using Microsoft's open-source AI tooling — particularly those running automated agent-based development pipelines — should audit recently installed packages and rotate any credentials that may have been exposed. The Australian Signals Directorate's Essential Eight mitigation strategies include application control and patching, but neither cleanly addresses the "worm inside a trusted package" threat model. This is an argument for software composition analysis (SCA) tooling in every CI/CD pipeline, not just periodic audits.

What to watch: Whether the Miasma worm is linked to a known threat actor (attribution is still unclear), how many organisations had cloud credentials exfiltrated before Microsoft pulled the repos, and whether GitHub introduces platform-level controls to detect self-replicating behaviour in published code. The worm is described as still shapeshifting, which suggests defenders haven't seen its final form yet.

Also today

NSO Group Allegedly Defied a Court Order. Meta Is Now Seeking Contempt.

Meta says it caught the NSO Group running fresh spear-phishing campaigns against WhatsApp users — despite a permanent federal court injunction explicitly barring NSO from doing exactly that. WhatsApp disrupted the attacks, which used malicious links designed to redirect targets to external sites controlled by the spyware vendor. Meta is now filing a contempt-of-court motion. This is notable not just for the audacity of it, but because it tests whether US courts can actually enforce injunctions against a foreign commercial spyware firm. NSO has argued in past proceedings that its government clients — not NSO itself — are responsible for how Pegasus is deployed. That defence is going to be harder to run when the phishing infrastructure appears to be NSO's own.

The Hacker News

Check Point VPN Zero-Day Was Being Exploited for a Month Before a Patch Existed

A critical flaw in Check Point's Remote Access VPN — tracked as CVE-2026-50751, CVSS 9.3 — was being actively exploited from as early as May 7, a full month before a patch landed. The vulnerability is a logic flaw in certificate validation that lets an unauthenticated remote attacker bypass passwords entirely on deployments using the deprecated IKEv1 protocol. At least one Qilin ransomware affiliate has been blamed for attacks in the wild. Check Point has now issued fixes, but the month-long head start for attackers is a damaging detail. Organisations still running IKEv1 configurations — often inherited legacy deployments — should treat this as urgent. Check Point's Remote Access VPN is widely deployed in Australian enterprise environments.

Dark Reading

The 'Hades' Campaign Puts a New Spin on PyPI Supply Chain Attacks

A campaign called Hades has compromised 19 science-focused Python packages on PyPI — collectively downloaded hundreds of thousands of times — delivering malware designed to steal developer credentials and secrets. Dark Reading reports this as an evolution of the persistent Shai-Hulud supply chain threat, this time hitting 37 PyPI wheels and 19 code packages aimed at the scientific Python community. The targeting of science-focused packages is a deliberate choice: researchers and data scientists are less likely to have enterprise security tooling watching their development environments, and their cloud credentials often unlock significant compute resources. Australian research institutions and universities using PyPI packages in data science pipelines should treat this as a prompt to audit dependencies.

Dark Reading

Linux Kernel Use-After-Free: One Character, Root Access, Exploit Now Public

A working public exploit is now available for CVE-2026-23111, a use-after-free vulnerability in the Linux kernel's nf_tables packet-filtering code. The flaw lets an unprivileged local user escalate to root and break out of containers. It was patched upstream in February, but Exodus Intelligence published a full technical walkthrough on June 8 — meaning any unpatched system now has a detailed recipe for exploitation sitting in the public domain. The "one character" label refers to how minimal the triggering condition is. The real concern is containerised environments: if an attacker already has a foothold inside a container, this vulnerability provides a clean escape path. Linux underpins most Australian cloud and government infrastructure; patch status should be verified urgently.

The Hacker News

China-Linked VerdantBamboo Deploys BSD Variant of BRICKSTORM Backdoor

Volexity has attributed a new wave of cyber espionage activity to VerdantBamboo, a China-linked threat cluster that overlaps with groups Microsoft tracks as Clay Typhoon. The actor is deploying a BSD variant of the BRICKSTORM backdoor — previously seen only on Linux — alongside two additional malware families called PLENET and AGENTPSD on Linux appliances. The expansion to BSD systems is a significant operational escalation: it suggests the group is broadening its targeting to network appliances and specialised infrastructure that often run BSD-based operating systems. This fits the broader pattern of Chinese APT activity moving beyond Windows endpoints into the network edge — routers, firewalls, and VPN concentrators — where visibility is lowest.

The Hacker News

Apple Unveils Siri AI and Auto-Password Fixing at WWDC 2026

Apple's WWDC keynote delivered a substantive Siri overhaul — rebranded as 'Siri AI' — powered by a two-tier model architecture that includes Google's Gemini under the hood for heavier tasks. The headline security feature is an Apple Intelligence-powered capability that automatically detects compromised or weak passwords and rotates them in Safari without user intervention. It's genuinely useful and lowers the friction on one of the most stubborn security hygiene problems in consumer computing. The broader iOS 27 and macOS 27 Golden Gate updates also include expanded parental controls, AI-powered home camera analysis, and system-wide dictation. macOS 27 drops Intel Mac support entirely, drawing the curtain on Apple's x86 era. Australian iPhone and Mac users will see these updates roll out this northern-hemisphere autumn.

TechCrunch AI

Anthropic Calls for an Industry-Wide AI 'Pause' Mechanism

Anthropic has published a proposal asking AI labs to develop coordinated mechanisms that would allow a verifiable industry-wide pause in AI development if risks reach a defined threshold. The proposal includes the idea of letting labs verify that rivals have actually stopped or slowed — addressing the obvious problem that a unilateral pause just hands advantage to whoever keeps going. It's a more operationally serious proposal than most AI safety calls to action, though it faces a fundamental collective-action problem: it requires buy-in from competitors, including Chinese labs, who have no particular reason to agree. Australia's AI safety policy is still developing; the government's interim AI governance framework doesn't yet address frontier-model risk thresholds of this kind.

SecurityWeek

OpenAI Is Rethinking ChatGPT as a Gateway, Not a Destination

OpenAI is internally framing a major ChatGPT redesign around the idea that 'chat is dead' — meaning the simple back-and-forth text interface is a commodity, and the product's future lies in being a launchpad to higher-margin agentic products and services. The redesign is tied to pre-IPO positioning: OpenAI wants to demonstrate it can monetise beyond subscriptions. This fits the broader 'tokenpocalypse' trend we covered earlier this week — as inference costs rise, the business model needs to shift from volume to value-add. It's also a direct response to Apple's Siri AI announcement; OpenAI does not want to be the engine that powers someone else's interface.

Ars Technica

VS Code Adds Two-Hour Buffer on Extension Updates to Slow Supply Chain Attacks

Microsoft has quietly introduced a two-hour delay between when a VS Code extension is published and when it gets pushed to users via automatic updates. The idea is to create a window for detection: if a malicious update is caught in the first two hours after publication, it can be pulled before most users install it. It's a sensible, low-friction mitigation for the kind of supply chain attack where a legitimate extension is compromised and a bad update is pushed. It won't stop a determined attacker who can afford to wait, and it does nothing for users who manually update or install extensions outside the auto-update mechanism. But as a default-on safety net, it's a meaningful improvement.

The Hacker News

Australia's Home Affairs Is Having an Internal 'Conversation' About Adopting AI

The Department of Home Affairs has opened an internal discussion about adopting three categories of AI tools, according to iTnews, as the department's CIO also grapples with broader prioritisation challenges across its technology portfolio. Home Affairs sits at the sensitive intersection of immigration, border security, and national security data — making its AI adoption decisions particularly consequential from a privacy and algorithmic accountability standpoint. Australia's employment services sector is simultaneously submitting AI deployment plans to DEWR, with those plans facing scrutiny on privacy, cybersecurity, and automated decision-making grounds. The pattern across both stories: Australian government agencies are moving toward AI adoption faster than the policy frameworks governing that adoption are maturing.

iTnews

Europe Is Systematically Replacing American Tech — and It's Accelerating

WIRED has compiled a detailed timeline of European governments, public institutions, and corporations that are actively migrating away from US Big Tech platforms — covering cloud infrastructure, productivity software, and AI services. The drivers are a mix of post-Snowden sovereignty concerns, GDPR enforcement risk, and a sharper political edge following Trump-era trade tensions. The scale is striking: it's no longer fringe governments experimenting with open-source alternatives, it's mainstream procurement policy in multiple EU member states. For Australian technology policy, this is directly relevant: Australia faces similar digital sovereignty questions, and the European precedent is increasingly cited in domestic debates about cloud concentration risk and SOCI Act obligations for critical infrastructure.

WIRED Security
