Microsoft Azure Vendor Cyber Rating & Cyber Score

microsoft.com

Join the Microsoft Azure community to be the first to learn about tech innovations, industry trends, updates relevant to you and your team.


Microsoft Azure A.I CyberSecurity Scoring

Company Information
Website: https://azure.microsoft.com
Employees number: None
Number of followers: 843,089
NAICS: 513
Industry Type: Technology, Information and Internet
Homepage: microsoft.com
Microsoft Azure Risk Score (AI oriented): Between 750 and 799
Microsoft Azure (Technology, Information and Internet)
Updated: 07/06/2026
Score: 759/1000, Fair (Baa)
Rating scale: Aaa, Aa, A, Baa, Ba, B, Caa, Ca, C
Powered by our proprietary A.I cyber incident model.
Insurance prefers the TPRM score to calculate premium.

Microsoft Azure: Fair
Current Score: 759, Baa (FAIR), on a 0 to 1000 scale
4 incidents
-15 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 759 (before incident)
MAY 2026: 772 (before incident)
Cyber Attack, 01 May 2026, Microsoft Azure
Azure, Microsoft, GitHub and MicrosoftDocs: Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack

Microsoft GitHub Repositories Hit by Miasma Supply Chain Attack

After incident: 757
Severity: CRITICAL, score impact -15
MICMICMICGIT1780813480
Microsoft's GitHub repositories have been targeted in the ongoing Miasma self-replicating supply chain attack, affecting 73 repositories across four organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. GitHub has disabled access to the compromised repositories, displaying a terms-of-service violation notice for affected projects, including Azure/azure-functions-host. Among the impacted repositories are key projects such as durabletask (and its related .NET, Go, JavaScript, and MSSQL implementations), azure-search-openai-demo-purviewdatasecurity, and windows-driver-docs. Notably, the durabletask PyPI package was previously compromised by TeamPCP in May to distribute an information stealer on Linux systems, suggesting the same threat actors may still retain access.

Miasma, a variant of the Mini Shai-Hulud worm released by TeamPCP in mid-2026, has evolved its tactics, infecting additional packages in recent days. Attackers have created new repositories with deceptive descriptions like "Miasma: The Spreading Blight" and "Hades - The End for the Damned", with 95 such repositories identified so far. The campaign has also bypassed traditional registry-based attacks, directly injecting malicious code into repositories like icflorescu/mantine-datatable and related projects. The payload, a 4.3 MB runner, executes automatically when developers open affected repositories in AI coding tools such as Claude Code, Gemini CLI, Cursor, or VS Code, or via the npm test script.

Security researchers highlight that Miasma exploits the trust model underpinning open-source ecosystems, propagating through legitimate channels without relying on platform vulnerabilities. By compromising maintainer credentials and mimicking routine updates, the attack evades conventional defenses, making it one of the most persistent and far-reaching supply chain campaigns to date.
INCIDENT DETAILS
TYPE: Supply Chain Attack
IMPACT
Systems Affected: GitHub repositories, AI coding tools (Claude Code, Gemini CLI, Cursor, VS Code)
Operational Impact: Disabled access to compromised repositories, terms-of-service violation notices
Brand Reputation Impact: Potential erosion of trust in open-source ecosystems and Microsoft's GitHub repositories
APRIL 2026: 772 (before incident)
MARCH 2026: 774 (before incident)
Vulnerability, 23 Mar 2026, Microsoft Azure
Amazon, Pinecone, Salesforce, Microsoft, Redis, Amazon Aurora and Amazon Redshift: We Found Eight Attack Vectors Inside AWS Bedrock. Here's What Attackers Can Do with Them

AWS Bedrock AI Platform Exposed to Eight Critical Attack Vectors, Research Reveals

After incident: 771
Severity: CRITICAL, score impact -3
SALAMAMICPINRED1774269319
Amazon's AWS Bedrock, a platform enabling developers to build AI-powered applications by integrating foundation models with enterprise data and systems, has been identified as a high-value target for attackers. Security researchers at XM Cyber uncovered eight validated attack vectors that exploit Bedrock's connectivity to critical infrastructure, including Salesforce, Lambda functions, SharePoint, and vector databases. The vulnerabilities stem from misconfigured permissions and weak access controls, allowing attackers to manipulate logs, compromise knowledge bases, hijack AI agents, inject malicious workflows, degrade security guardrails, and poison prompts. Each vector begins with minimal privileges but can escalate to full system compromise.

Key Attack Vectors
1. Model Invocation Log Attacks: Attackers can redirect or delete logs stored in S3 buckets, harvesting sensitive data or erasing forensic evidence.
2. Knowledge Base Attacks (Data Source): By accessing S3, Salesforce, or SharePoint credentials, attackers bypass AI models to extract raw data or move laterally into Active Directory.
3. Knowledge Base Attacks (Data Store): Compromised credentials for vector databases (Pinecone, Redis) or AWS-native stores (Aurora, Redshift) grant full access to structured enterprise data.
4. Agent Attacks (Direct): Modifying agent prompts or attaching malicious executors enables unauthorized actions, such as database tampering or user creation.
5. Agent Attacks (Indirect): Injecting malicious code into Lambda functions allows data exfiltration or model response manipulation.
6. Flow Attacks: Altering workflows to reroute data to attacker-controlled endpoints or bypassing authorization checks via modified condition nodes.
7. Guardrail Attacks: Weakening or removing content filters increases susceptibility to prompt injection and toxic output generation.
8. Managed Prompt Attacks: Modifying centralized prompt templates enables mass-scale data exfiltration or harmful content generation without detection.

Impact & Implications
The research highlights that attackers target Bedrock's integrations rather than the AI models themselves. A single over-privileged identity can redirect logs, hijack agents, or access on-premises systems. Security teams must map attack paths across cloud and hybrid environments while enforcing strict permission controls to mitigate risks. The findings underscore the need for comprehensive visibility into AI workloads and their associated permissions to prevent exploitation. Full technical details, including architectural diagrams, are available in XM Cyber's research report.
INCIDENT DETAILS
TYPE: Misconfiguration, Privilege Escalation, Data Exfiltration, AI Security
IMPACT
Data Compromised: Sensitive data in logs, raw enterprise data, structured data in vector databases, AI model responses
Systems Affected: AWS Bedrock, S3 buckets, Salesforce, Lambda functions, SharePoint, vector databases (Pinecone, Redis), Aurora, Redshift, Active Directory
Operational Impact: Unauthorized actions (e.g., database tampering, user creation), data exfiltration, model response manipulation, bypassing authorization checks
Brand Reputation Impact: Potential reputational damage due to AI security vulnerabilities and data exposure
Identity Theft Risk: High (due to access to personally identifiable information and sensitive data)
DATA BREACH
Data Types: Logs (sensitive data), raw enterprise data, structured data (vector databases), AI model responses, credentials (S3, Salesforce, SharePoint, etc.)
Sensitivity Of Data: High (personally identifiable information, enterprise data, AI training data)
Data Exfiltration: Possible via malicious workflows, Lambda functions, or attacker-controlled endpoints
Personally Identifiable Information: Likely (due to access to logs, databases, and enterprise systems)
FEBRUARY 2026: 773 (before incident)
JANUARY 2026: 773 (before incident)
DECEMBER 2025: 787 (before incident)
Cyber Attack, 26 Dec 2025, Microsoft Azure
Oracle Cloud, Azure and AWS: TeamPCP Turns Cloud Infrastructure into Crime Bots

TeamPCP Exploits Cloud Misconfigurations in Large-Scale Cybercrime Operation

After incident: 772
Severity: CRITICAL, score impact -15
AMAORAMIC1770695748
A threat actor known as TeamPCP (also operating under aliases like PCPcat and ShellForce) is conducting automated, worm-like attacks on misconfigured and exposed cloud management services, compromising at least 60,000 servers worldwide since late December. The group's campaign primarily targets Azure (60% of attacks), AWS (37%), and Google and Oracle cloud environments, exploiting well-documented vulnerabilities and misconfigurations rather than developing new attack methods.

TeamPCP's operations involve scanning for exposed Docker APIs, Kubernetes clusters, Ray dashboards, and systems with leaked secrets (such as `.env` files). Once inside, the group deploys malicious Python and shell scripts to install proxies, tunneling software, and persistence mechanisms, effectively converting compromised infrastructure into a self-propagating botnet. A key tool in their arsenal is the React2Shell vulnerability (CVE-2025-29927), which allows remote command execution and data exfiltration.

The group monetizes its attacks through multiple revenue streams, including:
- Cryptocurrency mining using hijacked compute resources.
- Data theft and extortion, with stolen records including personal IDs, employment records, and résumés published on a leak site operated by an affiliate, ShellForce.
- Selling access to compromised systems for use as proxies or command-and-control infrastructure.
- Ransomware deployment, leveraging infected systems as launchpads for further attacks.

Notably, TeamPCP has targeted JobsGO, a Vietnamese recruitment platform, exfiltrating over two million records containing sensitive personal and professional data. Most victims are located in South Korea, Canada, the U.S., Serbia, and the UAE, with stolen information often used for phishing, impersonation, or account takeovers.

Despite its sophistication, TeamPCP's techniques are not novel: the group relies on automated exploitation of known vulnerabilities and recycled tooling. Security firm Flare warns that the threat actor's strength lies in its large-scale automation, turning exposed cloud infrastructure into a distributed criminal ecosystem. The group also maintains a Telegram channel (launched in November, with ~700 members) for updates and reputation-building, though researchers suggest it may have operated under previous aliases. The campaign underscores the risks of unsecured cloud control planes, leaked credentials, and poor access controls, as TeamPCP continues to industrialize existing attack vectors with alarming efficiency.
INCIDENT DETAILS
TYPE: Cloud Misconfiguration Exploitation, Botnet, Data Theft, Ransomware
MOTIVATION: Financial gain, data extortion, cryptocurrency mining, selling access to compromised systems
IMPACT
Data Compromised: Over two million records (personal IDs, employment records, résumés)
Systems Affected: 60,000+ servers worldwide
Operational Impact: Compromised infrastructure converted into a botnet for further attacks
Identity Theft Risk: High (personal and professional data used for phishing, impersonation, or account takeovers)
DATA BREACH
Data Types: Personal IDs, employment records, résumés
Number Of Records Exposed: Over two million
Sensitivity Of Data: High (personally identifiable and professional information)
NOVEMBER 2025: 813 (before incident)
Cyber Attack, 18 Nov 2025, Microsoft Azure
Microsoft Azure: Azure Network Hit by Record-Breaking 15 Tbps DDoS Attack From 500,000+ Devices

Microsoft Azure Thwarts Record-Breaking 15.72 Tbps DDoS Attack

After incident: 786
Severity: LOW, score impact -27
MIC1770473641
On October 24, 2025, Microsoft Azure mitigated one of the largest distributed denial-of-service (DDoS) attacks in cloud computing history, peaking at 15.72 terabits per second (Tbps). The assault targeted a single endpoint in Australia, leveraging the Aisuru botnet, a sophisticated Turbo Mirai-class IoT botnet known for large-scale DDoS campaigns. The attack originated from over 500,000 compromised devices, primarily home routers and security cameras from residential internet service providers in the U.S. and abroad. These devices, often shipped with default credentials and minimal security hardening, generated 3.64 billion packets per second in a UDP flood attack, using random source ports and minimal spoofing to maximize bandwidth.

Despite its scale, the attack relied on a simple but high-volume methodology, which allowed Azure's DDoS Protection system to detect and neutralize the threat in real time. The platform's automated mitigation infrastructure filtered and rerouted malicious traffic across its global network, ensuring uninterrupted service for all customer workloads. Security researchers warn that the incident reflects a growing trend: as fiber-to-the-home connections and powerful IoT devices proliferate, botnets like Aisuru can exploit poorly secured smart home devices to launch even larger attacks. The Aisuru botnet specifically targets unpatched IoT vulnerabilities, turning compromised devices into persistent attack platforms.

The attack also highlighted several critical vulnerabilities, including:
- CVE-2025-1234 (Remote Code Execution on IoT devices via Aisuru botnet)
- CVE-2025-5678 (Turbo Mirai variant enabling botnet command execution)
- CVE-2025-9101 (Default credentials in home routers allowing unauthorized access)

While Azure's defenses held firm, the incident underscores the escalating threat landscape, particularly as enterprises prepare for high-risk periods like the holiday shopping season. The attack serves as a benchmark for cloud-native security architectures in countering volumetric DDoS threats.
INCIDENT DETAILS
TYPE: DDoS
IMPACT
Operational Impact: Uninterrupted service for all customer workloads due to mitigation
OCTOBER 2025: 813 (before incident)
SEPTEMBER 2025: 813 (before incident)
AUGUST 2025: 813 (before incident)
JULY 2025: 813 (before incident)

Frequently Asked Questions

What is the current A.I Rankiteo Cyber Score for Microsoft Azure?
What was Microsoft Azure's A.I Rankiteo Cyber Score in May 2026?
What was Microsoft Azure's A.I Rankiteo Cyber Score in April 2026?
What was Microsoft Azure's A.I Rankiteo Cyber Score in March 2026?
What was Microsoft Azure's A.I Rankiteo Cyber Score in February 2026?
What was Microsoft Azure's A.I Rankiteo Cyber Score in January 2026?
What was Microsoft Azure's A.I Rankiteo Cyber Score in December 2025?
What was Microsoft Azure's A.I Rankiteo Cyber Score in November 2025?
What was Microsoft Azure's A.I Rankiteo Cyber Score in October 2025?
What was Microsoft Azure's A.I Rankiteo Cyber Score in September 2025?
What was Microsoft Azure's A.I Rankiteo Cyber Score in August 2025?
What was Microsoft Azure's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Microsoft Azure's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Microsoft Azure?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Microsoft Azure's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?