
Miasma Supply Chain Worm Burrows Into 73 Microsoft Repositories

A variant of the infamous Shai-Hulud worm wreaked havoc on Microsoft's code repositories, triggering disruptions to CI/CD workflows and heightening concerns about increasing software supply chain threats.

The attacks, which unfolded June 5, were first reported by Open Source Malware, an online collaboration platform for security researchers. In less than two minutes, 73 of Microsoft's GitHub repositories, primarily in the company's Azure organization, were taken offline in an automated sweep for terms of service violations.

The response broke CI/CD pipelines around the globe for organizations that used any of the affected GitHub Actions. The most notable example was Azure/functions-action, the GitHub Action for deploying Azure Functions.

"[Azure/]functions-action isn't a library you can pin around — it's the action that runs inside other people's pipelines," Open Source Malware noted in its June 5 blog post. "When GitHub disabled it (and functions-container-action alongside it), every workflow on Earth that references Azure/functions-action@v1 stopped resolving."

StepSecurity published research the same day, confirming Open Source Malware's findings and connecting the attacks to Miasma, a variant of the Mini Shai-Hulud worm. Miasma was spotted earlier this month in a series of attacks against Red Hat npm packages.

More interestingly, StepSecurity connected the Miasma worm attacks to a previous compromise of a Microsoft PyPI package last month, raising questions about the software giant's response to that incident.

Two Miasma Worm Attacks Against Microsoft

Three poisoned versions of Microsoft's official durabletask Python SDK were published to PyPI on May 19. The compromised package, which is typically downloaded 400,000 times per month, was online for approximately 35 minutes before Microsoft took it down.

In a blog post published that same day, Ashish Kurmi, chief technology officer (CTO) and co-founder of StepSecurity, noted the poisoned versions were "particularly dangerous" because they contained a modular cloud intrusion framework called "rope.pyz" that steals secrets and credentials and can also deploy a destructive wiper in some regions.
