Twice in as many weeks, attackers have planted credential-stealing malware inside Microsoft's package repositories. The latest batch: 73 packages, each built to run a self-replicating stealer the instant an AI agent opens them. Ars Technica reported the discovery on June 8.
A credential stealer is malware that extracts saved passwords, API keys, session tokens, and other authentication data from a machine. The self-replicating piece means it doesn't grab credentials once and stop - it copies itself into other locations or packages, creating persistence. What separates this attack from ordinary supply chain poisoning is the trigger: these packages don't wait for a developer to manually install and run them. They activate the moment an AI agent opens the package.
Why the AI Agent Trigger Changes the Game
AI coding agents - tools like Claude Code, Cursor, and similar products that can browse repositories, install dependencies, and execute code autonomously - have opened an attack surface that most security teams haven't fully addressed. Give an agent a task like "set up a Node.js project" and it might install fifteen packages without you reviewing a single one. Agents work at machine speed, don't read READMEs the way developers do, and typically hold broad file system and network permissions.
Traditional supply chain security assumes a human somewhere in the loop might notice something odd. That assumption falls apart when an agent is handling package management. An agent that installs a malicious package can execute the stealer payload before any person has seen the package name.
Designing the trigger around AI agent access rather than manual developer interaction is a deliberate choice. These attackers know who - or what - they're targeting.
A Campaign, Not an Incident
The "second time in weeks" detail matters most here. A single incident is a probe. Two incidents in quick succession, with the second arriving after the first was presumably discovered and removed, points to a repeatable playbook. Removal doesn't stop them; they replant.
For teams running AI agents in any environment that stores credentials - which covers most development setups - the practical response is clear: use allowlists to restrict which packages agents can install autonomously, run agents in sandboxed environments that can't reach credential stores, and apply the same review process to agent-installed packages as to any other third-party dependency.
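One way to implement the allowlist part of that advice is a policy gate the agent's install tooling consults before fetching anything. The code below is an added example, not code from the article or from any vendor mentioned in it; it assumes npm-style package.json manifests, and the allowlist and sample manifests are constructed for illustration.

```javascript
// Policy gate for packages an AI agent proposes to install.
// Assumption: candidates are described by npm-style package.json manifests.

// Constructed allowlist: package name -> set of exact versions a human approved.
const ALLOWLIST = new Map([
  ['express', new Set(['4.19.2'])],
  ['lodash', new Set(['4.17.21'])],
]);

// npm lifecycle hooks that execute arbitrary code during installation.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Check a single candidate manifest against the allowlist and return a
// decision plus human-readable reasons for every refusal.
function checkPackage(manifest, allowlist = ALLOWLIST) {
  const reasons = [];
  const { name, version, scripts = {} } = manifest;
  const approvedVersions = allowlist.get(name);
  if (!approvedVersions) {
    reasons.push(`${name} is not on the allowlist`);
  } else if (!approvedVersions.has(version)) {
    reasons.push(`${name}@${version} is not an approved version`);
  }
  // Even an allowlisted name is refused if this build declares install-time
  // scripts, so a hijacked release cannot run code just by being installed.
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) {
      reasons.push(`${name} declares a ${hook} script: ${scripts[hook]}`);
    }
  }
  return { allowed: reasons.length === 0, reasons };
}

// Gate a whole proposed dependency set: the agent may proceed only if every
// candidate passes; otherwise the reasons are surfaced for human review.
function gateInstall(manifests, allowlist = ALLOWLIST) {
  const results = manifests.map((m) => ({ name: m.name, ...checkPackage(m, allowlist) }));
  return { allowed: results.every((r) => r.allowed), results };
}

// Constructed sample manifests an agent might propose.
const SAMPLE_MANIFESTS = [
  { name: 'express', version: '4.19.2', scripts: { test: 'mocha' } },
  { name: 'lodash', version: '4.17.21' },
  { name: 'unvetted-helper', version: '1.0.0', scripts: { postinstall: 'node setup.js' } },
];

console.log(JSON.stringify(gateInstall(SAMPLE_MANIFESTS), null, 2));
```

The gate refuses the whole set because of the third manifest, which is both unlisted and carries a postinstall script; a reviewer sees both reasons rather than a bare rejection.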
The Microsoft package ecosystem has become a viable attack vector specifically because of AI agents. Security practices built for human-reviewed installs now have a gap, and that gap is being actively exploited.