
PyPI and npm Purge 73 Fake Azure Packages Targeting AI Agents

Security researchers discovered 73 malicious PyPI and npm packages mimicking Microsoft Azure libraries to install credential stealers on AI coding agents.

On June 8, 2026, security researchers identified a software supply chain attack targeting developers and AI agents via 73 malicious packages published to the Python Package Index and npm registries. The packages masqueraded as official Microsoft Azure libraries using typosquatted names like microsoft-azure-identity-core and azure-identity-auth-ext. Instead of providing authentication extensions, the libraries deployed a self-replicating credential stealer tracked as AutoSteal-26.

Payload Execution Mechanism

The malware is designed to execute immediately upon installation. It uses the postinstall script in npm and the setup.py file in PyPI to trigger the payload before a developer or agent ever imports the library into a project.

Once executed, AutoSteal-26 scans the host environment for sensitive data. It specifically targets the following locations:

Target Category         Specific Locations
Cloud Credentials       Local .azure and .aws folders
Environment Variables   Keys matching SECRET_KEY, API_TOKEN, or ACCESS_KEY
Browser Data            Stored cookies and saved passwords

The payload then uses any stolen GitHub or PyPI tokens to upload clones of itself to other public repositories where the compromised user has write access. This self-replication mechanism broadens the infection across the open-source ecosystem without requiring further intervention from the attacker.

Agentic Workflows as Attack Vectors

This attack exploits the autonomous nature of modern coding assistants, including platforms like GitHub Copilot Workspace, Devin, and OpenDevin. When these agents are tasked with resolving dependencies or fixing bugs, they routinely pull and install packages without human oversight. Threat actors are directly targeting these automated routines.

Because these systems are optimized for speed and autonomy, they reliably fall for typosquatting attacks that a human reviewer might catch during a manual audit. The Open Source Security Foundation noted that this marks a concerted effort to poison the dependency trees used by AI agents and large language models. This incident closely follows a similar supply chain attack in late May, establishing a clear pattern of adversaries exploiting automated development environments.

Mitigation and Response Efforts

The PyPI and npm security teams removed all 73 identified packages by the evening of June 8. Preliminary reports from security firm Snyk indicate the malicious libraries accumulated approximately 12,000 downloads before removal. These downloads were primarily driven by automated CI/CD pipelines and active coding agents rather than direct human interaction.

Microsoft issued an advisory on June 9 confirming that its official Azure SDK repositories remain uncompromised. The company advised developers to enforce “trusted publisher” verification in their package managers so that automated tools cannot pull unverified code into production codebases.

If you deploy autonomous coding assistants in your infrastructure, strictly scope the environment variables and file system permissions available to the agent sandbox. Restricting package managers to approved internal registries prevents tools from blindly accepting compromised public dependencies during routine task execution.
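One way to implement the registry restriction described above, as an added example that is not part of the original article: a pre-install gate for an agent sandbox that admits only an allowlist of official Azure SDK names and holds back brand lookalikes such as the two typosquats named in the article. The allowlist below is a constructed sample; a real deployment would source it from the organization's curated internal registry.

```python
"""Pre-install gate for an agent sandbox: admit only known-good package names."""
import re
from difflib import SequenceMatcher

# Constructed allowlist: official Azure SDK distributions this sandbox may install.
APPROVED = {"azure-identity", "azure-core", "azure-storage-blob", "azure-keyvault-secrets"}

# Brand tokens that only official packages should carry; anything else using them
# is treated as a lookalike and held for human review.
BRAND_TOKENS = ("azure", "microsoft")


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Azure_Identity' and 'azure-identity' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def classify(name: str) -> str:
    """Return 'approved', 'lookalike' or 'unknown' for a requested package name."""
    n = normalize(name)
    if n in APPROVED:
        return "approved"
    # Lookalike: an approved name with extra tokens bolted on, or a near match.
    for good in APPROVED:
        if good in n or SequenceMatcher(None, n, good).ratio() > 0.8:
            return "lookalike"
    if any(tok in n for tok in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def gate(requested):
    """Split a dependency request into installable names and rejections by verdict."""
    allowed, rejected = [], {}
    for name in requested:
        verdict = classify(name)
        if verdict == "approved":
            allowed.append(name)
        else:
            rejected[name] = verdict
    return allowed, rejected


if __name__ == "__main__":
    # Constructed request mixing one real SDK name with the two typosquats from the article.
    ok, bad = gate(["azure-core", "microsoft-azure-identity-core", "azure-identity-auth-ext"])
    print("install:", ok)
    print("blocked:", bad)
```

Pairing the gate with installs that skip lifecycle hooks (`npm install --ignore-scripts`, or wheels only via `pip install --only-binary=:all:`) also keeps the postinstall and setup.py triggers described earlier from running for anything that does slip through.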
