TL;DR

This week’s security updates include Microsoft fixing a GitHub token exploit, a vulnerability involving TP-Link device domains, new OpenSSL bugs, and the return of researcher NightmareEclipse. These developments highlight ongoing risks in supply chains, device security, and open-source vulnerabilities.

Microsoft’s open source repositories on GitHub were automatically disabled after being compromised by the Miasma worm, affecting over 70 repositories, including many related to Azure. Simultaneously, Microsoft addressed a critical GitHub token theft bug, and other vulnerabilities emerged involving TP-Link devices, OpenSSL, and a notable security researcher’s return.

On Tuesday, OpenSourceMalware reported that GitHub’s automated security system flagged and disabled 73 Microsoft-related repositories within minutes after they were compromised by the Miasma worm. The infection centered on the Microsoft Durabletask package, previously compromised in May, which was used to push infected packages to PyPI, potentially stealing credentials from infected environments.

In addition, Microsoft fixed a significant bug in GitHub’s embedded web-based VSCode editor, discovered by Ammar Askar, which could have allowed malicious actors to exfiltrate user authentication tokens by manipulating the sandboxed environment into installing malicious extensions. This fix was issued shortly after the vulnerability was disclosed.

Separately, Julian B identified an unregistered domain in TP-Link firmware that devices checked in with, revealing traffic to an abandoned server. After reporting the issue, Julian registered the domain, preventing potential misuse. The security implications of this unregistered domain remain unclear, but it underscores the risks associated with unclaimed internet resources in device firmware.

OpenSSL announced new vulnerabilities, including a high-severity use-after-free bug affecting PKCS7 handling, which could allow attackers to execute arbitrary code. While most applications are unlikely to be impacted directly, the advisory urges prompt updates to mitigate risks.

Meanwhile, researcher NightmareEclipse, known for releasing advanced Windows exploits, reappeared as MSNightmare, releasing new vulnerabilities such as RoguePlanet, which exploits race conditions in Windows Defender, and a BitLocker bypass called GreatXML. Microsoft’s initial response threatened criminal investigations, but the researcher’s return highlights ongoing tensions around vulnerability disclosure and responsible research.

Implications of Recent Security Flaws and Disclosures

The series of security incidents this week underscores the persistent risks in software supply chains, device firmware, and open-source libraries. The Microsoft GitHub repository compromise illustrates ongoing threats from malware that can rapidly disable critical development infrastructure, while the GitHub token vulnerability highlights the importance of securing developer tools against exploitation.

Furthermore, the TP-Link domain issue reveals vulnerabilities in IoT device firmware that could be exploited if unaddressed, and the OpenSSL bugs pose a potential risk to applications relying on cryptographic functions. The return of NightmareEclipse demonstrates the ongoing challenge of balancing security research, responsible disclosure, and corporate responses, which can influence trust and collaboration in the cybersecurity community.


Recent Trends in Supply Chain and Vulnerability Disclosure

Supply chain attacks have become increasingly sophisticated, with recent incidents involving malware like Miasma targeting major cloud and open-source repositories. Microsoft’s own open-source projects have been repeatedly targeted, reflecting the importance of securing development pipelines.

In parallel, the cybersecurity community continues to grapple with the ethics and policies surrounding vulnerability disclosure. The return of NightmareEclipse after Microsoft’s initial threats signals ongoing tensions between researchers and corporations, with the broader industry pushing for responsible disclosure frameworks and better collaboration.

Device firmware security remains a concern, as seen in the TP-Link case, where unregistered domains could be exploited in malicious scenarios. Meanwhile, vulnerabilities in widely used cryptographic libraries like OpenSSL remind organizations to prioritize timely updates and patch management.

“The infected repositories were disabled within minutes, but the damage underscores the fragility of supply chain security.”

— OpenSourceMalware


Unresolved Questions About the Security Incidents

It is still unclear how widespread the impact of the compromised repositories was beyond the immediate GitHub disables, and whether any sensitive data was exfiltrated during the attack. The full extent of the TP-Link domain’s risk remains unknown, as does the potential for malicious actors to exploit unclaimed domains in device firmware. Regarding the OpenSSL vulnerabilities, some affected applications may have already been patched, but confirmation is pending from affected vendors. The long-term implications of NightmareEclipse’s return and the effectiveness of Microsoft’s response are also still developing, with ongoing industry debate about responsible disclosure practices.


Next Steps for Organizations and Researchers

Organizations should review their dependency management and supply chain security measures, especially for open-source packages like Microsoft’s Durabletask. Developers are advised to update affected libraries and tools promptly. Companies relying on TP-Link devices should assess their firmware configurations and consider domain monitoring or registration to prevent exploitation.

Security teams should monitor for updates related to OpenSSL vulnerabilities and apply patches as soon as possible. Researchers and vendors should continue to engage in transparent, responsible vulnerability disclosures, balancing security improvements with collaboration. Microsoft and other companies are likely to review their policies regarding external research to prevent further conflicts and foster a more cooperative security environment.
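The "domain monitoring" step suggested for TP-Link-style check-in endpoints can be approximated by pulling hostnames out of a firmware image's strings and checking which ones no longer resolve. The following is an added example, not code from Hackaday, TP-Link, or the researcher; the strings dump, the vendor allowlist, and every hostname in it are constructed placeholders under the reserved `.invalid` TLD, and the offline stub resolver stands in for real DNS so the example runs without network access.

```python
"""Find check-in hostnames embedded in a firmware image and flag names that
no longer resolve, the pattern behind the TP-Link case described above.

Added example, not code from Hackaday, TP-Link or the researcher. The
strings dump and every hostname in it are constructed placeholders under
the reserved .invalid TLD; the live resolver is real, the stub is for
offline use."""
import re
import socket
from typing import Callable, Dict, List, Set

# Constructed sample of `strings firmware.bin` output (placeholder names).
SAMPLE_STRINGS = """\
GET /api/check_firmware HTTP/1.1
Host: fw-update.example-vendor.invalid
https://cloud.example-vendor.invalid/register
ntp.pool.example.invalid
Connection: keep-alive
http://192.0.2.10/legacy
https://telemetry.thirdparty.invalid/v1/ping
"""

# Names the vendor is known to own (constructed allowlist for the example).
VENDOR_DOMAINS: Set[str] = {"example-vendor.invalid"}

# DNS-shaped labels ending in an alphabetic TLD; IP literals are excluded.
HOST_RE = re.compile(
    r"\b((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})\b", re.I
)


def extract_hostnames(dump: str) -> List[str]:
    """Unique hostnames from a strings dump, lower-cased, in first-seen order."""
    found: List[str] = []
    for match in HOST_RE.finditer(dump):
        host = match.group(1).lower()
        if host not in found:
            found.append(host)
    return found


def resolves(host: str) -> bool:
    """Live DNS lookup: True if the name currently has any address record."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def offline_stub_resolver(host: str) -> bool:
    """Stand-in for DNS in the sample run: only the cloud endpoint still exists."""
    return host == "cloud.example-vendor.invalid"


def owned_by_vendor(host: str, vendor_domains: Set[str]) -> bool:
    """True if host is one of the vendor's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in vendor_domains)


def triage(dump: str, vendor_domains: Set[str],
           resolver: Callable[[str], bool] = resolves) -> Dict[str, str]:
    """Classify each embedded hostname for follow-up.

    'ok'                     vendor-owned and resolving
    'vendor-name-lapsed'     vendor-owned but no longer resolves: the name may be
                             unregistered and claimable by anyone (the TP-Link case)
    'third-party-live'       not vendor-owned, resolves: review what the device sends
    'third-party-unresolved' not vendor-owned and dead: same exposure as lapsed
    """
    report: Dict[str, str] = {}
    for host in extract_hostnames(dump):
        owned = owned_by_vendor(host, vendor_domains)
        live = resolver(host)
        if owned:
            report[host] = "ok" if live else "vendor-name-lapsed"
        else:
            report[host] = "third-party-live" if live else "third-party-unresolved"
    return report


if __name__ == "__main__":
    for host, status in triage(SAMPLE_STRINGS, VENDOR_DOMAINS,
                               offline_stub_resolver).items():
        print(f"{status:24} {host}")
```

Run against a real image with `strings firmware.bin | python3 triage.py`-style plumbing and the default `resolves` resolver, then register or re-point anything reported as `vendor-name-lapsed`. One caveat: a name that fails to resolve is not necessarily unregistered (a registered domain with no records also fails), so confirm with a WHOIS or RDAP lookup before concluding that a name is claimable.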


Key Questions

How serious was the Microsoft GitHub repository compromise?

The compromise affected over 70 repositories, including critical Azure packages, and was quickly contained by GitHub’s automated system. The main concern is the potential for stolen credentials and further malware spread, but no confirmed data exfiltration has been reported.

What are the risks of unregistered domains in IoT device firmware?

Unregistered domains can be hijacked or exploited by malicious actors, leading to data interception, command injection, or device control. In this case, the TP-Link devices checked in with an abandoned server, but the full threat potential remains unclear.

Should I update my OpenSSL libraries now?

Yes. The vulnerabilities are high-severity, especially the use-after-free bug affecting PKCS7 handling. Vendors and developers should update to the latest versions as soon as possible to mitigate risks.

Why is the return of NightmareEclipse significant?

The researcher’s return with new exploits highlights ongoing challenges in vulnerability disclosure, especially when companies threaten legal action. It underscores the need for responsible disclosure frameworks and better industry cooperation.

Source: Hackaday

