Applications 2026-06-12

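Alibaba releases gaokao college application AI Agent: stress-tested with 400,000 simulated candidates, open free of charge to 12.9 million gaokao candidates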

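Alibaba has launched an Agent dedicated to college applications that integrates the past three years of admissions data, employment trends by major, and institutional evaluations. It has passed a stress test with 400,000 AI-simulated candidates and is free for everyone to use starting today.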

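Attention, 12.9 million gaokao candidates! Alibaba has released a college application Agent, and it's free

Stress-tested beforehand with 400,000 AI-simulated candidates

By Heng Yu, reporting from Aofeisi
QbitAI (量子位) | WeChat official account QbitAI

Gaokao candidates still worrying about how to fill in their college applications? Use AI!

On June 10, Alibaba's Qwen (千问) released a gaokao college application Agent that offers free application advice to candidates nationwide. It is positioned as a college application expert, and its core capabilities are an application calendar, an application report, and application Q&A.

The Agent is reportedly built on a Qwen large model tuned specifically for gaokao college applications, combined with the data and experience that Quark has accumulated over eight years of gaokao services.

This is not the first time Qwen has used AI to get things done for users; earlier examples include instant retail, ride-hailing, and travel. But compared with ordering milk tea, hailing a ride, or booking a flight, this task clearly depends more on building trust with the user.

Wu Jia, vice president of Alibaba Group and president of the Qwen business unit, described to QbitAI Qwen's original motivation for doing this.

Behind this judgment is a very real supply-and-demand relationship. Only 5% of families have hired an offline application planner. College application advice should not be just a scarce commodity; it should be closer to a public service.

There are 12.9 million candidates nationwide this year. Each candidate needs to fill in about 50 choices on average, and in some provinces more than 100. They have to choose among thousands of universities and thousands of majors, with almost no chance to start over.

Good offline application planners have limited time and can serve only a limited number of people, and many families with too little information and too few resources also need this kind of help.

In Qwen's view, AI is naturally suited to this kind of problem: it can deliver experience and knowledge that used to be concentrated in a few hands to more people at lower cost.

Using an Agent to help fill in applications

Tools that assist with gaokao college applications are nothing new. In the most basic and most primitive version, you enter your score, elective subjects, and province, and get back a list of recommended schools and majors.

By contrast, Alibaba Qwen's college application Agent emphasizes the "full cycle". It covers everything, large and small, from the learning-and-preparation stage after the exam ends, through generating application recommendations once scores are out, to the check and review before submission.

When you enter the college application Agent from the Qwen app, the first thing you meet is its application calendar. This feature breaks what needs to be done over roughly 20 days into small milestones, with a little "task" each day to keep things moving: right after the exam, learn your province's application rules and key dates; before scores are released, build a candidate pool around your estimated score range; after scores are released, update the application plan according to your actual rank; before submitting, check the risks item by item and confirm the order of choices and your major preferences.

During this period, the Agent keeps refining the candidate's profile. It asks you all kinds of questions related to the application to learn more about your interests, target schools, city preferences, and even your MBTI.

If you are attached to home (or your parents are attached to you), the final advice from the Agent will lean toward schools that are closer to your home city and still meet your other needs.

It actively looks for problems. Once it finds that the chosen majors are too scattered, it reminds the user to narrow the direction, to avoid wasting points and opportunities.

Suppose a candidate scores 700 but insists on attending a school that does not match that score. The Agent will respect your wishes and give advice, while adding a reminder along the lines of "this wastes some of your score; why not also consider the xxx direction".

The college application Agent also asks follow-up questions on its own initiative. If you ask it to recommend a good university, it first clarifies from which angles you define a "good university".

This information is continuously recorded and remembered, so it does not have to be re-entered in later conversations.

To make the Agent more professional and more reliable, the algorithm team used AI to simulate a pool of candidates covering 400,000 combinations for stress testing. The model was tested from head to toe to see whether, under all kinds of normal and extreme inputs, it would give absurd recommendations or miss reach schools that a candidate should aim for.

After learning as much as it can about what you want, the Agent tailors an "application report" for the candidate. The report runs to roughly 15 to 40 A4 pages and includes application suggestions, interpretation of majors, risk analysis, employment directions, postgraduate study, and application combinations.

Compared with previous years, this year's report looks to the future. It places more emphasis on future development paths and adds data and advice on employment prospects, civil service and public-institution exams, further study, and development trends in the AI era.

And because it now has Agent capabilities, the report is no longer a one-off deal.

"After reading it, candidates can keep asking the Agent questions and give feedback on new ideas. The Agent will adjust on the basis of the original plan," Wu Jia told us.

According to officially disclosed figures, the knowledge base behind the college application Agent covers nearly 3,000 universities and more than 2,000 majors nationwide, and incorporates unstructured information such as major-transfer policies and evaluations by current students.

The whole orchestration system carries an independent memory engine. After the model completes its planning logic, it can autonomously call 49 fine-grained Skills tools for retrieval, rank conversion, and fetching employment data. After the tools return information, it automatically reviews and verifies the results, and the source of every piece of recommendation data can be traced and viewed.

These are gaokao applications, after all. Is it appropriate to let an Agent fill them in?

Honestly, on hearing that AI now recommends gaokao choices, those who have been through it may let out a long sigh: "We had nothing like this back then!"

But candidates and parents themselves will certainly have some reservations. The gaokao is such an important matter, a major milestone decision in life, and almost everyone treats it with the utmost care.

Hand it over to an Agent?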
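This is not the first time Alibaba has applied AI capabilities to gaokao college applications. Last year, Alibaba launched AI application reports through Quark, and 13 million copies were claimed. Taken together, Alibaba has been serving gaokao college applications for eight years.

Wu Jia said: "Based on today's Agent technology, we are able to help users directly produce the final goal."

Wu Jia believes that making the reasoning process easy to understand and aligning it with the user is the biggest difficulty Agents face today, and also the key to building trust.

After the team's refinement, the college application Agent now goes through a complete loop of planning, execution, observation, and reflection. In the gaokao scenario, for example, the model first understands the user's goal, then calls tools for schools, majors, employment, and so on to obtain real-time data, rechecks whether the plan is reasonable based on the results, asks the user further questions when necessary, and continues until a final recommendation is formed.

On the matter of AI hallucination, Wu Jia said that from the model's point of view, hallucination is hard to eliminate completely. But the college application Agent can significantly reduce the risk through a sense of boundaries. For example, if a province's score lines have not yet been published, a ChatBot may tend to generate an answer directly, whereas the Agent will tell the user explicitly that the data has not been released and that they need to wait for an update.

In other words, the team has given the college application Agent the ability to know what it can answer and what it cannot.

BTW, one point that lets more candidates use AI to help themselves in the AI era: the Qwen engineering team carried out dedicated optimization for older phone models and weak network environments, to keep the service stable in rural settings and for parents.

In addition, to support more candidates in counties and rural areas, Qwen will continue its gaokao "Nuanmang" (暖芒公益) charity program, providing application guidance to remote areas.

We hope more gaokao candidates, and more ordinary people like us, can get access to AI tools and put them to use, narrowing the information gap and helping themselves in every aspect of life.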


📎 Coverage from other sources

T1📰 Biz & IT - Ars Technica

Dozens of cryptographically verified open source packages from Microsoft were compromised late last week to add advanced credential-stealing code that was triggered when developers opened them in AI coding agents.

In all, [multiple](https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositories-disabled-after-supply-chain-attack-targeting-ai-coding-Agents) researchers [said](https://opensourcemalware.com/blog/miasma-reaches-azure), 73 packages were flagged as malicious when automated systems on GitHub blocked them on the platform. Rather than noting they are malicious—and that developers who used AI agents to work with them should assume their systems are compromised—the Microsoft-owned GitHub said it disabled the packages “due to a violation of GitHub’s terms of service.” The text went on to encourage the package owner to contact GitHub.

Devs: Assume compromise and proceed accordingly

It wasn’t until Monday that Microsoft even raised the possibility the packages were infected. In an email, the company stated: “We have temporarily removed some repositories as we investigate potential malicious content.”

The incident is the second supply-chain attack in as many months to breach an official Microsoft repository account. In mid-May, the firm StepSecurity [documented](https://www.stepsecurity.io/blog/microsofts-durabletask-pypi-package-compromised-in-supply-chain-attack) the compromise of Microsoft’s durabletask Python SDK on PyPI. The [package](https://learn.microsoft.com/en-us/azure/durable-task/common/what-is-durable-task) is a framework for building fault-tolerant workflows and orchestrations to automate distributed transactions and other workflows. It receives 400,000 downloads per month.

The compromised packages executed a 28 KB payload that steals credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations.
It then spreads laterally through cloud infrastructures to infect other developer machines. The attack, which has been linked to a threat actor tracked as TeamPCP, poisoned the durabletask package after compromising Microsoft credentials for publishing the package. The technique allows attackers to bypass the repository’s build pipeline entirely.

The malware used in the attack is tracked as Miasma. It’s essentially a clone of TeamPCP’s Mini Shai-Hulud toolkit, which the threat actor open-sourced recently. Security firm Cloudsmith [said](https://cloudsmith.com/blog/miasma-worms-path-of-destruction) the malware harvests OIDC (OpenID-Connect) token credentials that are used in SLSA (Supply-chain Levels for Software Artifacts) [provenance attestation](https://docs.github.com/en/actions/concepts/security/artifact-attestations), a method for providing cryptographically signed guarantees of a software’s integrity.

As was the case in the May compromise of Microsoft’s durabletask, the one last week made use of the functionality to steal a legitimate Microsoft OIDC token. It was also used in a separate supply-chain attack poisoning [dozens of Red Hat packages](https://arstechnica.com/security/2026/06/dozens-of-red-hat-packages-backdoored-through-its-offical-npm-channel/).


T1📰 MIT Technology Review

Google DeepMind is worried about what happens when millions of agents start to interact

The firm is calling for more scientists to study the risks of multi-agent systems.

Google DeepMind is [funding research](https://deepmind.google/blog/investing-in-multi-Agent-ai-safety-research/) into the potential dangers of situations where millions of different [AI agents](https://www.technologyreview.com/2026/04/21/1135654/Agent-orchestration-ai-artificial-intelligence/) interact with each other online.

According to Rohin Shah, who directs the company’s AGI safety and alignment research, the mass-market arrival of agents that can carry out tasks without human oversight and follow instructions given to them by other agents creates a [whole new class of risk](https://www.technologyreview.com/2025/06/12/1118189/ai-Agents-manus-control-autonomy-operator-openai/).

In an effort to address this, Google DeepMind—which made agent-based tools a [centerpiece of Google I/O last month](https://www.technologyreview.com/2026/05/22/1137813/google-i-o-showed-how-the-path-for-ai-science-is-shifting/)—has teamed up with several other organizations to announce a $10 million funding pot for researchers to study the behavior of multi-agent systems and come up with ways to prevent unsafe scenarios.

Joining Google DeepMind are Schmidt Sciences, a philanthropic foundation set up by Eric and Wendy Schmidt; ARIA, the [UK government’s moonshot agency](https://www.technologyreview.com/2026/01/20/1131462/the-uk-government-is-backing-ai-scientists-that-can-run-their-own-experiments/); the Cooperative AI foundation, a UK-based nonprofit research outfit; and Google’s charitable arm, Google.org.

I asked Shah and James Fox, who leads the Science of Trustworthy AI program at Schmidt Sciences, what they hope to achieve with that $10 million. It’s no small sum, but it’s dwarfed by the budgets commanded by Google DeepMind’s own research teams.
The aim is to kick-start research outside tech companies, says Shah: “The strength of academia is that it can look really quite far into the future and do the kind of work that isn’t top of mind at industry labs.”

“The main issue is that there just isn’t really a field of research for multi-agent safety yet,” he adds. “And we would like there to be.”

The concern is that as more and more AI agents get deployed and begin working together, we could hit a tipping point where imagined scenarios become real. “We see this with humanity, too,” says Shah. “Our institutions can accomplish things that no individual human can.”

Shah thinks we have a few more months to go before agents are deployed throughout the economy in numbers that make potential risks a real concern. He wants to get ahead of that moment.

Risky business

What risks are we talking about, exactly? The possibilities that Shah and Fox have in mind mostly boil down to supercharged versions of bad things that happen on the internet already: scams, prompt injections (where an AI agent is fed malicious instructions, turning it into a self-guiding piece of malware), other forms of cyberattack. We look at what humans do now and ask what the agent version of that would be, says Shah.

“We’ve got this digital commons that is integral to how society works, and you really want to ensure that this doesn’t descend into just absolute anarchy,” says Fox.

(I asked Shah if they were considering any worst-case scenarios more on the doomer end of the spectrum, such as widespread economic collapse. “Certainly not if we’re talking by the end of the year,” he said. That’s only six months away! He laughed. “Okay, a while after that.”)

Shah and Fox both think that the only way to understand what might happen when large numbers of multi-agent systems interact with each other is to run realistic simulations. They want researchers to drop AI agents into sandboxes and study what they do.
You can’t predict what’s going to happen by studying single agents, or even small groups of agents, in isolation. You can’t assume that AI agents underpinned by LLMs will always act rationally, says Fox. And the complexity comes from having huge numbers of interactions at once.

Some researchers, including a [team at Google DeepMind](https://arxiv.org/pdf/2512.16856), have argued that [artificial general intelligence](https://www.technologyreview.com/2024/07/10/1094475/what-is-artificial-intelligence-ai-definitive-guide/) ([if possible at all](https://www.technologyreview.com/2025/10/30/1127057/agi-conspiracy-theory-artifcial-general-intelligence/)) could come not from a single super-smart model but from a kind of agent hive mind, where the capabilities of the whole add up to more than the sum of its parts.

Lack of trust

Google DeepMind is not the only top AI firm warning about the risks of the technology it is building. A couple of weeks ago, Anthropic published [guidelines for deploying AI agents](https://claude.com/blog/zero-trust-for-ai-Agents) based on an approach to cybersecurity known as zero trust, which starts with the assumption that a computer system is vulnerable, an agent is an attacker, and a breach will happen.

Refael Angel, cofounder and CTO of Akeyless, a cybersecurity firm based in Tel Aviv, agrees that understanding the new risks introduced by agent-based systems is crucial. Every approach to security in the past has assumed that the machine in question was software written by a human, doing fixed things on fixed paths, says Angel: “An agent breaks all of those assumptions. It reasons, it improvises, and it can be hijacked by a single sentence buried in a document it was asked to read.”

Angel welcomes this new funding. “No single lab should author the safety standards everyone else has to trust,” he says. But he cautions that safety researchers can overlook boring problems that are already here in favor of more exotic hypothetical ones.
And yet, Fox notes, risks that were hypothetical a few years ago are now very real: “The future’s come more quickly than perhaps expected.”