Microsoft carries two distinct risk threads this week. The Miasma/Hades supply chain worm has trojanized the Azure/durabletask SDK (versions 1.4.1-1.4.3) and 19 PyPI packages, harvesting cloud credentials from developer environments when affected repositories are opened in AI coding agents. Separately, CVE-2026-44631 is a critical heap underflow (CVSS 9.4) in the Apache HTTP Server package built for Microsoft Azure Linux 3.0 (azl3 httpd 2.4.67-1), disclosed in the June 2026 Patch Tuesday cycle. The supply chain campaign is the higher-priority item due to confirmed credential theft and the absence of a patched durabletask version as of June 2026.