Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues
Microsoft on Monday confirmed that it has temporarily removed some of its GitHub repositories due to a recent security incident that resulted in 73 of its projects being compromised for a hacker to install the code.
“Our priority is protecting customers and the broader ecosystem,” a Microsoft spokesperson told The Hacker News via email. “We have temporarily removed some collections as we investigate potentially malicious content. Some of these sites have been restored after review, while others may remain offline while work continues.”
“As part of our investigation, we have notified a small number of customers who may have withdrawn content from the affected repositories. We will continue to investigate, and if anything else is identified that requires customer action, we will reach out directly through our established support channels.”
The development comes days after the Windows maker cut off access to many of its open source projects hosted on GitHub following reports that they were compromised as part of an ongoing software hacking campaign called Miasma.
Among the infected projects is “durabletask,” a Python package that was first compromised last month by a hacking group known as TeamPCP to deliver a hack designed for Linux systems.
Further analysis of Miasma payloads embedded in projects has revealed the potential to trigger automated code execution when an unsuspecting developer opens a repository with an artificial intelligence (AI)-enabled coding tool or integrated development environment (IDE).
The findings are the latest in an ongoing campaign by a software supply chain that has breached widely used open source packages to plant malware that can spread to downstream users and beyond.
This includes a new wave of PyPI tied to the broader Mini Shai-Hulud, Miasma, and Hades waves, which include an additional set of 23 packages, including bioinformatics-related libraries used in graph reading, patient phenotyping, phenopacket tooling, and scientific workflow.
Other packages include a set of AI-themed packages and Model Context Protocol (MCP) and typing-style packages such as rsquests, tlask, and rlask that make requests with flask, and langchain-core-mcp. The complete list of legal packages and bait is below –
- dreamgen 1.8.1
- embiggen 0.11.97
- ensmallen 0.8.101
- gpsea 0.9.14
- instructor-mcp 1.15.2, 1.15.3
- langchain-core-mcp 1.4.2, 1.4.3
- mem8 6.0.1
- mflux-streamlit 0.0.3, 0.0.4
- openai-mcp 2.41.1, 2.41.2
- orchestrar8-platform 3.3.2
- phenopacket-store-toolkit 0.1.7
- ppkt2synergy 0.1.1
- pyphetools 0.9.120
- ray-mcp-server 0.2.1
- section 3.1.7
- rsquests 2.34.3
- tiktoken-mcp 0.13.1, 0.13.2
- section 3.1.4
The new batch uses a new payload delivery method, according to Socket, indicating that threat actors are adapting and actively trying different methods as part of what has been described as a “quick-moving supply chain campaign.”
While the earlier packages used executable .pth startup hooks in the bootstrap Bun and used an obfuscated JavaScript hacker, the latest set includes different methods –
- Trojanized native extensions .abi3.so that use the hacker when the package is imported
- .pth variant of the launch hook loader that searches the sys.path for the “_index.js” payload instead of including the payload in the same wheel
“That last variant separates the loader from the JavaScript payload, which can make the package look malicious during static analysis,” Socket told Hacker News.
Regardless of the method used, the result is the same. Once released, the malware targets developer workstations and CI/CD environments, harvests high-value secrets and releases them into a public GitHub repository.
The key strength of the bioinformatics package is its ability to confuse and bypass AI-powered scanners and analyst copies with a quick injection of arguments embedded within JavaScript block comments, a feature previously described by StepSecurity.
“The Hades branch of the Shai-Hulud and Miasma operation is best understood as a rapid supply campaign, not a single package incident,” said Socket researcher Kirill Boychenko. “The langchain-core-mcp variant goes a step further by adding a .pth loader that searches the sys.path for _index.js, which means the loader and payload don’t have to live on the same wheel.”
