Microsoft restores some GitHub repos after Miasma attacks

Microsoft restored some GitHub repositories after the Miasma supply-chain campaign injected an information stealer into 73 projects; others remain offline during the investigation.

Microsoft confirmed on Monday it restored a portion of GitHub repositories after a supply-chain campaign known as Miasma injected an information stealer into 73 open-source projects. Other repositories remain offline while teams inspect code and complete reviews. The company temporarily removed a subset of repositories to examine potential malicious content and notified a small number of customers who may have pulled affected code. Microsoft issued a statement: “Our priority is to protect customers and the broader ecosystem. We temporarily removed some repositories as we investigated potential malicious content. Some of these repos have been restored after review, while others may remain offline while work continues. We will continue to investigate, and if anything further is identified that requires customer action, we will reach out directly through our established support channels.”

The repository removals followed earlier action to cut access to dozens of open-source projects after reports of compromise. The campaign first compromised the durabletask Python package last month and was linked to an actor identified as TeamPCP. Subsequent waves affected additional PyPI packages and GitHub projects, including libraries used in bioinformatics and AI tooling and several typosquat packages mimicking names such as requests and Flask. Analysts reported about 23 additional PyPI packages tied to the cluster, including packages themed around AI and model context protocol tooling.

Researchers mapped multiple delivery methods used in the cluster. Early malicious wheels used .pth startup hooks to bootstrap a Bun runtime and run an obfuscated JavaScript stealer. More recent variants include Trojanized native .abi3.so extensions that execute when a package is imported and a loader variant that searches sys.path for a separate _index.js payload instead of bundling the payload inside the same wheel. Separating the loader from the payload can make static analysis less likely to flag the package.
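The three loader patterns described above (code-executing `.pth` startup hooks, native `.abi3.so` extensions that run on import, and a detached `_index.js` payload placed on `sys.path`) are all visible on disk, so an environment audit can surface them before a package is imported. The script below is an added example written for this article, not code from Microsoft, Socket or any of the affected projects; it builds a constructed stand-in for a site-packages directory and walks it for those three indicators. It mirrors the rule CPython's `site.py` actually applies to `.pth` files (only lines beginning with `import ` or `import\t` are executed). Native `.abi3.so` modules are common in legitimate packages, so that finding means "verify provenance", not "malicious".

```python
"""Audit an import-path directory tree for the loader patterns reported in
the Miasma cluster: .pth startup hooks that execute code, native .abi3.so
extension modules, and a stray _index.js payload on the import path.
Added example; all sample files are constructed here, not real packages."""
import os
import sys
import tempfile


def pth_exec_lines(path):
    """Return (lineno, line) for each line of a .pth file that site.py would
    exec at interpreter start. site.py skips comments and blank lines and
    executes only lines that begin with 'import ' or 'import\\t'."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if line.startswith("#") or line.strip() == "":
                continue
            if line.startswith(("import ", "import\t")):
                hits.append((lineno, line.rstrip()))
    return hits


def audit_search_path(dirs):
    """Walk each directory and collect (category, path, detail) findings."""
    findings = []
    for base in dirs:
        if not os.path.isdir(base):
            continue
        for root, _subdirs, files in os.walk(base):
            for name in files:
                full = os.path.join(root, name)
                if name.endswith(".pth"):
                    for lineno, line in pth_exec_lines(full):
                        findings.append(("pth_exec_hook", full,
                                         f"line {lineno}: {line}"))
                elif name.endswith(".abi3.so"):
                    findings.append(("native_abi3_extension", full,
                                     "runs on import; verify provenance"))
                elif name == "_index.js":
                    findings.append(("stray_js_payload", full,
                                     "JavaScript file on Python import path"))
    return findings


def build_constructed_env():
    """Create a throwaway tree standing in for site-packages. Every file here
    is a constructed placeholder for the example; the hook only sets an
    environment variable and is never executed by this script."""
    base = tempfile.mkdtemp(prefix="miasma_audit_")
    with open(os.path.join(base, "benign.pth"), "w") as fh:
        fh.write("/opt/example/lib\n")            # ordinary path entry only
    with open(os.path.join(base, "hook.pth"), "w") as fh:
        fh.write("# constructed example\n"
                 "import os; os.environ['CONSTRUCTED_HOOK'] = '1'\n")
    pkg = os.path.join(base, "examplepkg")          # hypothetical package name
    os.makedirs(pkg)
    with open(os.path.join(pkg, "_native.abi3.so"), "wb") as fh:
        fh.write(b"\x7fELF")                        # placeholder bytes, not a real .so
    with open(os.path.join(pkg, "_index.js"), "w") as fh:
        fh.write("// constructed placeholder\n")
    return base


def run_demo():
    """Audit the constructed tree and return its findings."""
    return audit_search_path([build_constructed_env()])


if __name__ == "__main__":
    # For a real environment, audit the live import path instead:
    #   audit_search_path(sys.path)
    for category, path, detail in run_demo():
        print(f"{category}: {path} ({detail})")
```

Run `audit_search_path(sys.path)` (or pass the site-packages directories of each virtualenv and CI runner image) to check a real environment. Note that `.pth` files are only processed when they sit directly in a site directory, so a hit in a nested package directory is a lower-confidence signal than one at the top level of site-packages, while `_index.js` and `.abi3.so` findings should be matched against the package's published sdist or upstream repository before being cleared.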

When executed, the malware targets developer workstations and continuous integration environments, harvests credentials and other secrets, then exfiltrates that data to a public GitHub repository. One infected bioinformatics package contained an adversarial prompt injection inside a JavaScript block comment intended to derail or bypass AI-powered code scanners and analyst copilots.

Socket researcher Kirill Boychenko described the Hades branch of the activity as “best understood as a fast-moving supply chain campaign, not a single package incident.” Microsoft confirmed it will continue investigating and update affected repositories as reviews finish. Organizations and developers who used the impacted packages are advised to monitor vendor advisories, scan dependencies and expect direct notifications if further remediation is required.
