"Our priority is to protect customers and the broader ecosystem," a Microsoft spokesperson told The Hacker News, explaining why the company temporarily removed some GitHub repositories while it investigated a widening software supply chain intrusion.
Microsoft's repository removals and selective restorations
Microsoft confirmed on Monday that it cut off access to dozens of open-source projects hosted on GitHub after reports that 73 of its projects had been compromised to deliver an information stealer. The company said it temporarily removed some repositories "as we investigated potential malicious content." According to Microsoft, "Some of these repos have been restored after review, while others may remain offline while work continues."
Microsoft also told The Hacker News that it has "notified a small number of customers who may have pulled down content from the affected repositories" and that it will contact customers directly through established support channels if further customer action is required.
The Miasma campaign and TeamPCP
Researchers link the incident to an ongoing supply chain campaign codenamed Miasma. Among the first public examples was the Python package durabletask, which was reportedly compromised last month by a cybercrime group known as TeamPCP to deliver an information stealer aimed at Linux systems.
Security firms describe this as part of a broader, sustained campaign that has breached widely used open-source packages to plant malware capable of propagating to downstream users. Analysts characterize the activity as fast-moving, with multiple waves and branches — including Mini Shai-Hulud, Miasma, and a Hades subcluster tied to the same activity set.
Technical delivery mechanisms: .pth loaders, native .abi3.so, and separated payloads
Researchers from Socket and others tracing the campaign say the threat actors are experimenting with multiple delivery methods. Earlier waves used executable .pth startup hooks that bootstrapped Bun and ran an obfuscated JavaScript stealer bundled with the package. The newer cluster incorporates different approaches:
- Trojanized native .abi3.so extensions that execute the stealer when the package is imported.
- A .pth startup-hook loader variant that searches sys.path for an "_index.js" payload instead of bundling the payload in the same wheel.
Socket warned: "That last variant separates the loader from the JavaScript payload, which could make the package look less obviously malicious during static analysis." The practical consequence, analysts say, is that static inspection may miss a loader that only fetches or executes a remote or separately stored payload.
Regardless of the loader method, the end result reported by researchers is similar: once executed, the malware targets developer workstations and CI/CD environments, harvesting high-value secrets and exfiltrating them to a public GitHub repository.
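The three artefacts described above (executable .pth startup hooks, native .abi3.so extensions, and a separately shipped _index.js) can all be enumerated from the filesystem. The audit script below is an added example written for this article, not code from Socket, Microsoft or any of the affected projects. It relies on one documented Python behaviour: the site module executes any .pth line that begins with "import" followed by whitespace, and only for .pth files that sit directly in a site-packages directory. The severity markers, the list of known benign hooks, and the sample tree it builds under a temporary directory are constructed assumptions for the demonstration.

```python
import re
import site
import tempfile
from pathlib import Path

# Substrings that raise the severity of an executable .pth line. Python's site
# module runs any .pth line that begins with "import" at interpreter startup, so
# every such line deserves a look; these markers point at code loading, process
# spawning or network use and are a constructed heuristic, not a published rule.
HIGH_RISK_MARKERS = ("exec(", "eval(", "compile(", "subprocess", "os.system",
                     "base64", "urllib", "socket", "_index.js", "bun")

# Startup hooks commonly shipped by legitimate tooling (assumption; extend as needed).
KNOWN_BENIGN_HOOKS = {"_virtualenv", "_distutils_hack"}


def classify_pth_line(line):
    """Return None for ordinary path lines, else a severity for an executable line."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    # site.py only executes lines that start with "import" followed by whitespace.
    if not re.match(r"import[ \t]", stripped):
        return None
    lowered = stripped.lower()
    if any(marker in lowered for marker in HIGH_RISK_MARKERS):
        return "high"
    m = re.fullmatch(r"import\s+([A-Za-z_]\w*)", stripped)
    if m and m.group(1) in KNOWN_BENIGN_HOOKS:
        return "low"
    return "medium"


def audit_site_packages(roots):
    """Walk site-package roots and collect the three artefact kinds named in the reporting."""
    findings = {"pth_hooks": [], "native_abi3": [], "js_payloads": []}
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for path in sorted(root.rglob("*")):
            if not path.is_file():
                continue
            # .pth files are only processed when they sit directly in a site directory.
            if path.suffix == ".pth" and path.parent == root:
                for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
                    severity = classify_pth_line(line)
                    if severity:
                        findings["pth_hooks"].append(
                            {"file": str(path), "line": lineno,
                             "severity": severity, "text": line.strip()})
            elif path.name.endswith(".abi3.so"):
                findings["native_abi3"].append(str(path))
            elif path.name == "_index.js":
                findings["js_payloads"].append(str(path))
    return findings


def default_roots():
    """Site directories of the running interpreter plus the user site directory."""
    roots = list(getattr(site, "getsitepackages", lambda: [])())
    roots.append(site.getusersitepackages())
    return roots


def demo():
    """Run the audit over a constructed site-packages tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "extra-paths.pth").write_text("/opt/extra/lib\n")        # plain path line
        (root / "_virtualenv.pth").write_text("import _virtualenv\n")     # known benign hook
        (root / "hook.pth").write_text(                                  # constructed startup hook
            "import os, sys; exec(\"print('startup hook ran')\")\n")
        pkg = root / "somepkg"
        pkg.mkdir()
        (pkg / "_native.abi3.so").write_bytes(b"\x7fELF")                # stand-in, not a real ELF
        (pkg / "_index.js").write_text("// constructed placeholder\n")
        (pkg / "nested.pth").write_text("import os\n")                    # ignored: not in a site dir
        return audit_site_packages([root])


if __name__ == "__main__":
    import json
    print(json.dumps(audit_site_packages(default_roots()), indent=2))
```

Run it inside each interpreter and virtual environment used by a build agent; a "medium" or "high" .pth hit, or any .abi3.so or _index.js that the owning package's RECORD file does not account for, is the point at which to pull the package's wheel for manual review rather than rely on a static scanner that never sees the loader and payload together.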
Packages targeted, including bioinformatics libraries and typosquats
The campaign has also been tied to a newer PyPI wave infecting 23 additional packages, several of which are bioinformatics-related libraries used in graph learning, patient phenotyping, phenopacket tooling, and scientific workflows. Analysts flagged a mix of legitimate-sounding packages, model- and AI-themed packages, and typosquat-style names that imitate popular packages such as requests and flask.
The complete list of legitimate and bait packages called out in reporting includes:
- dreamgen 1.8.1
- embiggen 0.11.97
- ensmallen 0.8.101
- gpsea 0.9.14
- instructor-mcp 1.15.2, 1.15.3
- langchain-core-mcp 1.4.2, 1.4.3
- mem8 6.0.1
- mflux-streamlit 0.0.3, 0.0.4
- openai-mcp 2.41.1, 2.41.2
- orchestr8-platform 3.3.2
- phenopacket-store-toolkit 0.1.7
- ppkt2synergy 0.1.1
- pyphetools 0.9.120
- ray-mcp-server 0.2.1
- rlask 3.1.7
- rsquests 2.34.3
- tiktoken-mcp 0.13.1, 0.13.2
- tlask 3.1.4
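A first triage step for teams with many environments is to compare what is actually installed against the names and versions in the list above. The script below is an added example, not tooling from the researchers or from PyPI; the package table is transcribed from the list above, the name normalization follows PEP 503 (case-insensitive, runs of hyphen, underscore and dot collapse to a single hyphen), and the `pip freeze`-style input it parses is a constructed sample. A name match at a version not on the list is reported as "review" rather than treated as clean, since the list is what reporting has called out so far, not an exhaustive inventory.

```python
import importlib.metadata
import re

# Package names and versions named in the reporting on the PyPI wave. The
# versions are the ones explicitly called out; other versions of the same name
# get a lower-confidence "review" result rather than a clean bill of health.
NAMED_PACKAGES = {
    "dreamgen": {"1.8.1"},
    "embiggen": {"0.11.97"},
    "ensmallen": {"0.8.101"},
    "gpsea": {"0.9.14"},
    "instructor-mcp": {"1.15.2", "1.15.3"},
    "langchain-core-mcp": {"1.4.2", "1.4.3"},
    "mem8": {"6.0.1"},
    "mflux-streamlit": {"0.0.3", "0.0.4"},
    "openai-mcp": {"2.41.1", "2.41.2"},
    "orchestr8-platform": {"3.3.2"},
    "phenopacket-store-toolkit": {"0.1.7"},
    "ppkt2synergy": {"0.1.1"},
    "pyphetools": {"0.9.120"},
    "ray-mcp-server": {"0.2.1"},
    "rlask": {"3.1.7"},
    "rsquests": {"2.34.3"},
    "tiktoken-mcp": {"0.13.1", "0.13.2"},
    "tlask": {"3.1.4"},
}


def normalize(name):
    """PEP 503 name normalization so 'Foo_Bar.Baz' and 'foo-bar-baz' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


NORMALIZED = {normalize(k): v for k, v in NAMED_PACKAGES.items()}


def check_inventory(pairs):
    """Given (name, version) pairs, return a finding for each named package present."""
    findings = []
    for name, version in pairs:
        key = normalize(name)
        if key not in NORMALIZED:
            continue
        status = "named_version" if version in NORMALIZED[key] else "named_package_other_version"
        findings.append({"name": name, "version": version, "status": status})
    return findings


def parse_freeze(text):
    """Extract (name, version) pairs from `pip freeze` / pinned requirements lines."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)", line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def installed_pairs():
    """(name, version) for every distribution visible to the running interpreter."""
    out = []
    for dist in importlib.metadata.distributions():
        name = dist.metadata["Name"]
        if name:
            out.append((name, dist.version))
    return out


# Constructed sample of `pip freeze` output; it does not describe a real environment.
SAMPLE_FREEZE = """\
requests==2.32.3
Rsquests==2.34.3                # typosquat-style name, listed version
Phenopacket_Store_Toolkit==0.1.7
pyphetools==0.9.119             # listed name, version not on the list
numpy==2.2.0
"""


def demo():
    """Run the check over the constructed sample and return its findings."""
    return check_inventory(parse_freeze(SAMPLE_FREEZE))


if __name__ == "__main__":
    for finding in check_inventory(installed_pairs()):
        print(f"{finding['status']:>28}  {finding['name']}=={finding['version']}")
```

Point `parse_freeze` at exported lock files or `pip freeze` output collected from CI images and developer machines, and run the `__main__` branch inside each interpreter that builds or deploys code; any "named_version" hit is a package to treat as compromised until its contents have been reviewed.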
Security analysts additionally reported that a bioinformatics package contains an adversarial prompt injection hidden inside a JavaScript block comment — a technique StepSecurity previously detailed — intended to derail and bypass AI-powered scanners and analyst copilots.
What this means for developers, bioinformatics teams, and CI/CD operators
Developers and maintainer teams will need to treat repositories and PyPI packages with renewed suspicion when build-time or import-time hooks (.pth files) and native extension code (.abi3.so) are present, because researchers say both mechanisms have been used to trigger execution. Bioinformatics researchers and users of phenopacket and patient-phenotyping tooling should note that packages in those ecosystems were explicitly named among the infected set.
CI/CD operators and organizations relying on developer workstations should be aware that the reported aim of these payloads is to harvest high-value secrets and exfiltrate them to a public GitHub repository, meaning build systems and secret stores are specific targets in this campaign.
Socket researcher Kirill Boychenko summarized the activity as a broad, adaptable campaign: "The Hades branch of the Shai-Hulud and Miasma activity is best understood as a fast-moving supply chain campaign, not a single package incident." That assessment, and Microsoft's ongoing selective restorations and notifications, leave a narrow question for affected teams: which of the restored repos are now safe to pull, and which remain under active forensic review?