What changed
Microsoft confirmed it temporarily removed some GitHub repositories after a recent security incident in which 73 open-source projects were compromised to inject an information stealer.
“Our priority is to protect customers and the broader ecosystem,” a Microsoft spokesperson told The Hacker News via email. “We temporarily removed some repositories as we investigated potential malicious content. Some of these repos have been restored after review, while others may remain offline while work continues.”
“As part of our investigation, we notified a small number of customers who may have pulled down content from the affected repositories. We will continue to investigate, and if anything further is identified that requires customer action, we will reach out directly through our established support channels.”
This follows Microsoft cutting off access to dozens of open-source projects on GitHub after reports that they were compromised in an ongoing software supply chain campaign codenamed Miasma.
The campaign
One infected project was durabletask, a Python package first compromised last month by a cybercrime group known as TeamPCP. The goal: deliver an information stealer targeting Linux systems.
Analysis shows the Miasma payload can trigger automatic code execution when a developer opens a tainted repository in an AI-powered coding tool or IDE. It is part of a sustained effort to breach widely used open-source packages and spread malware downstream.
A newer PyPI wave tied to the broader Mini Shai-Hulud, Miasma, and Hades activity infected an additional set of 23 packages, including bioinformatics-related libraries used in graph learning, patient phenotyping, phenopacket tooling, and scientific workflows.
Packages observed in this wave
Researchers also noted AI- and Model Context Protocol (MCP)-themed packages and typosquats such as rsquests, tlask, and rlask that impersonate requests and flask, plus langchain-core-mcp. The complete list of legitimate and bait packages reported includes:
- dreamgen 1.8.1
- embiggen 0.11.97
- ensmallen 0.8.101
- gpsea 0.9.14
- instructor-mcp 1.15.2, 1.15.3
- langchain-core-mcp 1.4.2, 1.4.3
- mem8 6.0.1
- mflux-streamlit 0.0.3, 0.0.4
- openai-mcp 2.41.1, 2.41.2
- orchestr8-platform 3.3.2
- phenopacket-store-toolkit 0.1.7
- ppkt2synergy 0.1.1
- pyphetools 0.9.120
- ray-mcp-server 0.2.1
- rlask 3.1.7
- rsquests 2.34.3
- tiktoken-mcp 0.13.1, 0.13.2
- tlask 3.1.4
How the payload is delivered
According to Socket, the cluster uses a new delivery mechanism—evidence that the actors are adapting quickly in a fast-moving supply chain campaign.
Earlier packages relied on executable .pth startup hooks to bootstrap Bun and run an obfuscated JavaScript stealer. The latest set uses different approaches:
- Trojanized native
.abi3.soextensions that execute the stealer when the package is imported - A
.pthstartup hook loader variant that searchessys.pathfor the"_index.js"payload instead of bundling it in the same wheel
“That last variant separates the loader from the JavaScript payload, which could make the package look less obviously malicious during static analysis,” Socket told The Hacker News.
What it does
Regardless of the path in, the outcome is the same: once executed, the malware targets developer workstations and CI/CD environments, harvests high-value secrets, and exfiltrates them to a public GitHub repository.
Evasion tactics
A key capability in the bioinformatics package set is an adversarial prompt injection hidden in a JavaScript block comment. This can derail AI-powered scanners and analyst copilots, a technique previously detailed by StepSecurity.
“The Hades branch of the Shai-Hulud and Miasma activity is best understood as a fast-moving supply chain campaign, not a single package incident,” Socket researcher Kirill Boychenko said. “The langchain-core-mcp variant goes further by installing a .pth loader that searches sys.path for _index.js, meaning the loader and payload do not need to live in the same wheel.”
Reference: View article