Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Miasma Worm Hacks 73 Microsoft GitHub Repositories: A Looming Threat to Software Supply Chain Security


Microsoft temporarily removed some GitHub repositories in response to a recent security incident that led to the compromise of 73 open-source projects. The compromised repositories contained an information stealer designed to inject malware into Linux systems, as part of a larger software supply chain campaign codenamed Miasma.

  • Microsoft temporarily removed some GitHub repositories due to a security incident that compromised 73 open-source projects.
  • The compromised projects contained an information stealer designed to inject malware into Linux systems, as part of the Miasma software supply chain campaign.
  • The attack was carried out by TeamPCP and involved Trojanized native extensions and a .pth startup hook loader variant.
  • The attackers used compromised legitimate packages to gain trust and reach, making them harder to detect and defend against.
  • The incident highlights the importance of robust security measures, including regular vulnerability scanning and secure coding practices.



    Microsoft has announced that it has temporarily removed some GitHub repositories in response to a recent security incident that led to the compromise of 73 of its open-source projects. The compromised projects were found to contain an information stealer designed to inject malware into Linux systems. This incident is part of a larger software supply chain campaign codenamed Miasma, which has been breaching widely used open-source packages to plant malware capable of propagating to downstream users and beyond.

    The Miasma worm is believed to have been unleashed by a cybercrime group known as TeamPCP, which used the compromised repositories to deliver an information stealer designed for Linux systems. The stealer was capable of harvesting high-value secrets from developer workstations and CI/CD environments and exfiltrating them to a public GitHub repository. This attack highlights the growing threat of supply chain attacks, which have become increasingly sophisticated in recent months.

    The Miasma worm is part of a larger cluster of attacks that have been linked to a new payload delivery mechanism. This mechanism involves Trojanized native .abi3.so extensions that execute the stealer when the package is imported. Alternatively, the attack also employs a .pth startup hook loader variant that searches sys.path for the "_index.js" payload instead of bundling it in the same wheel. The use of such sophisticated tactics underscores the evolving nature of software supply chain attacks.
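The two delivery paths above both rely on files that a Python installation will act on by itself: a `.pth` file whose lines begin with `import` is executed by CPython's site module at interpreter start, and the loader variant then locates a `_index.js` file via sys.path. The audit script below, an added example for defenders and not code from the article or from any vendor named in it, walks a list of directories and flags both indicators; the sample package tree it builds is constructed for the demo.

```python
import os
import tempfile

PAYLOAD_NAME = "_index.js"  # payload file name quoted in the article

def pth_exec_lines(pth_path):
    """Return (lineno, line) for each .pth line the interpreter would exec()
    at startup: CPython's site module executes lines starting with 'import '
    or 'import\\t'; every other non-comment line is a path to add to sys.path."""
    hits = []
    with open(pth_path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if line.startswith(("import ", "import\t")):
                hits.append((lineno, line.rstrip("\n")))
    return hits

def audit_paths(paths):
    """Scan each directory in `paths` (e.g. sys.path) and return findings:
    ("pth_import", file, lineno, line) for executable .pth lines and
    ("payload_file", file) for any _index.js in the tree.  Some legitimate
    packages ship import-style .pth files (setuptools' distutils-precedence.pth),
    so every finding needs a human look rather than automatic removal."""
    findings = []
    for base in paths:
        if not os.path.isdir(base):
            continue
        # site.py only reads .pth files at the top level of a site directory
        for name in sorted(os.listdir(base)):
            if name.endswith(".pth"):
                full = os.path.join(base, name)
                for lineno, line in pth_exec_lines(full):
                    findings.append(("pth_import", full, lineno, line))
        # a JavaScript payload inside a Python package tree is worth flagging
        for root, _dirs, files in os.walk(base):
            if PAYLOAD_NAME in files:
                findings.append(("payload_file", os.path.join(root, PAYLOAD_NAME)))
    return findings

def demo():
    """Constructed site-packages tree: one path-only .pth (benign), one
    import-style hook .pth (harmless demo line), and a stray _index.js."""
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "extra.pth"), "w") as f:
        f.write("/opt/extra/lib\n")
    with open(os.path.join(base, "hook.pth"), "w") as f:
        f.write("import sys; sys.modules['_demo_hook'] = None\n")
    pkg = os.path.join(base, "somepkg")
    os.makedirs(pkg)
    open(os.path.join(pkg, PAYLOAD_NAME), "w").close()
    return audit_paths([base])
```

On a real host, call `audit_paths(site.getsitepackages() + [site.getusersitepackages()])` to cover the directories site.py actually processes.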

    According to Kirill Boychenko, senior threat intelligence analyst at Socket, the latest assortment of Python libraries marks the first time the Mini Shai-Hulud / Miasma / Hades-linked attacks have mixed compromised legitimate packages with threat actor-published typosquats and ecosystem-lure packages. This development highlights the growing sophistication of supply chain attacks, which are becoming increasingly difficult to detect and defend against.

    Boychenko described the use of compromised legitimate packages as a tactical diversification strategy by the attackers. "Compromised legitimate packages give them trust and reach," he explained. "Those paths depend on stolen credentials or CI/CD access that can be revoked quickly." In contrast, threat actor-published typosquats and ecosystem-bait packages are easier to publish, faster to iterate on, and more useful for testing new malware loader behavior without burning high-value compromised projects.

    Furthermore, the Miasma worm is notable for its ability to derail and bypass AI-powered scanners and analyst copilots through an adversarial prompt injection embedded within a JavaScript block comment. This capability was previously detailed by StepSecurity and highlights the ongoing cat-and-mouse game between attackers and defenders in the software supply chain space.

    The incident serves as a stark reminder of the importance of robust security measures to protect against supply chain attacks. As the use of open-source software becomes increasingly prevalent, it is essential for organizations to adopt best practices such as regular vulnerability scanning, secure coding practices, and rigorous testing procedures to minimize the risk of exploitation.

    In response to the incident, Microsoft has notified a small number of customers who may have pulled down content from the affected repositories. The company will continue to investigate and will take any further action directly with affected customers through its support channels.

    The Miasma worm is just one example of the growing threat landscape in the software supply chain space. As attacks become increasingly sophisticated, it is essential for organizations to stay vigilant and proactive in their security efforts to protect against such threats.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/Miasma-Worm-Hacks-73-Microsoft-GitHub-Repositories-A-Looming-Threat-to-Software-Supply-Chain-Security-ehn.shtml

  • https://thehackernews.com/2026/06/microsoft-restores-some-github-repos.html


  • Published: Wed Jun 10 14:27:53 2026 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.