Full Report
Microsoft on Monday confirmed that it temporarily removed some GitHub repositories in response to a recent security incident that led to 73 of its open-source projects being compromised to inject an information stealer into the code. "Our priority is to protect customers and the broader ecosystem," a Microsoft spokesperson told The Hacker News via email. "We temporarily removed some
Analysis Summary
# Incident Report: Miasma Software Supply Chain Compromise
## Executive Summary
Microsoft confirmed a significant software supply chain attack, codenamed "Miasma," which resulted in the compromise of 73 open-source repositories on GitHub. Attributed to the threat group "TeamPCP," the campaign injected information-stealing malware designed to harvest developer secrets and bypass AI-powered security scanners via adversarial prompt injection. Microsoft has temporarily removed several projects and is notifying affected customers as part of an ongoing recovery effort.
## Incident Details
- **Discovery Date:** June 2026 (confirmed publicly June 9, 2026)
- **Incident Date:** May 2024 – June 2026 (ongoing campaign)
- **Affected Organization:** Microsoft (GitHub Open Source Projects)
- **Sector:** Technology / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 2026 (first detected compromise of "durabletask" Python package).
- **Vector:** Software Supply Chain Attack / Repository Hijacking.
- **Details:** Threat actors infiltrated legitimate open-source projects and published malicious updates or typosquatted packages.
### Lateral Movement
- **Details:** The malware targets the workstations of developers who download the compromised repositories. Once a developer environment is infected, the malware attempts to pivot into CI/CD pipelines to further propagate or harvest credentials.
### Data Exfiltration/Impact
- **Details:** High-value secrets (API keys, credentials, tokens) were harvested from developer workstations and CI/CD environments and exfiltrated to a public GitHub repository controlled by the attackers.
### Detection & Response
- **How it was discovered:** Reports of compromise (likely via security researchers at Socket and StepSecurity) and internal investigation.
- **Response actions taken:** Microsoft blocked access to dozens of repositories, removed malicious code, and began restoring clean versions after review.
## Attack Methodology
- **Initial Access:** Hijacking existing GitHub repositories and publishing malicious versions of PyPI packages (Supply Chain Poisoning).
- **Persistence:** Implementation of `.pth` startup hooks to bootstrap malware upon environment initialization.
- **Defense Evasion:** Use of Trojanized native `.abi3.so` extensions; adversarial prompt injection within JavaScript comments to "derail" AI security scanners and Copilots.
- **Credential Access:** Harvesting secrets from developer environment variables and configuration files.
- **Lateral Movement:** Propagation from local developer machines to broader CI/CD infrastructure.
- **Exfiltration:** Data sent to attacker-controlled public GitHub repositories to blend in with legitimate traffic.
- **Impact:** Poisoning of 73+ Microsoft projects and 23+ bioinformatics/AI-related libraries.
## Impact Assessment
- **Financial:** Not disclosed; costs associated with incident response, remediation, and potential downstream liability.
- **Data Breach:** Compromise of developer credentials, SSH keys, and cloud tokens.
- **Operational:** Temporary shutdown of 73+ open-source projects; disruption for developers relying on poisoned packages.
- **Reputational:** High; marks a sophisticated bypass of AI-assisted security tools on a major platform.
## Indicators of Compromise
- **File indicators:**
- `_index.js` (JavaScript payload)
- Malicious `.pth` files
- Trojanized `.abi3.so` extensions
- **Behavioral indicators:**
- Unexpected code execution when opening repositories in IDEs or AI coding tools.
- Secret harvesting/exfiltration patterns in CI/CD environment logs.
## Response Actions
- **Containment:** Removal of dozens of compromised open-source repositories from GitHub.
- **Eradication:** Review and cleaning of 73+ projects; notification of a "small number" of customers who downloaded the content.
- **Recovery:** Partial restoration of verified clean repositories; ongoing investigation into the "Hades" and "Mini Shai-Hulud" clusters.
## Lessons Learned
- **AI Tool Vulnerability:** AI-powered coding assistants and scanners can be bypassed using "adversarial prompt injection" embedded in code comments.
- **Supply Chain Fragility:** Open-source ecosystems remain highly susceptible to "startup hook" persistence mechanisms in Python packages.
- **Developer Targeting:** Individual developer workstations are the primary entry point for deeper infrastructure compromises.
## Recommendations
- **Audit Dependencies:** Organizations should pin package versions and use integrity hashing (SHA-256) to prevent automatic updates to poisoned versions.
- **Secure IDE Environments:** Disable automatic code execution/pre-loading in IDEs when opening unverified third-party repositories.
- **Secret Management:** Move away from local environment secrets toward short-lived, identity-based credentials (e.g., OIDC) for CI/CD pipelines.
- **Defensive Multi-layering:** Supplement AI-driven security scanners with traditional static and dynamic analysis (SAST/DAST) that is not susceptible to prompt injection.