Microsoft has taken steps to address a recent security breach that impacted several GitHub repositories. On Monday, the tech giant confirmed that it temporarily removed some repositories following the discovery of a security incident in which 73 open-source projects were compromised. The breach involved injecting information-stealing malware into the project code.
Microsoft’s Response to the Breach
A Microsoft representative emphasized the company’s commitment to protecting its users and the broader ecosystem. “We have temporarily taken down certain repositories to investigate potentially harmful content,” the spokesperson explained. While some repositories have been restored after thorough review, others will remain offline as the investigation continues.
Microsoft has also alerted a select group of customers who might have downloaded content from the affected repositories. The company assured that it would continue to monitor the situation and directly contact customers if further actions are necessary.
Details of the Miasma Campaign
This incident is part of a larger software supply chain campaign known as Miasma. Recently, Microsoft restricted access to several open-source projects on GitHub after reports of their compromise. Among the affected projects was “durabletask,” a Python package targeted by the cybercrime group TeamPCP to deploy an information stealer aimed at Linux systems.
Further investigation into the Miasma payload revealed that it can execute code automatically when developers open the repository using AI-powered coding tools or integrated development environments (IDEs). This is part of an ongoing strategy to plant malware in widely used open-source packages, potentially affecting downstream users.
Adapting Threats and Future Outlook
Recent findings indicate that the threat actors are experimenting with new payload delivery methods. Earlier packages used startup hooks to run a JavaScript stealer, but newer variants employ different tactics. These include Trojanized native extensions and modified startup hook loaders that separate the malware loader from the payload in order to evade static analysis.
Whatever delivery method is used, the malware’s objective remains the same: targeting developer workstations and CI/CD environments to capture sensitive data and transmit it to a public GitHub repository. A notable aspect of the bioinformatics package is its ability to bypass AI-powered analysis tools through adversarial prompt injection.
Kirill Boychenko, a researcher at Socket, highlighted that the Hades branch of the Miasma campaign exemplifies a rapidly evolving supply chain threat. As these attacks continue to develop, monitoring for and safeguarding against such threats remain critical for developers and organizations worldwide.
