Microsoft has confirmed that it temporarily removed several GitHub repositories after a large-scale malware campaign compromised 73 of its open-source projects.
The attack is linked to the ongoing Miasma software supply chain campaign, which has been targeting open-source projects, developer tools, and package ecosystems. Security researchers discovered that attackers had injected malicious code into multiple Microsoft-hosted repositories, prompting the company to take them offline for investigation.
The compromised repositories were spread across multiple Microsoft GitHub organizations, including Microsoft, Azure, Azure-Samples, and MicrosoftDocs. Researchers found that the malicious code was designed to target developers using AI-powered coding tools. In some cases, the malware could trigger automatic code execution when an infected repository was opened in tools such as Claude Code, Gemini CLI, Visual Studio Code, or Cursor. Once executed, it could steal credentials, API keys, cloud access tokens, and other sensitive data from developer workstations and CI/CD environments.
In a statement shared with The Hacker News, Microsoft said some repositories have already been restored after review, while others remain unavailable as the investigation continues.
“Our priority is to protect customers and the broader ecosystem,” a Microsoft spokesperson said.
The company also revealed that it has notified a small number of customers who may have downloaded content from the affected repositories. Microsoft said it will continue to investigate the incident and provide further guidance if additional customer action becomes necessary.
The Miasma campaign is a variant of the Mini Shai-Hulud worm, an open-source malware framework linked to the threat group TeamPCP. The campaign initially gained attention after attackers compromised a Red Hat employee’s GitHub account and used it to distribute malicious npm packages.
Earlier this month, Microsoft Threat Intelligence reported that attackers had published 32 malicious packages across more than 90 versions under the @redhat-cloud-services npm namespace to steal cloud credentials.
Researchers say the attackers later changed tactics. Instead of relying only on package registries, they began targeting source code repositories directly. Public GitHub projects were modified to include malware capable of infecting developers who interacted with the compromised code.
Among the affected projects was “durabletask,” a Python package that had previously been compromised and used to distribute an information-stealing malware targeting Linux systems.
The attach shows how cybercriminals are increasingly targeting AI-assisted development workflows. Unlike traditional supply chain attacks that rely on developers installing compromised packages, Miasma was designed to weaponize AI coding tools and development environments that many programmers use every day.
Since the campaign specifically targeted platforms such as Claude Code, Gemini CLI, VS Code, and Cursor. This allowed attackers to reach both individual developer machines and enterprise CI/CD pipelines. Stolen information was then exfiltrated to attacker-controlled GitHub repositories.
Security researchers have also uncovered a new wave of malicious Python packages connected to the broader Miasma, Mini Shai-Hulud, and Hades campaigns.
The latest discoveries include 23 compromised packages targeting AI developers, MCP-related projects, bioinformatics tools, and scientific software. Researchers also found typosquatting packages such as “rsquests,” “tlask,” and “rlask,” which were designed to impersonate legitimate libraries and trick developers into installing them.
The campaign has continued to evolve with new delivery techniques. While earlier versions relied on startup hooks to launch hidden JavaScript malware, newer variants use trojanized native extensions and more advanced loaders that make detection harder during security reviews.
Researchers also found prompt injection techniques hidden inside code comments. These were designed to interfere with AI-powered security scanners and analysis tools.
Microsoft has started restoring repositories that have been reviewed and cleared of malicious content. However, several projects remain offline while the company continues its investigation.
Related Posts
