Miasma supply-chain attack on Microsoft OSS and PyPI packages

CyberSecureFox Editorial Team

Microsoft has confirmed the temporary removal of a number of repositories on GitHub during an investigation into an incident involving the compromise of the company’s open-source projects. According to reports, an information stealer was injected into the code, targeting developer workstations and CI/CD environments. The incident is part of a large-scale software supply-chain attack campaign codenamed Miasma. Developers using the PyPI packages listed below, as well as Microsoft open-source projects on GitHub, must immediately review their dependencies and audit secrets in affected environments.

Microsoft’s response and scope of the incident

According to a Microsoft representative, some repositories were restored after inspection, while others may remain unavailable until the investigation is complete. The company has notified a limited number of customers who might have downloaded content from compromised repositories and stated that it is prepared to contact affected parties through official support channels should additional actions be required.

Among the affected projects, available data indicates that the durabletask package — a Python library — was compromised to deliver an information stealer targeting Linux systems. Microsoft described its actions as measures to protect customers and the broader ecosystem.

Evolution of payload delivery techniques

According to Socket’s research, the campaign is actively evolving and includes several waves: Mini Shai-Hulud, Miasma and Hades. The latest wave additionally affected 23 PyPI packages, with attackers experimenting with various mechanisms for delivering malicious code.

Early versions of the malicious packages used executable .pth autoload hooks to start the Bun runtime and execute an obfuscated JavaScript-based stealer. New variants employ fundamentally different approaches:

  • Trojanized native .abi3.so extensions — the stealer runs when the package is imported into a Python project
  • Modified .pth loader — searches for a _index.js payload along the paths in sys.path instead of bundling it directly into the distribution (wheel)

Separating the loader and the payload, in Socket’s assessment, significantly complicates detection via static analysis, since each component looks less suspicious on its own. In addition, analysis of the Miasma payload revealed the ability to trigger automatic code execution when a repository is opened in an IDE or in AI-enabled development tools.

Of particular note is a technique discovered in bioinformatics packages for bypassing AI scanners: an adversarial prompt injection is embedded into JavaScript block comments, capable of misleading automated analysis systems and AI assistants used by analysts. This technique was previously described by StepSecurity researchers.

Affected packages

The campaign covers three categories of malicious packages: bioinformatics libraries, AI- and Model Context Protocol (MCP)-themed packages, and typosquatting clones of popular libraries. According to researchers, the full list of compromised versions is as follows:

  • Bioinformatics: dreamgen 1.8.1, embiggen 0.11.97, ensmallen 0.8.101, gpsea 0.9.14, phenopacket-store-toolkit 0.1.7, ppkt2synergy 0.1.1, pyphetools 0.9.120
  • AI and MCP: instructor-mcp 1.15.2/1.15.3, langchain-core-mcp 1.4.2/1.4.3, openai-mcp 2.41.1/2.41.2, ray-mcp-server 0.2.1, tiktoken-mcp 0.13.1/0.13.2
  • Typosquatting and other: rsquests 2.34.3 (mimicking requests), tlask 3.1.4 and rlask 3.1.7 (mimicking flask), mem8 6.0.1, mflux-streamlit 0.0.3/0.0.4, orchestr8-platform 3.3.2

The choice of targets is not accidental. Bioinformatics libraries are used in scientific workflows — graph learning, patient phenotyping, and working with phenopackets. MCP-themed packages exploit the growing interest in integrating language models with external tools. Typosquatting packages are designed to capitalize on typos when installing via pip install.

Impact assessment

Regardless of the delivery method, the ultimate goal of the malicious code is the same: collecting secrets (tokens, API keys, credentials) from developer workstations and CI/CD environments, followed by exfiltration to a public GitHub repository. This creates a cascading risk: compromised secrets open access to production systems, cloud infrastructure, and internal services of organizations.

The highest-risk groups are:

  • Scientific and research organizations that use Python bioinformatics libraries
  • Development teams experimenting with MCP and language model integrations
  • Any projects that install dependencies automatically without hash verification

Response recommendations

  1. Check your dependencies: audit your requirements.txt, pyproject.toml and lock files for the presence of the listed packages and versions. Use pip list and pip show <package> to verify installed versions.
  2. Rotate secrets: if any of the specified packages has ever been installed in your environment, immediately change all tokens, API keys and credentials accessible from that environment, including CI/CD secrets.
  3. Review Microsoft repositories: if you have cloned or used Microsoft open-source projects from GitHub in recent weeks, wait for an official notification from Microsoft or check the status of the specific repositories.
  4. Strengthen dependency control: enforce hash verification of packages during installation (pip install --require-hashes), use software composition analysis (SCA) tools, and restrict automatic installation of unverified packages in CI/CD.
  5. Check for .pth files and .abi3.so: in your Python virtual environments, search for suspicious .pth files and native .abi3.so extensions that may have been installed by malicious packages.
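
The following Python script is an added example, not code from the article or the researchers it cites, covering steps 1 and 5: it matches installed distributions against the versions listed above, and lists the .pth lines that Python's site module executes at interpreter startup together with native .abi3.so files. The function names are this example's own; the package list is copied from this page.

```python
import re
import sys
from email import message_from_string
from pathlib import Path

# Names and versions copied from this article's list of affected packages.
AFFECTED = {
    "dreamgen": {"1.8.1"}, "embiggen": {"0.11.97"}, "ensmallen": {"0.8.101"},
    "gpsea": {"0.9.14"}, "phenopacket-store-toolkit": {"0.1.7"},
    "ppkt2synergy": {"0.1.1"}, "pyphetools": {"0.9.120"},
    "instructor-mcp": {"1.15.2", "1.15.3"},
    "langchain-core-mcp": {"1.4.2", "1.4.3"},
    "openai-mcp": {"2.41.1", "2.41.2"}, "ray-mcp-server": {"0.2.1"},
    "tiktoken-mcp": {"0.13.1", "0.13.2"}, "rsquests": {"2.34.3"},
    "tlask": {"3.1.4"}, "rlask": {"3.1.7"}, "mem8": {"6.0.1"},
    "mflux-streamlit": {"0.0.3", "0.0.4"}, "orchestr8-platform": {"3.3.2"},
}

def normalize(name):
    """PEP 503 name normalization, so 'OpenAI_MCP' matches 'openai-mcp'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def find_affected(site_dir):
    """Return sorted (name, version) pairs for installed wheels on the list."""
    hits = set()
    for meta in Path(site_dir).glob("*.dist-info/METADATA"):
        msg = message_from_string(meta.read_text(encoding="utf-8", errors="replace"))
        name = normalize(msg.get("Name", ""))
        version = msg.get("Version", "").strip()
        if version in AFFECTED.get(name, ()):
            hits.add((name, version))
    return sorted(hits)

def executable_pth_lines(site_dir):
    """Return (file, line) for .pth lines that Python's site module executes."""
    found = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        for line in pth.read_text(encoding="utf-8", errors="replace").splitlines():
            if line.startswith(("import ", "import\t")):  # site.py exec()s these
                found.append((pth.name, line.strip()))
    return found

def abi3_extensions(site_dir):
    """Return relative paths of native .abi3.so files, for manual review."""
    return sorted(p.relative_to(site_dir).as_posix() for p in Path(site_dir).rglob("*.abi3.so"))

if __name__ == "__main__":
    for d in sys.argv[1:]:  # pass each site-packages directory to audit
        print(d, find_affected(d), executable_pth_lines(d), abi3_extensions(d))
```

Legitimate packages also ship .pth files with import lines and abi3 extensions, so the last two lists are review queues rather than verdicts; a match from find_affected is the signal that triggers secret rotation in step 2.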

As Socket researcher Kirill Boychenko noted, the Hades branch of the Shai-Hulud and Miasma campaign represents a rapidly evolving supply-chain attack rather than an isolated incident involving a single package. The separation of loader and payload in the langchain-core-mcp variant demonstrates that attackers are deliberately adapting their methods to evade existing detection tools. The top priority is to audit dependencies and rotate all secrets in environments where any of the listed packages may have been installed.

