DocsQuick StartAI News
AI NewsMicrosoft GitHub open-source projects compromised, AI programming tools become major hotspot for data theft
Industry News

Microsoft GitHub open-source projects compromised, AI programming tools become major hotspot for data theft

2026-06-09T05:02:58.433Z
Microsoft GitHub open-source projects compromised, AI programming tools become major hotspot for data theft

Microsoft urgently removed over 70 open-source projects from GitHub after hackers inserted data-stealing malware into code for AI programming tools related to Azure, Claude Code, Gemini CLI, and VS Code. This is the second breach of Microsoft’s open-source repositories within the past month.

Microsoft urgently removes 70 GitHub projects, AI programming tools become new entry point for supply chain attacks

On June 9, Microsoft confirmed it had blocked dozens of open-source projects hosted on GitHub due to hackers implanting malicious programs designed to steal passwords and account credentials into these repositories. Opening these project pages now shows a cold, terse notice: "This repository has been disabled by platform staff due to violation of GitHub's Terms of Service."

A rough count shows at least 70 projects were taken down. Even more striking is their distribution — most are related to Microsoft's Azure cloud services, while the rest are concentrated in toolchains developers use to build AI applications, including the CLI interfaces for Claude Code and Gemini, as well as the VS Code ecosystem. In other words, these weren't obscure, seldom-used libraries — these were tools developers in 2026 run npm install or pip install daily.

Screenshot of Microsoft GitHub repository disabled notice page

How the breach was uncovered

The first to reveal this intrusion were security service provider Cloudsmith and the open-source malware analysis community OpenSourceMalware. Both described essentially the same scenario: when users ran the tampered programs inside AI programming tools, the malicious code silently collected sensitive information from the system — passwords, tokens, cloud service credentials — and sent it back to servers controlled by the attackers.

Tech media outlet 404 Media was first to break the news, and Microsoft later acknowledged the repository takedowns. Microsoft spokesperson Ben Hopper responded cautiously to TechCrunch:

"To investigate potential malicious content, we have temporarily removed some code repositories. After verification, some repositories have been restored, while others will remain offline. The related investigation is still ongoing."

He added that "a small number of users who downloaded affected repository contents" had been notified, but when pressed for the exact number of impacted users, Microsoft gave no answer. This style of response is familiar — most likely it's not just a few, they simply don't want to say.

Why this case deserves special attention: the unique supply chain nature of AI programming tools

Supply chain attack is not a new term. In recent years, from event-stream and ua-parser-js to various hijacked packages on PyPI, we’ve seen such incidents every few months. But this time, the targets chosen by hackers reflect an upgraded understanding of the developer ecosystem.

Consider typical usage scenarios for AI programming tools:

  • They commonly need to access the local file system to read your code, configuration, and .env files
  • They have to store API Keys to call models, meaning there’s always a plaintext or weakly encrypted key locally
  • They often run in agent form, authorized to execute shell commands
  • When developers use them, they’re often already sudo’ed, already logged in to cloud CLIs, already git config --global’ed with their email and token

This is a perfect attack surface. Once a CLI tool is implanted with malicious code, hackers can simultaneously obtain: the developer’s GitHub token, cloud provider credentials, model API Key — and possibly database connection strings. Far more valuable than the Bitcoin wallet-stealing scripts of 2018.

OpenSourceMalware analysis specifically pointed out that many of the malicious payloads in this incident were obfuscated Python/Node scripts disguised as logging or telemetry functions, nearly indistinguishable to ordinary developers.

This is the second breach of Microsoft repositories within a month

The timeline is particularly awkward. In mid-May, security researchers found that Microsoft's open-source Durable Task project targeting developers had been attacked. OpenSourceMalware explicitly stated that in this incident, Durable Task suffered a "second compromise" — meaning Microsoft had not completely cleaned out the backdoor last time, or the attackers retained some persistent access mechanism.

Just a week earlier, late May, Wall Street News reported an even more shocking figure: about 3,800 internal GitHub repositories were breached, triggered by an employee installing a malicious VS Code plugin. Attackers even offered the source code on underground forums for $50,000.

Connecting these three events:

| Date | Event | Entry point | |---|---|---| | Mid-May 2026 | Durable Task project first implanted with malicious code | Not disclosed | | Late-May 2026 | 3,800 internal GitHub repositories stolen | Employee installed malicious VS Code plugin | | Early-June 2026 | 70+ open-source repositories implanted with credential-stealing programs, Durable Task compromised again | Under investigation |

This is not an isolated incident, but a clear attack chain: hackers first enter Microsoft employees’ development environments via plugins or other means, then use this to taint Microsoft's official open-source projects, and finally spread through the supply chain to all developers downloading these projects. In Microsoft’s 8th year owning GitHub, the platform’s trust foundation is being repeatedly shaken.

What developers should do now

For developers reading this article, instead of waiting for Microsoft’s official statement, it’s better to self-check now:

  1. Check dependency update records from the past 30 days. If your project uses azure-*, Claude Code CLI, gemini-cli related SDKs, look at your lockfile for version numbers and release dates.
  2. Rotate keys. GitHub Personal Access Tokens, cloud provider Access Keys, model API Keys — rotate them all, especially those with * scope.
  3. Audit VS Code plugins. This has been the most underestimated attack entry point in all supply chain incidents over the past six months. Disable unused plugins, those not updated for months, and those with installation counts below a certain threshold.
  4. Isolate AI agent execution environments. Run them in containers or devcontainers instead of directly on the host, and use read-only tokens instead of granting write permissions.
  5. Track OpenSourceMalware’s public IOC list, and add known malicious domains to your firewall’s block list.

A note on item 2: many developers store model API Keys directly in ~/.zshrc or the .env file at the project’s root, and malicious scripts can simply cat these to exfiltrate them. After this incident, it’s advisable to at least use keychain, pass, or your cloud provider’s secret manager.

The boom in AI programming tools corresponds to an expansion of attack surfaces

Looking back, 2025–2026 were the years AI programming tools truly went mainstream. The installation growth curves of tools like Claude Code, Gemini CLI, Cursor, and Windsurf almost matched the rise in attention from cybercriminals.

This incident rings a loud alarm for the industry: when a CLI tool holds both “read all source code” and “execute arbitrary commands” privileges, its supply chain security level should match that of financial infrastructure. But in reality, most AI tool release processes are still at the "npm publish then tweet" stage.

Microsoft’s removal of 70 projects is just the beginning. It’s foreseeable that more similar incidents will be exposed in the coming weeks — not because attacks have suddenly increased, but because people are finally paying serious attention to the supply chain column.

Final thoughts

Microsoft, as one of the top-tier security-capable companies in the industry, having its own maintained open-source projects breached twice in a month, in itself serves as a lesson for all developers relying on the GitHub ecosystem. Open source does not equal security auditing, and being hosted under a big tech account does not mean immunity to supply chain attacks.

What can be done now is to depend less on default trust, and be more vigilant with every install. While AI helps you write code, make sure the code it writes isn’t pre-written by someone waiting for you to run it.

References

Related Articles

View All

Contact Us

We usually reply quickly during business hours

Scan WeChat

Support: Hub Assistant

WeChat ID: