Microsoft's Open Source Projects Compromised in Password-Stealing Malware Attack
Key Takeaways
- At least 70 Microsoft open source projects were compromised with password-stealing malware, affecting Azure and AI development tools
- The malware was designed to steal developer passwords and credentials when the tools were used in AI coding applications
- This is Microsoft's second major breach of its open source projects in recent weeks, suggesting possible persistent attacker access or a recurring weakness
Summary
Microsoft has temporarily disabled access to at least 70 of its open source projects hosted on GitHub after discovering they had been breached and injected with password-stealing malware. The compromised projects include tools related to Microsoft's Azure cloud service and widely used AI development applications such as Claude Code, Gemini's CLI, and VS Code. According to the security firms Cloudsmith and OpenSourceMalware, the malware was designed to steal users' passwords and other sensitive credentials when the affected tools were opened inside AI coding environments.
The exact scale of the breach remains unclear. Microsoft has confirmed only that it "temporarily removed some repositories" for investigation and has notified a limited number of potentially affected customers. Some repositories have been restored after review; others remain offline pending further investigation. This is the second known breach of Microsoft's open source projects in recent weeks, following the May compromise of the Durable Task project, and it raises the question of whether Microsoft fully eradicated the earlier intrusion or whether this is an entirely separate incident.
The incident exemplifies the growing threat of supply chain attacks on open source projects: attackers compromise widely used code in order to reach its downstream users, who often hold elevated permissions to cloud systems and customer data. Such attacks typically target individual open source maintainers; it is comparatively rare for a major technology company with Microsoft's security resources to suffer one.