What happened
Microsoft temporarily removed at least 70 open-source projects from GitHub after hackers injected password-stealing malware into their code. The compromised repositories, including those related to Azure services and tools used by developers with AI development apps such as Claude Code, Gemini's command-line interface, and VS Code, were flagged by security firms Cloudsmith and OpenSourceMalware. This incident marks the second known breach of Microsoft's open-source projects in recent weeks, including a reported re-compromise of the Durable Task project; the malware allowed credential theft when developers opened affected tools in their AI coding applications.
Why it matters
Supply chain attacks targeting widely used open-source components, even from major vendors, directly threaten developer credentials and cloud system access. Malware embedded within foundational development tools, such as those for AI coding, compromises sensitive data when developers interact with them. This event, following a similar breach of Microsoft's Durable Task project in May, highlights a persistent vulnerability in the software supply chain, eroding trust in essential development infrastructure.
