Microsoft Disables 70+ GitHub Repos After Password-Stealing Malware Injected
Hackers compromised Azure and AI development tools in a supply chain attack targeting developer credentials.

Microsoft has disabled access to more than 70 of its open-source projects on GitHub after discovering that hackers injected password-stealing malware into the code repositories. The compromised projects include tools related to Microsoft's Azure cloud platform and development environments commonly used for AI coding applications.
The malware was designed to harvest user passwords and sensitive credentials when developers opened the affected tools in AI coding applications such as Claude Code, Gemini's command line interface, and Visual Studio Code. Security firm Cloudsmith and the community-driven analysis site OpenSourceMalware were among the first to identify and report the breach.
Why it matters
This incident highlights the vulnerability of software supply chains, even at major technology companies with substantial security resources. When widely used development tools are compromised, the potential blast radius extends to thousands of developers and the applications they build. For organizations relying on open-source components in their AI development workflows, this breach underscores the need for rigorous code verification and security scanning practices, regardless of the source's reputation.
A recurring security problem
This marks the second known breach of Microsoft's open-source projects in recent weeks. In mid-May, security researchers reported that Microsoft's Durable Task project—a tool for building applications—had been hacked. According to OpenSourceMalware, the latest incident represents a "re-compromise" of the Durable Task project, suggesting Microsoft may not have fully removed the attackers during its initial remediation efforts, or that a separate breach occurred.
The exact number of users who downloaded the compromised tools remains unknown. Microsoft confirmed it removed the affected repositories but has not provided additional details about the scope of the breach or its investigation.
Supply chain attacks on the rise
This breach exemplifies a growing trend of supply chain attacks targeting open-source projects. These attacks are particularly effective because compromised code can reach large numbers of users who trust the source. Developers who install malicious packages may inadvertently grant attackers access to cloud systems and sensitive customer data.
While individual open-source maintainers are frequently targeted by hackers—sometimes through elaborate social engineering campaigns designed to build trust over time—breaches at well-resourced technology giants like Microsoft are less common. The incident raises questions about security practices for maintaining open-source projects, even within large organizations.
When attempting to access the disabled repositories, users now see a message stating: "Access to this repository has been disabled by GitHub Staff due to a violation of GitHub's terms of service."
These details were first reported by 404 Media. Microsoft acknowledged inquiries about the incident but has not yet provided an official statement.
This is an original analysis by the Omega editorial team. Source reporting: AI Watch.