\n<\/p>\n
Microsoft has cut off access to dozens of its open-source projects hosted on GitHub as it investigates how hackers apparently breached the projects and injected password-stealing malware into the code.<\/p>\n
Many of the affected projects relate to Microsoft\u2019s cloud service Azure and other tools used by developers to code with AI development apps, such as Claude Code, Gemini\u2019s command line interface, and VS Code.<\/p>\n
According to security firm Cloudsmith<\/a> and community-driven malware analysis site OpenSourceMalware<\/a>, who were some of the first to flag the hack, the malware allowed the hackers to steal the user\u2019s passwords and other sensitive credentials when they opened the compromised tools in their AI coding apps.<\/p>\n It\u2019s not immediately known how many people have downloaded the affected tools.<\/p>\n Microsoft confirmed it pulled the repos, as first reported by 404 Media<\/a>. A Microsoft spokesperson acknowledged receipt of our email, but did not immediately comment.<\/p>\n At least 70 projects belonging to Microsoft have been \u201cdisabled,\u201d per a message loading when trying to access the projects\u2019 pages on GitHub, a code-hosting site that Microsoft owns. \u201cAccess to this repository has been disabled by GitHub Staff due to a violation of GitHub\u2019s terms of service.\u201d<\/p>\n This is the latest example in recent months<\/a> of hackers breaching widely popular open-source projects with the aim of planting malware on a large number of users who have the code installed on their computers. These hacks are known as \u201csupply chain\u201d attacks as they target code that is often used in a large number of software products, or by a specific kind of user, which may be advantageous to hack as they sometimes have access to cloud systems and large amounts of customers\u2019 data.<\/p>\n While it\u2019s not uncommon for sole developers of open source projects to be targeted by hackers \u2014 in some cases as part of long-running efforts to gain the trust of the developer<\/a> \u2014 it is rare for large tech giants like Microsoft, which have the resources to defend against these kinds of attacks, to get breached..<\/p>\n This is Microsoft\u2019s second known breach over the past few weeks that has allowed hackers to compromise its open-source projects, per Ars Technica<\/a>. In mid-May, security researchers said that Microsoft\u2019s open source project Durable Task, a tool that helps developers build apps, was hacked. OpenSourceMalware said that Microsoft\u2019s latest incident is a \u201cre-compromise\u201d of the Durable Task project, suggesting that Microsoft may not have eradicated the hackers on its first attempt or an entirely new, distinct breach.<\/p>\n<\/div>\n When you purchase through links in our articles, we may earn a small commission<\/a>. This doesn\u2019t affect our editorial independence.<\/em><\/p>\n