On Hacker News

Microsoft's open source tools were hacked to steal passwords of AI developers

295 points, 121 comments, 1 notable voice

The 5-second version

  • Microsoft disabled at least 70 GitHub repositories after hackers injected password-stealing malware into open source projects used for AI development with tools like Claude Code, Gemini CLI, and VS Code.
  • The malware stole passwords and sensitive credentials when developers opened compromised tools in their AI coding applications, constituting a supply chain attack.
  • This marks Microsoft's second known breach of its open source projects in weeks, following a mid-May compromise of the Durable Task project, with the latest incident possibly being a re-compromise.
  • Microsoft has restored some repositories after review but others remain offline, and the company notified a small number of customers who may have downloaded affected content.
  • Developers should verify repository integrity before pulling open source code, especially from high-profile targets, and monitor for direct communications from Microsoft regarding potential exposure.

Top voices

Verbatim comments from the thread's most notable / highest-karma participants.

sph (notable, 31.6k karma, 2 comments)
I haven’t worked on any web app in months, I don’t use LLMs, I update my Linux system once a month, and I increasingly feel I should just not do anything, not install or update any software and for the love of God, do not touch anything that’s shipped with npm. Most of my userspace apps are in Flatpak sandboxes (yeah they are not great), but otherwise it feels like isolation and airgapping is the most sensible solution for now, and it’ll get increasingly worse unless the vibe coders somehow lea…
shakna (15.3k karma)
You mean the company that failed their 2023 security review? [0]

> Individually, any one of the failings described above might be understandable. Taken together, they point to a failure of Microsoft’s organizational controls and governance, and of its corporate culture around security. Microsoft’s products and services are ubiquitous. It is one of the most important technology companies in the world, if not the most important. This position brings with it utmost and global responsibilities. It…
raincole (12.4k karma, 2 comments)
> steal passwords of AI developers

What does this even mean? The malware specifically steals passwords from developers who use AI? From those who develop AI tool? Or it steals API tokens, which serve a similar function as passwords do for humans? Is this what journalism looks like today? Just slap the two holy letters on the title and you get views? (Yes, I read the article. No, I still don't think the title makes sense. You can skip this techchurch slop and read the real information here: h…
JdeBP (8.5k karma)
These seem related:

* https://news.ycombinator.com/item?id=48418318 (The Blight Reaches Microsoft: 73 Repos Disabled in 105 Seconds)
* https://news.ycombinator.com/item?id=48450543 (Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled After Supply Chain Attack Targeting AI Coding Agents)
* https://news.ycombinator.com/item?id=48416155
* https://news.ycombinator.com/item?id=48416269 (Miasma Worm Targets AI Coding Agents via GitHub Repos)