Microsoft's open source tools were hacked to steal passwords of AI developers (techcrunch.com)

🤖 AI Summary
Microsoft has suspended access to numerous open source projects hosted on GitHub after discovering a breach that allowed hackers to inject password-stealing malware into the code. The affected projects primarily relate to Microsoft Azure and tools used for AI development, such as Claude Code and VS Code. Security firms identified that the malware captured users' passwords and other sensitive information when developers interacted with the compromised tools. While the precise number of impacted users remains unclear, Microsoft's response involved temporarily removing several repositories for investigation. This incident highlights significant vulnerabilities in open source software, especially as such attacks increasingly target widely used projects to exploit trust and access to sensitive data. Supply chain attacks are particularly concerning as they can affect a broad user base, including those with access to major cloud systems. Despite Microsoft’s substantial resources dedicated to security, this marks the second breach of its open source projects in recent weeks, raising questions about the effectiveness of current defenses against sophisticated threats. As Microsoft continues its investigation, the ripple effects of this breach could prompt enhanced security measures across the AI/ML community.