Microsoft Yanks 70+ GitHub Repos After Hackers Planted Credential-Stealing Malware

Microsoft and GitHub temporarily disabled at least 70 open-source repositories in June 2026 after researchers discovered that attackers had planted credential-stealing malware in projects tied to AI coding tools. The breach targeted developer passwords, authentication tokens, and session cookies — the digital keys that grant access to cloud infrastructure, internal systems, and proprietary codebases.

TL;DR: Microsoft and GitHub pulled over 70 repositories offline after attackers injected credential-stealing malware into open-source projects used by AI developers. The malicious code harvested passwords, session tokens, and authentication credentials from developer machines, prompting an emergency takedown and ongoing investigation.

What Happened to Microsoft’s Open-Source GitHub Repositories?

Microsoft and GitHub temporarily disabled at least 70 Microsoft-linked open-source repositories after researchers reported that attackers planted credential-stealing malware in projects tied to AI coding tools. The takedown occurred in early June 2026, with Microsoft confirming that an active investigation was underway to determine the full scope of the compromise and how many developers may have been affected.

The affected repositories were part of Microsoft’s broader open-source ecosystem — projects that developers freely clone, fork, and integrate into their own workflows. According to TechCrunch, which first reported the incident, the malicious code was specifically designed to harvest credentials from machines used by developers building AI applications. Microsoft moved quickly to restrict access to the compromised repositories once the intrusion was identified, preventing further downloads of the tampered code.

This was not a small-scale operation. The attackers targeted dozens of projects simultaneously, suggesting a coordinated effort rather than an opportunistic single-repo defacement. The scale of the takedown — over 70 repositories — indicates that the attackers had either compromised a shared access mechanism or exploited a systemic vulnerability across multiple projects. Microsoft has not yet disclosed the exact timeline of the intrusion, but the company confirmed that the affected repositories would remain offline until they could be fully audited and restored to a clean state.

Why does this matter? Open-source supply chain attacks have become one of the most effective vectors for compromising developer ecosystems. By injecting malicious code into trusted repositories, attackers can ride the credibility of major organizations like Microsoft to distribute malware to thousands of downstream users who would never suspect a legitimate Microsoft project of being compromised.

How Did Attackers Compromise the Repositories?

The exact initial access vector has not been publicly disclosed by Microsoft or GitHub as of the reporting date. However, security researchers familiar with similar supply chain attacks have pointed to several plausible methods the attackers may have used to gain write access to Microsoft’s repositories. The most likely scenarios include compromised developer credentials, stolen personal access tokens (PATs), or exploitation of misconfigured repository permissions that allowed unauthorized code pushes.

Supply chain attacks on GitHub repositories typically follow a recognizable pattern. An attacker first gains access to an account with commit privileges — either by phishing a maintainer, stealing an access token from a compromised machine, or exploiting an OAuth application with overly broad permissions. Once inside, the attacker injects malicious payloads into existing code files or adds new dependencies that execute during the build process. The changes are often subtle enough to avoid immediate detection, especially in large repositories with frequent commits from multiple contributors.

In this specific incident, the attackers appear to have been deliberate and methodical. Rather than targeting a single high-profile project, they planted malware across more than 70 repositories, which suggests they had sustained access and took time to distribute the malicious code broadly. The coordinated nature of the attack raises questions about whether the attackers exploited a shared infrastructure component — such as a common CI/CD pipeline, a shared authentication mechanism, or a compromised automation tool — that provided access to multiple repositories simultaneously.

GitHub’s audit logs and commit history will be critical for investigators reconstructing the attack timeline. Microsoft has not confirmed whether the compromised repositories shared common maintainers or whether the access was gained through a single point of failure. The company has also not ruled out the possibility that an insider threat contributed to the breach, though external attack vectors remain the more probable explanation given the pattern observed in similar incidents.

Could this have been prevented with stricter access controls? Many security experts argue that large open-source projects need mandatory multi-factor authentication for all contributors, branch protection rules that require code review before merging, and automated scanning of commits for known malicious patterns.

What Kind of Malware Was Planted in the Code?

The malware planted in Microsoft’s compromised repositories was specifically designed to steal credentials from developer machines. According to multiple reports, the malicious code targeted passwords, session tokens, authentication cookies, and other sensitive credentials stored on the local systems of developers who cloned or built the affected projects. The credential-harvesting functionality was tailored to extract data from browser storage, SSH key directories, configuration files, and environment variables commonly used in AI development workflows.

The malware operated by embedding itself into the build process or runtime execution of the affected projects. When a developer cloned an infected repository and ran the build commands — a routine step in any development workflow — the malicious code would execute silently in the background. It would then scan the developer’s machine for stored credentials, collect them, and exfiltrate the data to attacker-controlled servers. The stealthy nature of the payload meant that many developers may have been infected without realizing anything was wrong, since the primary functionality of the compromised projects continued to work as expected.

This type of credential-stealing malware is particularly dangerous in the context of AI development. AI engineers frequently work with cloud-based GPU clusters, API keys for large language model services, and access tokens for proprietary datasets. A single compromised developer machine could expose credentials worth thousands of dollars in cloud compute costs or provide access to proprietary training data and model weights. The attackers clearly understood the value of the targets they were going after — the malicious code was not generic spyware but was specifically crafted to target the tools and environments used by AI developers.

The sophistication of the malware suggests the attackers had prior knowledge of AI development workflows. They knew which files to target, which environment variables to scrape, and which credential stores to access. This level of specificity indicates either extensive reconnaissance or prior experience with developer tooling and cloud infrastructure.

Who Was the Primary Target of This Attack?

The primary targets of this attack were developers building AI applications and working with AI coding tools. The malicious code was specifically planted in repositories that AI developers would be likely to clone, fork, and integrate into their development environments. By targeting this specific group, the attackers aimed to steal credentials that would grant access to AI-related infrastructure — cloud compute resources, model training pipelines, API keys for large language model services, and proprietary datasets used in machine learning workflows.

AI developers represent an unusually high-value target for credential thieves. These engineers routinely have access to expensive cloud resources — GPU clusters that can cost thousands of dollars per hour to operate — as well as API keys for services like OpenAI, Anthropic, and Google Cloud that can be resold or abused for unauthorized usage. Compromised AI developer credentials could also provide access to proprietary model weights, training data, and research intellectual property that would be valuable to competitors or nation-state actors.

The attackers’ choice to target Microsoft’s open-source ecosystem was strategic. Microsoft maintains some of the most widely used developer tools and frameworks in the industry, and its GitHub repositories are trusted by millions of developers worldwide. By compromising Microsoft-hosted projects rather than obscure or unknown repositories, the attackers were able to leverage that trust to maximize the number of potential victims who would willingly download and execute the malicious code without suspicion.

Were any specific organizations or companies targeted, or was this a broad dragnet? Based on available reporting, the attack appears to have been a broad targeting of the AI developer community rather than a focused operation against specific companies. However, the credentials harvested from individual developers could have provided lateral access to corporate networks and proprietary systems, making the downstream impact potentially much larger than the initial victim count would suggest.

Which Microsoft Projects Were Affected?

Microsoft has not published a complete list of the affected repositories as of the reporting date. The company confirmed that at least 70 repositories were taken offline as a precautionary measure, but specific project names have not been disclosed. What is known from reporting is that the compromised repositories were tied to projects used by developers working with AI tools and frameworks — projects that would naturally attract AI engineers looking for utilities, libraries, and sample code to accelerate their development workflows.

The decision to withhold the full list of affected projects may be motivated by ongoing investigation concerns. Microsoft is likely working to identify all compromised code paths, notify affected developers, and ensure that the malicious payloads have been fully removed before restoring public access. Publishing the list prematurely could tip off the attackers about what investigators have discovered, or it could cause panic among developers who may have cloned affected repositories weeks or months before the breach was detected.

What developers should do immediately is check their recent GitHub activity for any clones or forks of Microsoft repositories, review their credential stores for unusual access patterns, and rotate any passwords or tokens that may have been exposed. Even if specific project names have not been disclosed, any developer who interacted with Microsoft open-source projects in recent months should consider themselves potentially affected and take proactive steps to secure their credentials and audit their development environments for signs of compromise.

How Did Microsoft and GitHub Respond?

Microsoft and GitHub temporarily disabled at least 70 Microsoft-linked open-source repositories after researchers reported that attackers planted credential-stealing malware in projects tied to AI development tools. The takedown occurred rapidly once the malicious code was identified, with both companies coordinating to restrict access before further developer credentials could be harvested. Microsoft confirmed it launched an active investigation into the scope of the breach.

The response followed a standard incident-handling protocol. Repositories were pulled offline, commit histories were frozen, and affected projects were flagged for manual review. GitHub’s security team worked alongside Microsoft engineers to trace the injected malware across the 70+ repositories. Could this response have come faster? That question remains under debate among security researchers monitoring the situation.

Microsoft also began notifying developers who had cloned or forked the compromised repositories prior to the takedown. These notifications included instructions for checking local environments for signs of credential theft. GitHub added security advisories to the affected project pages, warning users not to run code downloaded from those repositories during the exposure window.

The company has not yet disclosed how long the malicious code was present before detection. However, sources indicate the malware was designed to activate upon execution of specific build scripts, suggesting the attackers intended to remain undetected for as long as possible. Microsoft stated it would share more details once the investigation concludes.

What Should Developers Who Used These Repositories Do Now?

Developers who cloned, forked, or directly used any of the 70+ affected Microsoft open-source repositories should immediately rotate all credentials that were present on the same machines where the code was executed. This includes API keys, OAuth tokens, SSH keys, and passwords stored in credential managers or environment variables that the malware could have accessed. The malware was specifically designed to target credentials used by AI coding tools and services.

The first step is identifying whether any affected repository was used in your development environment. Microsoft published a list of the disabled repositories, and developers should cross-reference their local projects and CI/CD pipelines against this list. If a match exists, assume compromise. Don’t wait for confirmation.

After rotating credentials, developers should audit their recent activity logs across all connected services. Look for unauthorized access patterns, unfamiliar API calls, or suspicious login locations. Pay special attention to AI-related services like OpenAI, Anthropic, or Azure AI endpoints, since the malware was tailored to extract credentials from these platforms specifically.

Security researchers recommend running a full malware scan on any machine that executed code from the compromised repositories. Standard antivirus tools may not catch the malicious payloads, since they were embedded within legitimate-looking build scripts. Using specialized tools designed to detect supply chain attacks would be prudent. Are your CI/CD pipelines clean? You should verify that too.

Finally, developers should monitor Microsoft’s security advisories and the GitHub Security Lab blog for updates. As the investigation progresses, Microsoft may release additional guidance, including specific indicators of compromise that can help identify whether credentials were actually exfiltrated.
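
The cross-referencing step described above can be scripted. The following is an added example, not code from Microsoft, GitHub, or the original article: it walks a directory tree, reads the remote URLs of every local clone, and reports those whose `owner/repo` slug appears on an advisory list. The slugs in `ADVISORY_REPOS` are constructed placeholders, and the function names are this example's own.

```python
import re
import sys
from pathlib import Path

# Constructed placeholder slugs, NOT real affected projects. Replace them with
# the owner/repo names from the vendor's published list or advisory.
ADVISORY_REPOS = {
    "example-org/placeholder-ai-toolkit",
    "example-org/placeholder-agent-samples",
}

# Matches https://, ssh://, git:// and scp-style (git@github.com:owner/repo) remotes.
_GITHUB_REMOTE = re.compile(
    r"^(?:[a-z+]+://)?(?:[^@/]+@)?github\.com[:/]"
    r"(?P<owner>[^/]+)/(?P<repo>[^/]+?)(?:\.git)?/?$",
    re.IGNORECASE,
)


def normalize_remote(url):
    """Reduce any GitHub remote URL form to a lowercase 'owner/repo' slug."""
    match = _GITHUB_REMOTE.match(url.strip())
    if not match:
        return None
    return f"{match['owner']}/{match['repo']}".lower()


def remote_urls(config_text):
    """Collect url/pushurl values from the [remote "..."] sections of a git config."""
    urls, in_remote = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_remote = line.lower().startswith("[remote ")
        elif in_remote and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("url", "pushurl"):
                urls.append(value.strip())
    return urls


def find_affected_clones(root, advisory=ADVISORY_REPOS):
    """Return sorted (git_dir, slug) pairs for clones whose remote is on the list."""
    wanted = {slug.lower() for slug in advisory}
    hits = set()
    # A directory holding both 'config' and 'HEAD' is a git dir; this also covers
    # bare repositories and submodules stored under .git/modules/.
    for cfg in Path(root).rglob("config"):
        if not cfg.is_file() or not (cfg.parent / "HEAD").is_file():
            continue
        text = cfg.read_text(encoding="utf-8", errors="replace")
        for url in remote_urls(text):
            slug = normalize_remote(url)
            if slug in wanted:
                hits.add((str(cfg.parent), slug))
    return sorted(hits)


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for git_dir, slug in find_affected_clones(scan_root):
        print(f"MATCH {slug}: {git_dir}  (treat credentials on this host as exposed)")
```

Run it on each workstation and CI runner image against the directory that holds your checkouts; a match identifies a clone, not proof that the payload executed.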

How Does This Attack Compare to Other Supply Chain Incidents?

This breach shares core characteristics with several high-profile supply chain attacks from recent years, though the targeting of AI developer credentials represents a notable evolution in attacker focus. The technique of injecting malicious code into trusted open-source repositories mirrors the approach seen in the XZ Utils backdoor incident and the Codecov bash uploader compromise, where attackers modified widely-used tooling to steal sensitive data from downstream users.

What distinguishes this attack is its specificity. The malware was not designed as a general-purpose credential harvester. It was built to target developers working with AI tools and services, reflecting the growing value of AI-related credentials on underground markets. API keys for large language model services can fetch significant prices because they provide access to computational resources that attackers can exploit for their own purposes.

The scale also differs from some earlier incidents. With 70+ repositories compromised simultaneously, the blast radius is substantial. However, compared to incidents like the SolarWinds Orion compromise, which affected thousands of organizations, the direct impact appears more contained. The affected repositories were specifically Microsoft open-source projects, which limits the pool of potentially exposed developers to those using those particular tools.

A comparison table helps illustrate how this incident stacks up:

Incident                | Year | Method                  | Target                   | Repositories Affected
Microsoft GitHub Breach | 2026 | Malware injection       | AI developer credentials | 70+
XZ Utils Backdoor       | 2024 | Compromised maintainer  | SSH authentication       | 1
Codecov Bash Uploader   | 2021 | Modified CI script      | CI/CD credentials        | 1
SolarWinds Orion        | 2020 | Build system compromise | Government & enterprise  | N/A
ua-parser-js            | 2021 | Account takeover        | Cryptominer deployment   | 1

The table shows that while the number of compromised repositories is higher than most prior incidents, the attack followed a familiar playbook. The innovation lies in the target selection, not the methodology.

What Does This Breach Reveal About Open-Source Security?

This incident exposes fundamental weaknesses in how the software industry trusts and verifies code from even the most reputable sources. Microsoft is one of the largest contributors to open-source software globally, and its repositories are generally considered among the most trustworthy on GitHub. When attackers can compromise 70+ Microsoft-maintained repositories, it signals that the trust model underlying open-source consumption has structural vulnerabilities that current safeguards do not adequately address.

The breach highlights that repository maintainer accounts themselves are high-value targets. If an attacker can gain access to a maintainer’s GitHub credentials or exploit a vulnerability in GitHub’s infrastructure, the downstream effects are massive. Every developer who clones that code implicitly trusts the source, rarely verifying that the code matches what they expect. This trust is exactly what the attackers exploited.

Open-source security relies heavily on community vigilance and transparency. But when malicious code is inserted into repositories managed by a corporation like Microsoft, the assumption is that institutional controls provide an additional layer of protection. This incident proves that assumption wrong. Institutional oversight did not prevent the breach, and the malicious code persisted long enough to potentially affect many developers before detection.

The attack also underscores the risks of executing build scripts and dependency installers without thorough review. Modern development workflows encourage rapid iteration, often at the expense of security review. Developers routinely run npm install, pip install, or execute build scripts without examining the underlying code. This convenience creates an attack surface that supply chain attackers are increasingly targeting.

Can Similar Attacks Be Prevented in the Future?

Preventing similar attacks requires changes at multiple levels of the software supply chain, from individual developer practices to platform-level security controls. No single measure can fully eliminate the risk of supply chain compromises, but layered defenses can significantly reduce the likelihood and impact of such incidents.

At the platform level, GitHub and other code-hosting services could implement stricter commit verification requirements for organizations managing large numbers of repositories. Requiring multi-factor authentication for all maintainer accounts, enforcing signed commits, and adding automated scanning for suspicious code patterns could help catch malicious injections before they reach downstream users.

For organizations like Microsoft that maintain dozens or hundreds of open-source projects, implementing continuous monitoring of repository integrity is essential. This includes automated diff analysis between expected and actual repository states, anomaly detection for unusual commit patterns, and regular security audits of build scripts and dependency configurations.

Developers themselves must adopt more cautious practices when consuming open-source code. The following steps can reduce individual exposure:

  • Verify repository ownership and maintainer identity before cloning
  • Review build scripts and install hooks before executing them
  • Use isolated environments for building and testing unfamiliar code
  • Rotate credentials regularly, especially high-value API keys
  • Monitor service activity logs for unauthorized access attempts
  • Pin dependencies to specific, verified commit hashes rather than branch heads
  • Use lockfiles to detect unexpected changes in dependency trees
  • Subscribe to security advisories for all major dependencies in your projects
  • Implement network egress controls to catch unexpected data exfiltration
  • Consider using reproducible builds to verify that compiled artifacts match expected outputs

None of these measures are foolproof on their own. But together, they create multiple barriers that attackers must overcome, increasing the cost and complexity of mounting a successful supply chain attack.
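
Two items from the checklist above, reviewing install hooks before running them and pinning to commit hashes rather than branch heads, lend themselves to a pre-build check. This is an added example, not tooling from Microsoft, GitHub, or the original article: it lists the npm lifecycle scripts that would run on `npm install` and flags GitHub Actions `uses:` references that are not pinned to a full 40-character commit SHA. Workflow files are matched line by line with a regular expression rather than a YAML parser, which is a simplification.

```python
import json
import re
import sys
from pathlib import Path

# Scripts npm runs automatically as part of a local `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
# Simplification: `uses:` lines are matched by regex, not parsed as YAML.
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")


def npm_install_hooks(package_json_text):
    """Return the lifecycle scripts npm would run on install, keyed by hook name."""
    scripts = json.loads(package_json_text).get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def unpinned_actions(workflow_text):
    """Return `uses:` references that are not pinned to a full commit SHA."""
    findings = []
    for line in workflow_text.splitlines():
        match = USES.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        _, _, version = ref.partition("@")
        if not FULL_SHA.fullmatch(version):
            findings.append(ref)  # tag or branch: the target can change under you
    return findings


def audit_repo(root):
    """Return (relative_path, finding_type, detail) tuples to review before building."""
    root = Path(root)
    findings = []
    for pkg in sorted(root.rglob("package.json")):
        rel_path = pkg.relative_to(root)
        if "node_modules" in rel_path.parts:
            continue  # vendored dependencies need their own review
        rel = rel_path.as_posix()
        try:
            hooks = npm_install_hooks(pkg.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, AttributeError, TypeError):
            findings.append((rel, "unparseable package.json", ""))
            continue
        findings.extend((rel, f"npm {hook}", cmd) for hook, cmd in hooks.items())
    workflows = root / ".github" / "workflows"
    if workflows.is_dir():
        for wf in sorted(workflows.glob("*.y*ml")):
            rel = wf.relative_to(root).as_posix()
            text = wf.read_text(encoding="utf-8", errors="replace")
            findings.extend((rel, "unpinned action", ref) for ref in unpinned_actions(text))
    return findings


if __name__ == "__main__":
    for path, kind, detail in audit_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {kind}: {detail}")
```

A hook appearing in the output is a prompt to read the script it points to, not a verdict; `npm install --ignore-scripts` installs dependencies without running them while you review.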

Frequently Asked Questions

How many repositories did Microsoft disable after the breach?

Microsoft and GitHub temporarily disabled at least 70 Microsoft-linked open-source repositories following the discovery of credential-stealing malware. The repositories were pulled as a precautionary measure while the investigation into the full scope of the compromise continues.

Were any Microsoft-internal systems compromised in this attack?

Based on available reporting, the attack targeted public open-source repositories on GitHub rather than Microsoft’s internal development infrastructure. Microsoft has not disclosed whether any internal systems were affected, but the malware appeared focused on harvesting credentials from external developers who used the compromised repositories.

Is it safe to use Microsoft open-source projects on GitHub right now?

Microsoft has restored access to repositories that passed its security review, but developers should exercise caution with any code cloned during the exposure window. Checking Microsoft’s official security advisories and the GitHub Security Lab for project-specific guidance is strongly recommended before resuming use of any previously affected repository.

What specific credentials were the attackers trying to steal?

The malware was designed to steal passwords and credentials specifically from developers using AI coding tools and services. This includes API keys for AI platforms, authentication tokens, and potentially SSH keys or other credentials stored on developer machines that executed the compromised code.

Summary

The breach of 70+ Microsoft open-source GitHub repositories represents a significant supply chain attack with clear implications for the broader developer community:

  • Scale and targeting: Attackers compromised over 70 repositories to plant malware specifically designed to harvest AI developer credentials, reflecting the growing value of AI-related access on underground markets.
  • Response speed matters: Microsoft and GitHub acted quickly to disable affected repositories, but the exposure window before detection remains unknown, meaning developers who used these projects should take immediate protective action.
  • Trust is a vulnerability: The incident proves that even code from major corporations like Microsoft cannot be blindly trusted, and developers must verify before executing build scripts or installing dependencies.
  • Supply chain attacks are evolving: The targeting of AI developer credentials marks a shift from general-purpose credential theft toward specialized, high-value targets that reflect current technology trends.
  • Layered defense is essential: Preventing future incidents requires platform-level controls, organizational vigilance, and individual developer practices working together to reduce the attack surface.

If you cloned or forked any Microsoft open-source repositories recently, rotate your credentials now and audit your environment for signs of compromise. Stay informed by following Microsoft’s security advisories and the GitHub Security Lab blog as this investigation develops.