Microsoft shuts down dozens of compromised GitHub repositories after hackers target AI developers to steal passwords and cloud tokens.
The global scramble to deploy artificial intelligence models has introduced a highly lucrative new target for international cybercriminals: the AI developers themselves. In a startling reminder of the vulnerabilities embedded within modern software supply chains, hackers have successfully infiltrated a series of open-source projects hosted by Microsoft on GitHub. The compromised repositories were meticulously altered to deliver password-stealing malware explicitly engineered to siphon credentials, API keys, and cloud tokens from software engineers.
As reported by TechCrunch, Microsoft was forced to take immediate, drastic action by shutting down dozens of public code repositories associated with its Azure and AI coding ecosystems. The sweeping cleanup operation highlights a tactical shift in the cyber threat landscape, where bad actors are shifting focus from attacking localized enterprise servers to poisoning the upstream tools that developers trust blindly.
The attack chain represents a classic, highly targeted supply chain intrusion. By exploiting compromised maintainer accounts or executing sophisticated social engineering maneuvers, the threat actors injected malicious, obfuscated code directly into the installation files of popular, public developer tools.
When an unsuspecting AI researcher or data scientist cloned the affected repository or installed the package into their local workstation, the software appeared to function normally. Behind the scenes, however, the hijacked installer quietly dropped an advanced information-stealing payload.
According to threat intelligence disclosures by Microsoft Security, these malvertising and repo-poisoning campaigns have expanded with alarming velocity throughout early 2026. The injected malware bypasses traditional security tools by utilizing legitimate, valid code-signing certificates, effectively tricking both the underlying operating system and local security protocols into verifying the application as completely safe.
The OpenSSF AI Security Threats Analysis video outlines the critical vulnerabilities that open-source maintainers face, detailing how automated coding practices and dependency confusion are actively weaponized by modern threat actors to compromise software repositories.
The underlying objective of this campaign reaches far beyond stealing standard personal email passwords or social media credentials. The malware was intentionally designed to sweep local environments for highly sensitive corporate infrastructure data:
-
Cloud Identity Harvesting: The infostealer actively scrapes developer environments and CI/CD (Continuous Integration/Continuous Deployment) runners to intercept Azure, AWS, and Google Cloud platform access tokens.
-
Proprietary Model Access: By targeting AI developers, hackers successfully acquired proprietary OpenAI, Anthropic, and Hugging Face API tokens, granting them free, unmonitored compute resources and exposure to private data models.
-
Persistent Local Access: The software establishes deeply hidden registry keys that mimic official Windows Security components, allowing the infection to survive system reboots undetected.
This deliberate focus on developer identities mirrors broader industry anxieties surrounding the “Miasma” worm and other self-replicating scripts tearing through open-source registries, as detailed by Cloudsmith. Once an attacker gains control of an active developer’s authenticated workstation, they can easily pivot deeper into live enterprise networks, manipulate proprietary enterprise codebases, or trigger massive data leaks.
The incident arrives at a precarious moment for software development security. As organizations rush to integrate automated generative platforms, engineering teams are increasingly turning to open-source components without conducting exhaustive code audits. Security maintainers warning against the rise of unverified coding practices emphasize that accepting automated code suggestions without structural review creates vast, unpatched vulnerabilities that threat actors are highly eager to exploit.
Microsoft has since revoked the affected code-signing certificates and completely purged the compromised repositories from GitHub’s index to stall the infection wave. However, for the global development community, the breach serves as an urgent reminder: in the high-stakes race for artificial intelligence supremacy, the tools used to build the future are only as secure as the infrastructure protecting their code.
