Hackers Planted Password-Stealing Malware in Microsoft's Own Open Source Code on GitHub

What Happened
Hackers broke into dozens of Microsoft's open source projects hosted on GitHub and injected malware designed to steal passwords and credentials from developers. According to TechCrunch, at least 70 Microsoft repositories were disabled as of June 8, 2026.
The affected projects are NOT obscure side projects. They include tools tied to Microsoft's Azure cloud platform and AI development environments — specifically apps used with Claude Code, Google Gemini's command line interface, and Visual Studio Code. These are tools used by professional developers, every day, at scale.
How the Attack Worked
Security firm Cloudsmith and community malware analysis site OpenSourceMalware were among the first to flag the compromise. When developers opened the infected tools inside their AI coding apps, the malware activated and harvested passwords and other sensitive credentials.
This is a supply chain attack — attackers poison a widely-used tool instead of targeting victims individually. If you downloaded a compromised package, you got infected.
Microsoft's Response
Microsoft spokesperson Ben Hope told TechCrunch the company "temporarily removed some repositories" while investigating "potential malicious content." Hope added that some repos have been restored after review, while others remain offline.
Microsoft has not disclosed how many developers downloaded the infected code. Hope told TechCrunch only that a "small number of customers" were notified.
GitHub — which Microsoft owns — displayed this message on the disabled repositories: "Access to this repository has been disabled by GitHub Staff due to a violation of GitHub's terms of service." The framing is technically accurate but misleading. It suggests Microsoft violated its own terms rather than that Microsoft got hacked.
The Security Implications
Supply chain attacks against solo open source developers are common. Hackers sometimes spend months cultivating trust with a maintainer before making their move. A breach at a company the size of Microsoft — with a dedicated security division, billions in cybersecurity spending, and ownership of the platform where the hack occurred — is different.
Microsoft runs GitHub. Microsoft writes the code. Microsoft owns the infrastructure. Hackers still got in and planted malware.
According to TechCrunch, this is Microsoft's second known breach in recent weeks. The outlet didn't detail the first breach in available reporting, but the pattern is significant. Two breaches in quick succession at the world's largest software company suggest a broader problem.
Open Questions
Most tech media coverage is treating this as a standard security incident — company got hacked, company responded, story over. Several critical details remain unanswered:
- How did the hackers get write access to Microsoft's repos? Compromising an open source maintainer account is one thing. Compromising dozens of Microsoft's own repositories requires either stolen credentials at a significant level or an insider.
- Why is Microsoft not disclosing the scope? "A small number of customers" is meaningless without a number. Developers deserve to know if their credentials were exposed.
- What is Microsoft doing differently going forward? Hope's statement was corporate boilerplate. No specifics on remediation, no timeline, no accountability.
404 Media first confirmed Microsoft pulled the repos. TechCrunch followed with the only on-record quote from Microsoft. Most other coverage has rephrased those two sources.
What Developers Should Do
If you used Azure tools, Claude Code integrations, Gemini CLI tools, or VS Code extensions sourced from Microsoft's GitHub repositories in recent weeks — check your credentials now. Change passwords. Rotate API keys. Assume anything your development environment touched could be compromised.
For organizations: the software your developers use is part of your attack surface. Most IT security teams don't have eyes on every npm package or open source dependency engineers pull down. That gap is exactly what attackers exploit.
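As an added illustration of the visibility gap the paragraph above describes, the following Python script (written for this page, not code from the article, from Microsoft or from GitHub) audits an npm package-lock.json and flags dependencies that were fetched from somewhere other than the expected registry, or that carry no integrity hash pinning the tarball contents. The lock file, package names, registry URL and hash values below are constructed for the example; the audit logic handles lockfile versions 1, 2 and 3.

```python
import json

# Registry that fetched tarballs are expected to come from (assumed default).
TRUSTED_REGISTRY = "https://registry.npmjs.org/"


def _entries(lock):
    """Yield (package name, metadata) pairs from lockfileVersion 1, 2 or 3."""
    if "packages" in lock:                          # lockfileVersion 2/3: flat map
        for path, meta in lock["packages"].items():
            if path == "":
                continue                            # the root project itself
            yield path.rsplit("node_modules/", 1)[-1], meta
    else:                                           # lockfileVersion 1: nested tree
        stack = list(lock.get("dependencies", {}).items())
        while stack:
            name, meta = stack.pop()
            yield name, meta
            stack.extend(meta.get("dependencies", {}).items())


def audit_lockfile(lock_text, trusted_registry=TRUSTED_REGISTRY):
    """Return (package, reason) findings for entries that are not pinned to an
    integrity-checked tarball from the trusted registry."""
    lock = json.loads(lock_text)
    findings = []
    for name, meta in _entries(lock):
        if meta.get("link"):
            continue                                # workspace symlink: nothing fetched
        resolved = meta.get("resolved") or ""
        if not resolved and "://" in meta.get("version", ""):
            resolved = meta["version"]              # v1 lockfiles record git deps here
        if not resolved:
            findings.append((name, "no resolved URL recorded"))
            continue
        if not resolved.startswith(trusted_registry):
            findings.append((name, f"fetched outside the registry: {resolved}"))
        if not meta.get("integrity"):
            findings.append((name, "no integrity hash; tarball contents are not pinned"))
    return findings


# Constructed lock file: one clean package, one pulled straight from a git URL
# (no integrity hash either), one registry package that lacks an integrity hash.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/demo-logger": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/demo-logger/-/demo-logger-1.3.0.tgz",
            "integrity": "sha512-CONSTRUCTEDHASHVALUE==",
        },
        "node_modules/example-cli-helper": {
            "version": "0.2.0",
            "resolved": "git+ssh://git@github.com/example-org/example-cli-helper.git#abc123",
        },
        "node_modules/@scope/widget": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/@scope/widget/-/widget-2.0.0.tgz",
        },
    },
})


if __name__ == "__main__":
    for package, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{package}: {reason}")
```

Run against a real project's package-lock.json by replacing SAMPLE_LOCK with the file contents; anything fetched from a git URL or an unexpected host, or lacking an integrity hash, is a dependency the lock file does not actually pin, and therefore one a security team has no reproducible record of.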
Microsoft is a $3 trillion company. If their own repos on their own platform can be weaponized against their own customers, smaller organizations cannot assume their software supply chain is secure. The company needs to provide straight answers: how many were affected, how did this happen, and what's fixed.