For the 2nd time in weeks, Microsoft packages laced with credential stealer
Ars Technica AI · Dan Goodin · 2026-06-08
73 cryptographically signed Microsoft open source packages were compromised with credential-stealing malware that activated when developers opened them in AI coding agents, marking the second such supply chain attack on Microsoft packages in weeks.
Extraction
Topics: supply-chain-security, credential-stealing, ai-coding-agents, open-source-security, microsoft-security
Claims
- 73 Microsoft-signed open source packages were found to contain advanced credential-stealing code triggered specifically when developers opened them in AI coding agents.
- GitHub's automated systems blocked the packages but characterized the removal as a terms-of-service violation rather than explicitly warning users of malicious content.
- Microsoft did not publicly acknowledge the possibility of malicious content until Monday, days after GitHub had already blocked the packages.
- Developers who used AI agents to interact with the affected packages should treat their systems as compromised.
- This is the second incident of Microsoft packages being laced with malicious code within a matter of weeks.
Key quotes
- Rather than noting they are malicious—and that developers who used AI agents to work with them should assume their systems are compromised—the Microsoft-owned GitHub said it disabled the packages 'due to a violation of GitHub's terms of service.'
- It wasn't until Monday that Microsoft even raised the possibility the packages were infected.
- We have temporarily removed some repositories as we investigate potential malicious content.