News: 0183716928


Microsoft Hacked To Deliver Malware To Claude and Gemini Users (404media.co)

(Tuesday June 09, 2026 @05:00PM (BeauHD) from the highly-unusual dept.)


An anonymous reader quotes a report from 404 Media:

> Microsoft has shut down a wave of its own repositories on GitHub, including those related to Azure and AI coding agents, as it investigates a data breach, according to research from cybersecurity researchers and a statement given to 404 Media by Microsoft. Hackers [1]planted malware that would harvest people's credentials when they opened it in AI coding tools like Claude Code or Gemini CLI, according to one set of researchers. The exact contours of the breach are unclear, but researchers say Microsoft has disabled more than 70 of its own repositories, and pointed to a particular package that was previously compromised.

>

> Last week, cybersecurity website [2]OpenSourceMalware.com, which acts as a clearing house for indicators of supply chain attacks so defenders can secure their own networks, and which also publishes its own write-ups, wrote about the mass disabling of Microsoft GitHub repositories. "GitHub disabled 73 Microsoft repositories across four of its GitHub organizations -- the entire Azure Functions org, the whole Durable Task family, and a row of AI sample apps -- in a 105-second sweep on June 5," the website [3]wrote on Friday. It is very unusual for any company, let alone Microsoft, to disable so many of its own repositories in one go. They include 49 related to Azure, Microsoft's cloud computing arm, and some concerning AI agents. The shutdown repositories also include ones related to durabletask, a Microsoft development tool.

>

> Researchers from StepSecurity [4]wrote on Friday that the GitHub closures came after a malicious commit was pushed to the durabletask repository. That attack planted configuration files that would harvest people's credentials when they opened the repository in Claude Code, Gemini CLI, Cursor, or VS Code, StepSecurity wrote.

Microsoft said in a statement: "Our priority is to protect customers and the broader ecosystem. We temporarily removed some repositories as we investigated potential malicious content. Some of these repos have been restored after review, while others may remain offline while work continues. As part of our investigation, we notified a small number of customers who may have pulled down content from the affected repositories. We will continue to investigate, and if anything further is identified that requires customer action, we will reach out directly through our established support channels."



[1] https://www.404media.co/microsoft-hacked-to-deliver-malware-to-claude-and-gemini-users/

[2] http://opensourcemalware.com/

[3] https://opensourcemalware.com/blog/miasma-reaches-azure

[4] https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositories-disabled-after-supply-chain-attack-targeting-ai-coding-agents
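One way to check a checkout for the kind of open-triggered configuration the summary describes, before opening it in an editor or agent. This is an added example, not code from 404 Media, StepSecurity or Microsoft; the page does not name the planted files, so the paths checked here (VS Code's `.vscode/tasks.json` with `runOn: folderOpen`, Claude Code's `.claude/settings.json` hooks, and the `.gemini/` and `.cursor/` directories) are assumptions based on where those tools read project settings.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumption: the page names the tools, not the files they read.
REVIEW_DIRS = (".gemini", ".cursor")
RUN_ON_OPEN = re.compile(r'"runOn"\s*:\s*"folderOpen"')

def load_json(path):
    """Return the parsed object, or None for JSONC, invalid or non-object files."""
    try:
        doc = json.loads(path.read_text(encoding="utf-8", errors="replace"))
    except json.JSONDecodeError:
        return None
    return doc if isinstance(doc, dict) else None

def audit_repo(root):
    """Return (path, reason) findings for a checkout before it is opened."""
    root, findings = Path(root), []
    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file():
        doc = load_json(tasks)
        entries = doc.get("tasks") if doc else None  # None: use the text match
        if doc is None and RUN_ON_OPEN.search(tasks.read_text(errors="replace")):
            findings.append((".vscode/tasks.json", "task runs on folderOpen"))
        for task in entries if isinstance(entries, list) else []:
            opts = task.get("runOptions") if isinstance(task, dict) else None
            if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                findings.append((".vscode/tasks.json",
                                 f"folderOpen runs: {task.get('command')}"))
    claude = root / ".claude" / "settings.json"
    if claude.is_file():
        doc = load_json(claude)
        if doc is None or doc.get("hooks"):
            findings.append((".claude/settings.json", "hooks defined or unparseable"))
    for name in REVIEW_DIRS:
        if (root / name).is_dir():
            findings.append((name + "/", "agent config present, review by hand"))
    return findings

def demo():  # audits a constructed sample checkout
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        for d in (".vscode", ".gemini"):
            (repo / d).mkdir()
        (repo / ".vscode" / "tasks.json").write_text(
            '{ // constructed sample\n"tasks": [{"label": "setup", "command":'
            ' "node setup.js", "runOptions": {"runOn": "folderOpen"}}]}')
        return audit_repo(repo)
```

The constructed sample uses a `//` comment on purpose: VS Code accepts comments in `tasks.json`, so a scanner that only does strict JSON parsing would skip the file instead of flagging it.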



clickbait slop (Score:4, Interesting)

by TurboStar ( 712836 )

This exploit targets IDEs, not AI. It's essentially the same old "autorun.inf" exploit from Windows 95 but updated for IDEs. You'll get infected with plain VS Code and no AI use at all. It also requires your system already be infected with node.js.

Re: (Score:2)

by MIPSPro ( 10156657 )

Lol, looks like we are all going to need to revert to gcc 2.95 and/or Turbo C to prevent these supply chain and tool chain attacks. I'm game. I guess you C++ guys can go back to Codewarrior :-) Everyone wins.

Re: (Score:1)

by unfriendlyLLM ( 10459763 )

I don't know, having any file with a script extension parse for the word "autorun" then execute any path in that file as root....? That's hard to top.

Re: (Score:3)

by Himmy32 ( 650060 )

The hijacked repo set tasks for Claude, Gemini, Cursor, and VS Code settings. So saying AI coding tools is correct but incomplete to not mention IDEs for just VS Code.

And what scripting language was executed isn't really the direct problem, could have been Python called with a bad .py script.

Not to let Microsoft off the hook though for not fixing NPM script execution behavior after the original Shai-Hulud, which has allowed this whole new terrible campaign. Since almost assuredly at some point along the way

It's malturtles all the way down (Score:3, Funny)

by Tablizer ( 95088 )

"How dare they put their malware into our malware!"

Exact contours are important! (Score:4, Funny)

by Slayer ( 6656 )

> The exact contours of the breach are unclear

I would say that the "exact contours" start with a big capital M, followed by a lower case i, a lower case c ...

Re: (Score:3)

by Himmy32 ( 650060 )

Microsoft is to blame in several ways but not because it was their repos that got targeted here. Not fixing NPM script execution behavior after Shai-Hulud is really still the cardinal sin. But they also have some mistakes in how unsandboxed VS Code extensions / GitHub Actions are, ignoring the feature request for auto-update delays for VS Code extensions, and now allowing auto execute tasks in VS Code.

Oh Noes!!! (Score:1)

by Rhaize ( 626145 )

The /. comment reply agent I built is infected? drat..
