Microsoft investigates breach of open-source projects after malware injection

TechCrunch reports that Microsoft has temporarily disabled access to dozens of its open-source projects hosted on GitHub as it investigates a security incident in which hackers allegedly injected password-stealing malware into the code.

The compromised projects, many of which are related to Microsoft's Azure cloud service and AI development tools, allowed attackers to steal user passwords and sensitive credentials. Security firms Cloudsmith and OpenSourceMalware were among the first to identify the threat. Microsoft confirmed the incident, with spokesperson Ben Hope stating that some repositories have been restored after review, while others remain offline. The company has notified a small number of customers who may have downloaded the affected content. At least 70 Microsoft projects were disabled by GitHub staff for violating terms of service.

This incident is the latest example of a supply chain attack, where hackers target widely used open-source projects to distribute malware. It is rare for large tech companies like Microsoft to be breached in this manner. This marks Microsoft's second known breach of its open-source projects in recent weeks, following a similar incident involving the Durable Task project in May.

Source: TechCrunch
