Microsoft took down more than 70 open-source GitHub repositories on June 5, 2026, after security researchers uncovered credential-stealing malware embedded deep inside Microsoft-owned projects. The compromised repositories included components used by Azure DevOps, .NET, and various internal toolchains, sparking a frantic scramble to assess the scope of the breach and contain the damage. The malware, a stealthy variant of the notorious RedLine infostealer, was designed to siphon authentication tokens, browser passwords, and SSH keys from developer machines and CI/CD pipelines.

Early forensic analysis pointed to a compromised AI pair-programming assistant as the initial infection vector. Developers at Microsoft and across the broader ecosystem had adopted the AI tool — tentatively identified as a popular GitHub Copilot alternative — which was itself tainted through a supply chain attack on its auto-update mechanism. This allowed attackers to push a poisoned extension update that injected malicious code into any repository where the assistant was active, including dozens of Microsoft’s own public and private repos.

Discovery and Immediate Response

The breach first came to light through an anomaly detection system operated by the cloud security firm Wiz, which noticed unusual outbound network calls from a sanctioned Microsoft Azure DevOps instance. Upon investigation, Wiz's research team found hardcoded malware droppers in several widely forked Microsoft repositories, including azure-sdk-for-net, vscode-iot-workbench, and the microsoft-authentication-library-for-js package. After confirming the malicious payload with Microsoft’s Security Response Center (MSRC), the company disabled access to 74 repositories within hours.

“We identified unauthorized code injection in a subset of our GitHub repositories used for documentation, SDK samples, and internal tooling,” read a hastily published statement from the MSRC. “Out of an abundance of caution, we have temporarily disabled these repos and rotated all potentially exposed credentials.” While Microsoft emphasized that no customer data repositories were affected, the disabled repos often served as dependencies for enterprise CI/CD workflows, causing cascading failures across development teams worldwide.

The decision to take the repos offline rather than simply removing the malicious commits reflects the gravity of the incident. Attackers had embedded the malware in historic commits dating back at least three weeks, meaning that any developer who pulled code during that window could have had their environment compromised. Standard cleanup procedures, such as reverting to a last-known-good commit, were rendered ineffective because the malware also manipulated the Git history to conceal its tracks.

Anatomy of the Malware

Reverse engineering by the Microsoft Threat Intelligence Center (MSTIC) revealed a multi-stage payload triggered by specific build events. The first stage involved a tampered .csproj or package.json file that executed a PowerShell script during project restoration. That script downloaded a secondary payload from a command-and-control server mimicking a legitimate NuGet feed, then installed a rootkit-like hook into the developer’s Git configuration.

The hook intercepted every git push or git pull to exfiltrate any credentials that passed through the local repository, including Azure DevOps personal access tokens (PATs), GitHub tokens, and even environment variables containing cloud API keys. Harvested credentials were encrypted and exhumed via DNS tunneling to bypass network egress filters—a technique that allowed the attackers to remain largely undetected until Wiz’s heuristics flagged the anomalous DNS pattern.

Security analysts noted that the malware contained several anti-forensics features. It would only execute if a genuine Microsoft code-signing certificate was present in the local certificate store, ensuring that it activated exclusively on machines that had previously built Microsoft-signed binaries — a clear indicator that the attackers had deep knowledge of Microsoft’s internal build infrastructure. The malware also checked for the presence of specific virtual machine artifacts to avoid execution in sandboxed analysis environments.

The Role of AI Coding Assistants

Forensic logs from the infected AI coding tool showed that the update channel was compromised between May 12 and May 18, 2026. The AI assistant’s vendor — a mid-sized startup with a growing enterprise user base — confirmed that attackers gained access to its build pipeline through a successful phishing attack on a senior engineer. Once inside, they modified the extension’s manifest to point to a malicious update server, which then pushed the tainted version to approximately 300,000 active users.

Because the AI assistant had broad permissions to read and write repository files (a necessary feature for automated code suggestions), the poisoned update could seamlessly insert the malware hooks into any project a developer was working on. Microsoft’s internal telemetry suggests that at least 15 internal developer workstations were directly infected via this vector, and that these machines subsequently propagated the malicious code to dozens of internal repositories before automated alerts triggered.

The incident underscores the growing risk of AI-powered development tools that operate with elevated privileges. While these assistants can dramatically boost productivity, they also expand the attack surface. “We’re granting incredibly powerful tools write access to our entire codebase, often without rigorous security audits,” said Katie Moussouris, CEO of Luta Security. “This attack shows exactly how a single compromised plugin can cascade into a full-blown supply chain catastrophe.”

Impact on Azure DevOps and Enterprise Pipelines

Microsoft’s Azure DevOps pipeline sits at the heart of many enterprise development workflows. When the affected repositories were abruptly disabled, thousands of automated builds began failing. Teams relying on the azure-sdk-for-net library found their pipelines hanging at restore steps, while others who had pinned specific commit hashes discovered that their builds would still complete — but only after ingesting the compromised code.

Microsoft quickly published a set of workarounds, including temporary alternative URL endpoints for critical SDKs and a script to scan local repositories for signs of tampering. However, these mitigations often required manual intervention, and the company opened a dedicated support channel that fielded over 10,000 queries in the first 24 hours. The outage also delayed several mid-sprint deployments for internal Microsoft products, including an Insider build of Windows 12 that relied on newly compromised authentication libraries.

Beyond the immediate disruption, the credential theft poses a long-term threat. Stolen Azure DevOps PATs and GitHub tokens could grant attackers persistent access to private repositories, CI/CD secrets, and even production deployment pipelines. Microsoft’s Threat Intelligence team tracked the exfiltrated credentials to a series of proxy servers in Eastern Europe and has begun notifying affected organizations whose tokens were observed in the attackers’ exfiltration endpoints.

Microsoft’s Broader Security Response

In addition to disabling the repos, Microsoft initiated a company-wide credential rotation for all GitHub- and Azure DevOps-related tokens, API keys, and certificates. The company also temporarily suspended the compromised AI assistant’s extension from the Visual Studio Marketplace and GitHub’s marketplace, and issued an urgent security advisory (CVE-2026-4172) detailing the indicators of compromise.

The MSRC posted a detailed post-mortem that acknowledged lapses in its repository monitoring tools. “Our existing integrity checks were not designed to detect sophisticated malware that manipulates the Git history itself,” the post-mortem noted. “We are accelerating deployment of behavioral analysis for all repository write actions and enhancing our anomaly detection with AI-driven models that look for patterns consistent with supply chain compromise.”

Microsoft also committed to requiring hardware-backed attestation for all first-party code contributions within six months, ensuring that every commit to a Microsoft-owned repository includes a verifiable digital signature tied to a known, trusted developer identity. This would make unauthorized code injection far more difficult, though experts point out that it would not prevent attacks that compromise an authorized developer’s machine.

Community and Industry Reaction

The cybersecurity community reacted with a mix of alarm and resignation. The incident fits a pattern of escalating supply chain attacks targeting the software development lifecycle. Just months earlier, the Codecov breach and the SolarWinds affair demonstrated how compromised build systems can have outsized consequences. What sets this incident apart is the use of an AI coding tool as the initial vector—a novel twist that surprised even seasoned threat researchers.

“We expected attacks on AI models themselves, like data poisoning or adversarial examples, but using the AI assistant’s trust relationship to inject code is a whole new game,” noted Bruce Schneier, security technologist and lecturer at Harvard Kennedy School. “Developers have become accustomed to treating these tools as part of their extended mind. The industry needs to catch up with appropriate security boundaries.”

On developer forums and social media, those affected expressed frustration over the abrupt repo takedowns. Some startups reported losing days of development time, while open-source maintainers worried about the collateral damage to their own projects that depended on the disabled Microsoft repos. “I had no idea my npm package was pulling from a Microsoft-owned repo until my entire deploy pipeline just stopped,” posted one developer on a popular open-source discussion board. Microsoft’s developer relations team later apologized and offered expedited support for critical infrastructure projects.

Lessons for the Software Supply Chain

This attack highlights several uncomfortable truths about modern software development. First, the pull-based model of dependency management — where developers automatically fetch code from remote repositories at build time — creates an asymmetric advantage for attackers. Once malicious code is in a popular repository, it can spread virally long before detection. Second, the convenience of AI assistants often overrides security caution.

Security experts recommend a multi-layered defense: enforce branch protection rules with mandatory code review even for automated commits, use automated dependency scanning that validates both integrity and publisher identity, and apply network egress controls to CI/CD pipelines to detect exfiltration. Crucially, organizations must treat AI coding assistants with the same security scrutiny as any other third-party software with write access to source code.

NIST’s Secure Software Development Framework (SSDF) was updated in late 2025 to include guidelines specifically for AI-augmented development, encouraging practices such as sandboxing AI plugins and verifying the provenance of all automated code suggestions. Microsoft has indicated that it will adopt these guidelines more rigorously and is working with other AI tool vendors to establish a shared threat intelligence feed for the emerging ecosystem.

What Comes Next?

The affected repos are expected to remain disabled until at least June 10, while Microsoft completes a thorough code audit and verifies the integrity of all historical commits. The company has promised to re-publish clean versions with new commit hashes and will offer a migration guide for users who pinned old, vulnerable versions. In the meantime, developers can access critical SDKs through a read-only mirror site that Microsoft set up in collaboration with GitHub.

The incident also accelerates regulatory conversations. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already requested a briefing from Microsoft about the AI tool compromise, and several members of Congress have called for stricter oversight of software supply chain security. The European Union Agency for Cybersecurity (ENISA) is considering fast-tracking a certification scheme for AI development tools under the Cyber Resilience Act.

For individual developers, the attack serves as a stark reminder to audit the permissions granted to IDE extensions and to monitor outgoing network traffic from their development environments. Microsoft’s own diagnostic tool, available on GitHub, can scan a local repository for the specific IOCs associated with this malware and is being distributed widely.

While the immediate crisis may subside once the repositories go back online, the longer-term erosion of trust in open-source supply chains may prove harder to repair. As AI tools become deeply embedded in how software is built, the guardians of that software must come to terms with the fact that the assistant helping you write code might just be helping someone else steal your keys.