Microsoft's open source tools were hacked to steal passwords of AI developers
120 points
2 hours ago
| 16 comments
| techcrunch.com
| HN
JdeBP
1 hour ago
[-]
These seem related:

* https://news.ycombinator.com/item?id=48418318 (The Blight Reaches Microsoft: 73 Repos Disabled in 105 Seconds)

* https://news.ycombinator.com/item?id=48450543 (Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled After Supply Chain Attack Targeting AI Coding Agents)

* https://news.ycombinator.com/item?id=48416155

* https://news.ycombinator.com/item?id=48416269 (Miasma Worm Targets AI Coding Agents via GitHub Repos)

reply
bob1029
48 minutes ago
[-]
I strongly suspect this is a case of classic personal access tokens being used in an unclean way.

If you are going to be handing tokens to AI agents on weird openclaw contraptions, you should try to use the fine grained variants. My GitHub account spans 3 organizations with wildly differing policies. The fact that classic tokens are even still allowed blows my mind a bit. You should be required to manually opt in each organization at a minimum.

reply
test20201
9 minutes ago
[-]
You are correct but the issue is permission management with finegrained tokens is nighmare. It is not easy to decide what is correct and what is needed for some operation. Furthermore, often software devs think it is important to focus on code rather than permissions - as it is for someone else's responsibility....
reply
_pdp_
1 hour ago
[-]
What follows next is purely speculation and it is based on my own observations and thoughts but based on what I've seen the old RBAC models, while being almost broken before, now it is fully broken, with the fact that now coding assistants and engineers are working on multiple unrelated projects simultaneously - especially working on wild experiments they had no time for previously. The risk of supply chain issue has increased dramatically in the enterprise.

Again, I am not saying it is related but I think it has an impact.

Now in many places it is encouraged by coders and managers to vibe stuff on their own devices. Soon or later it will become a problem, especially for those that have no idea what they are doing.

I am not saying it is related but I feel that it coincides perfectly.

I just cannot believe there is no underlaying thread going through all of these recent supply chain issues, and yes there are some hacking groups that specialise in this, sure, but it is because the bounty is plentiful.

reply
black_knight
15 minutes ago
[-]
Do you mean that role based access control (RBAC) should be replaced by something else? Or that just the specific RBAC models in use are broken?

I personally think the, perhaps confusingly named, capability based security models are the way of The Future.

reply
altairprime
25 minutes ago
[-]
I argued for years that we had too few workers for our total project count and management argued that most projects were idle and so it was fine to have so many per worker.

Welp.

reply
_pdp_
8 minutes ago
[-]
I think web-based IDEs like GitHub Codespaces (but even VSCode with tunnels) is part of the solution because at the very least you can get an isolated dev environment per project. I've been advocating for this for as long as I remember.

Unfortunately, most developers don't like them so it is a though sell.

reply
sourcecodeplz
19 minutes ago
[-]
one could also vibe-code vanilla, no dependencies.
reply
_pdp_
12 minutes ago
[-]
You can vibe code safely for sure.

I am not saying vibe coding is the issue. The issue is that a typical developer might be working on a lot more projects that run concurrently then they used to. And because of the various nature of the project the risk is significantly increased.

Scale this across the workforce and you not just doubled the problem.

reply
protoman3000
1 hour ago
[-]
And we trust these people with the root CA cert in our Secure Boot?
reply
justinclift
35 minutes ago
[-]
More like "forced to accept" rather than "trust".

This latest event just continues Microsoft's track record of being a security problem rather than having their shit together. :(

reply
shakna
18 minutes ago
[-]
You mean the company that failed their 2023 security review? [0]

> Individually, any one of the failings described above might be understandable. Taken together, they point to a failure of Microsoft’s organizational controls and governance, and of its corporate culture around security.

Microsoft’s products and services are ubiquitous. It is one of the most important technology companies in the world, if not the most important. This position brings with it utmost and global responsibilities. It requires a security-focused corporate culture of accountability, which starts with the CEO, to ensure that financial or other go-to-market factors do not undermine cybersecurity and the protection of Microsoft’s customers.

> Unfortunately, throughout this review, the Board identified a series of operational and strategic decisions that collectively point to a corporate culture in Microsoft that deprioritized both enterprise security investments and rigorous risk management. These decisions resulted in significant costs and harm for Microsoft customers around the world.

> The Board is convinced that Microsoft should address its security culture.

[0] https://www.cisa.gov/resources-tools/resources/CSRB-Review-S...

reply
abc3354
10 minutes ago
[-]
"No way to prevent this" say users of only package manager where this... Oh no sorry I thought this was Javascript Haters weekly meetup
reply
zihotki
58 minutes ago
[-]
And the best recommendation security teams can give - keep your SBOM strict, use min release age policy (sounds more like band-aid). That's a scary world to live in.
reply
nicce
17 minutes ago
[-]
> keep your SBOM strict

Based on the news, seems like it is better to not include Microsoft at all in there.

reply
wolfi1
45 minutes ago
[-]
a friend of mine has a very different solution: he codes everything by hand. he says that the time you need to research to include a new package you can actually use to code the piece you need. and he for sure doesn't have the problems of transitive dependencies
reply
nicce
15 minutes ago
[-]
Depending of the scenario, it can be very fine. E.g. if you just need one or two function call from the dependency. However, for some complex binary protocols it might be better to stick with libraries.
reply
dgellow
36 minutes ago
[-]
I assume that means he genAIs all his deps? Rather than writing by hand
reply
bilekas
56 minutes ago
[-]
The phrasing of the title is loaded and the content phrases it as some kind of fault of open source.

Then, which I find the most amusing, proceeds to blame MicroSlop for the attempted suuply chain attack,

> Microsoft did not immediately provide the specific number of customers affected, when asked by TechCrunch.

Yeah, because that's how open source works. Tech crunch doing hard work no not explain that.

> This is Microsoft’s second known breach over the past few weeks that has allowed hackers to compromise its open source projects, per Ars Technica.

I, like many others love to knock on Microslop when I can, but in this case they did the right thing. The article phrases it like they did everything wrong, they're all at fault and shame on them for limiting the breach.

This is not the first time I've seen an article from Zack Whittaker that just rubbed me the wrong way.

> steal passwords of AI developers

This phrasing has it's own connotations. AI developers versus developers who use AI?

> This is the latest example in recent months of hackers breaching widely popular open source projects with the aim of planting malware on a large number of users who have the code installed on their computers. These hacks are known as “supply chain” attacks as they target code that is often used in a large number of software products, or by a specific kind of user, which may be advantageous to hack as they sometimes have access to cloud systems and large amounts of customers’ data.

Describes literally nothing of what a supply chain attack is, just the result of one and the reasons for their attack surface.

Very very bad reporting in my opinion. Bad breach, and I hate to admit M$ did the safe and right thing, but this 'reporting' leaves a lot to be desired.

reply
raffael_de
47 minutes ago
[-]
What's your post mortem, then? As in - what happened and how should it be read?
reply
bilekas
37 minutes ago
[-]
Microsoft's open source projects the target of a supply chain attack and they decided to restrict access to understand and limit exposure ? Something a little more 'true' and less targetted?
reply
philipwhiuk
16 minutes ago
[-]
Azure are able to be targets of supply chain attack because of the supply chain ecosystem that they still own. It's not really a supply chain when it's still yours.
reply
dgellow
41 minutes ago
[-]
TechCrunch is very sloppy and unreliable. I’ve seen them reporting on things I worked on where they just invented facts for SEO purpose and there is no way to get them to correct
reply
philipwhiuk
17 minutes ago
[-]
> > This is Microsoft’s second known breach over the past few weeks that has allowed hackers to compromise its open source projects, per Ars Technica.

> I, like many others love to knock on Microslop when I can, but in this case they did the right thing.

I've no idea what your problem with this sentence is. They have an organisational security problem, aided/demonstrated by lack of effort to effectively lockdown GitHub Actions and allowing MRs to circumvent CI/CD.

That this is a Microsoft problem that was present pre-AI is not up for debate. See https://www.cisa.gov/sites/default/files/2025-03/CSRBReviewO...

In the age of AI, it's now endemic and being weaponised.

reply
minraws
1 hour ago
[-]
Remember folks Microsoft has Mythos access
reply
raincole
38 minutes ago
[-]
> steal passwords of AI developers

What does this even mean?

The malware specifically steals passwords from developers who use AI? From those who develop AI tool? Or it steals API tokens, which serve a similar function as passwords do for humans?

Is this what journalism looks like today? Just slap the two holy letters on the title and you get views?

(Yes, I read the article. No, I still don't think the title makes sense. You can skip this techchurch slop and read the real information here: https://opensourcemalware.com/blog/miasma-reaches-azure)

reply
Ukv
18 minutes ago
[-]
https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-... mentions that it plants `.claude/settings.json`, `.gemini/settings.json`, `.cursor/rules/setup.mdc`, and `.vscode/tasks.json` to execute its payload as a setup task.

VSCode will be used by plenty of non-AI-using developers, and the credential harvester is not specific to AI API tokens, but that 3/4 of the targets are AI coding tools is I assume where the claim comes from.

reply
sourcecodeplz
14 minutes ago
[-]
Do I remember correctly when techcrunch was charging $10k per month for a square banner on its website, 2005? And that was considered the top, for a tech blog. Even then they posted slop.
reply
axus
1 hour ago
[-]
Their source has the list of the 73 disabled repositories: https://opensourcemalware.com/blog/miasma-reaches-azure
reply
antiloper
1 hour ago
[-]
AI;DR:

Azure (49)

azure-functions-agents-runtime azure-functions-connector-extension azure-functions-core-tools azure-functions-docker azure-functions-dotnet-extensions azure-functions-dotnet-worker azure-functions-durable-extension azure-functions-durable-js azure-functions-durable-powershell azure-functions-durable-python azure-functions-extension-bundles azure-functions-golang-worker azure-functions-host azure-functions-java-library azure-functions-java-worker azure-functions-kafka-extension azure-functions-language-worker-protobuf azure-functions-mcp-extension azure-functions-nodejs-e2e-tests azure-functions-nodejs-library azure-functions-nodejs-opentelemetry azure-functions-nodejs-worker azure-functions-openai-extension azure-functions-powershell-library azure-functions-powershell-opentelemetry azure-functions-powershell-worker azure-functions-python-extensions azure-functions-python-library azure-functions-python-worker azure-functions-rabbitmq-extension azure-functions-skills azure-functions-sql-extension azure-functions-templates azure-functions-tooling-feed azure-functions-vs-build-sdk azure-webjobs-sdk azure-webjobs-sdk-extensions azure-websites-security checkaccess-v2-go-sdk Connectors-NET-LSP Connectors-NET-Samples Connectors-NET-SDK Connectors-NodeJS-SDK connectors-python-sdk durabletask functions-action functions-container-action homebrew-functions sonic-gnmi.msft

microsoft (10)

DurableFunctionsMonitor durabletask-dotnet durabletask-go durabletask-java durabletask-js durabletask-mssql durabletask-netherite durabletask-protobuf Microsoft-Performance-Tools-Apple secure-azureai-agent

Azure-Samples (13)

azure-ai-content-understanding-python azure-container-apps-multi-agent-workflow azure-container-apps-sandboxes azure-functions-java-flex-consumption-azd azure-functions-nodejs-opentelemetry-samples azure-search-openai-demo-purviewdatasecurity functions-connectors-python functions-connectors-typescript llm-fine-tuning openai-chat-app-entra-auth-builtin openai-chat-app-entra-auth-local rag-postgres-openai-python tutor

MicrosoftDocs (1)

windows-driver-docs

reply
jbverschoor
1 hour ago
[-]
Note that also the homebrew-tap was affected: homebrew-functions
reply
yossufyahia
32 minutes ago
[-]
It actually feels like nothing is safe now every day you hear about hacking is it from the ai making development weak or ai is getting strong in hacking
reply
Zolomon
31 minutes ago
[-]
It was never safe to begin with, that is why the security community has been screaming for resources since the 80s.
reply
dude250711
1 hour ago
[-]
The Age of Agentic Development.
reply
axegon_
57 minutes ago
[-]
I hate to be the "I told you" guy but... I told you and have been for years. And every time I do, a flock of sloppers come to say "but have you tried the claude sloppus, it's so good man, I haven't written any code in X months". Well.. Enjoy.
reply
paulluuk
13 minutes ago
[-]
This is a supply chain attack that _targets_ AI users. What does this have to do with AI slop?
reply
ares623
1 hour ago
[-]
guys. what the fuck. are we even doing.
reply
nDRDY
52 minutes ago
[-]
We are ever-faster approaching the Anti Singularity, the moment when everything "tech" implodes and progress screeches to a halt.
reply
narrator
47 minutes ago
[-]
What if this is "The Great Filter?" [Ominous music plays in the background]
reply
christophilus
40 minutes ago
[-]
Downloading OpenBSD and going off-grid. How about you?
reply
larodi
1 hour ago
[-]
getting deeper and deeper. the question is what goes one when breaches reach opensource-based stuff running nuclear reactors. i'd be concerned.
reply
TZubiri
1 hour ago
[-]
another day, another supply chain vulnerability
reply