Microsoft’s open source tools were hacked to steal passwords of AI developers
Microsoft just had a really bad week, and honestly, the company deserves every ounce of scrutiny coming its way.
Analysis
Dozens of open source repositories on GitHub—some directly tied to Azure, VS Code, and the very AI coding tools developers are being told to embrace—were quietly poisoned with password-stealing malware. Not some obscure weekend project. Not a forgotten utility nobody touches. These were first-party Microsoft repositories, the kind of thing a developer trusts implicitly because it has the Microsoft name on it. The kind of thing you clone without thinking twice because, well, it's Microsoft.
The hackers got in, injected credential-stealing code, and for however long this was active, anyone who pulled those repos and ran them inside an AI coding environment—Claude Code, Gemini's CLI, VS Code extensions—may have handed over their passwords and other sensitive data without knowing it. Let that sink in. The tools developers are being actively encouraged to use to write faster, to integrate AI into their workflow, became the exact vector attackers needed to exfiltrate credentials. The irony is almost poetic if you're not one of the potential victims.
What really grinds my gears about this incident isn't just the breach itself. Breaches happen. Supply chain attacks are the hottest category in cybersecurity right now, and GitHub has been a known target for years. What stings is Microsoft's response—or more precisely, the vague, corporate-PR shape of it. "A small number of customers" were notified. Which customers? How small? What does "may have pulled down content" mean—are they sure or aren't they? Microsoft won't say. They "did not immediately provide the specific number of customers affected," which is corporate speak for "we either don't know or don't want you to know yet." Both possibilities are bad.
This is a company that runs one of the largest cloud platforms on Earth. A company that just spent the last two years shoving AI into every product it makes, from Windows to Office to GitHub Copilot. A company that positions itself as a leader in secure, enterprise-grade software development. And it can't keep its own open source repositories clean?
Let's zoom out for a second. The AI coding revolution is built on a fragile foundation of trust. Developers are being told to use AI assistants that read, parse, and execute code from repositories. The entire value proposition depends on a chain of trust: I trust the repo, I trust the platform hosting it, I trust the AI tool that recommends it, and I trust my own judgment when I hit "run." This breach attacks every single link in that chain. If you can't trust that a first-party Microsoft repo on GitHub is clean, what can you trust? If your AI coding tool happily ingests poisoned code and serves it up as a helpful suggestion, what good is the AI?
The security firms Cloudsmith and OpenSourceMalware flagged this before Microsoft did anything public, which tells you something uncomfortable about who's actually watching the store. The open source security ecosystem has been screaming about supply chain risks for years. Sigstore, dependency scanning, reproducible builds—there are entire companies and initiatives dedicated to solving exactly this problem. And yet here we are, watching Microsoft scramble to pull repos offline after the fact. Reactive, not proactive. Cleanup, not prevention.
And let's talk about the timing. Microsoft is in an arms race with Google, Anthropic, and OpenAI to dominate AI-assisted development. GitHub Copilot is a flagship product. VS Code is the most popular code editor in the world. Azure is the bedrock of Microsoft's future revenue. Every day these repositories stay offline is a day developers question whether the ecosystem they've been told to build on is actually secure. Every vague statement from a spokesperson erodes confidence just a little more. You can't be the trusted platform for AI-powered development and also have your repos serving up credential stealers. You don't get to be both.
I keep coming back to the same question: what was the actual attack vector? How did the hackers get write access to Microsoft's own repositories? Was it a compromised employee account? A misconfigured permission? A vulnerability in GitHub itself? Microsoft hasn't said, and the absence of that information is deafening. If this was a simple credential theft—which, given the irony, would be almost too perfect—then Microsoft has a serious internal security hygiene problem. If it was something more sophisticated, that's arguably worse because it suggests a systemic vulnerability that could affect any organization on the platform.
The broader lesson here, if we're willing to learn it, is that the rush toward AI-everything has outpaced our security fundamentals. We're building AI coding tools that consume open source code at unprecedented scale, but we haven't solved the much older problem of making sure that code is trustworthy in the first place. It's like building a skyscraper on a foundation you haven't inspected. Sure, it looks impressive, but one crack and the whole thing comes down.
Developers using these AI tools should be asking hard questions right now. What repos is my AI assistant pulling from? What's the vetting process? Can I verify the integrity of the code before it runs? And Microsoft, for its part, owes the community a lot more than a spokesperson named Ben Hope offering carefully lawyered statements. It owes transparency. It owes specifics. It owes an explanation of how this happened and what systemic changes it's making to ensure it doesn't happen again.
Because right now, the message from this incident is clear: even the biggest players in tech can't secure the basics, and the new wave of AI development tools we're all being asked to adopt are only as secure as the messy, porous, trust-dependent ecosystem they're built on. That should make every developer nervous. It certainly makes me nervous.
Disclaimer: The above content is generated by AI and is for reference only.