Microsoft disables 73 GitHub repositories after malware attack on AI developer tools

Microsoft disabled 73 GitHub repositories in early June after hackers injected malware that steals passwords and credentials when opened in AI development tools ^{[1, 2, 3]}. Many affected repositories related to Microsoft's Azure cloud and AI coding apps like Claude Code, Gemini CLI, and VS Code ^{[1, 2, 3]}.

The attack involved a supply chain malware called the Miasma worm targeting the Microsoft Durabletask package, which was first compromised in May 2026 ^{[1, 3]}. This package had over 400,000 downloads that month, exposing a large developer base to infection ^[3].

The malware infected packages downloaded by developers, allowing hackers to steal authentication credentials and impact their build environments ^{[1, 3]}. Upon discovering the infection, GitHub's automated system disabled the repositories within one minute due to terms of service violations and temporarily removed them for investigation ^{[1, 2, 3]}.

A Microsoft spokesperson said, "We have temporarily removed some repositories as we investigate potential malicious content" and confirmed notifying a small number of customers who may have pulled the affected content ^[2]. The company restored all the repositories after the review but has not disclosed how many developers were impacted ^[2].

This incident represents a re-compromise of the Durabletask project, raising concerns about whether earlier remediation was complete ^{[1, 2, 3]}. In addition, Microsoft fixed a separate security bug in the VS Code embedded editor related to GitHub token theft ^[3].

By June 8, Microsoft had confirmed the temporary repository removal and ongoing investigation ^{[1, 2]}. The rapid disabling of infected repositories by GitHub’s automated system occurred by June 12 ^[3]. Microsoft continues to assess the impact on customers and strengthen its supply chain defenses.