Microsoft's open source tools were hacked to steal passwords of AI developers

Scope of the Incident

  • 73 Microsoft-related GitHub repos were disabled after being infected (mostly Azure Functions and Durable Task tools; also samples, docs, and a Homebrew tap).
  • Attack is tied to the “Miasma” / “Shai-Hulud” worm family targeting software supply chains and developer environments.
  • Malware spreads via config files for AI coding tools and VS Code: .claude/settings.json, .gemini/settings.json, .cursor/rules/setup.mdc, .vscode/tasks.json.
  • Several posts note GitHub commits authored as github-actions, suggesting compromised CI tokens and automation.
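
An added example, not code from the thread or from Microsoft: a Python audit that walks a directory of checkouts and lists the four config paths named above so they can be read before the folder is opened in an editor or agent. The two content heuristics (a VS Code task set to run on folder open, and a "hooks" key in a settings file) are assumptions about what deserves a closer look, not indicators taken from this page, and the sample tree is constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Relative paths the summary above names as carriers.
WATCHED = (".claude/settings.json", ".gemini/settings.json",
           ".cursor/rules/setup.mdc", ".vscode/tasks.json")
# Regexes, not a JSON parser: tasks.json may contain comments.
FOLDER_OPEN = re.compile(r'"runOn"\s*:\s*"folderOpen"')  # VS Code auto-run option
HOOKS = re.compile(r'"hooks"\s*:')  # assumption: hook definitions merit review

def review_reasons(rel, text):
    reasons = ["present"]
    if rel == ".vscode/tasks.json" and FOLDER_OPEN.search(text):
        reasons.append("task runs on folder open")
    if rel.endswith("settings.json") and HOOKS.search(text):
        reasons.append("defines hooks")
    return reasons

def scan(root):
    # Walk root, nested checkouts included, and map each watched file to its reasons.
    findings = {}
    for dirpath, dirnames, _ in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for rel in WATCHED:
            path = Path(dirpath, rel)
            if path.is_file():
                text = path.read_text(encoding="utf-8", errors="replace")
                findings[path.relative_to(root).as_posix()] = review_reasons(rel, text)
    return findings

def demo():
    # Constructed sample tree, not data from the incident.
    samples = {
        "app/.vscode/tasks.json": '{"tasks": [{"runOptions": {"runOn": "folderOpen"}}]}',
        "app/.claude/settings.json": '{"hooks": {}}',
        "lib/.gemini/settings.json": '{"theme": "dark"}',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan(tmp)

if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", ", ".join(reasons))
```

To audit real checkouts, call scan() on the parent directory from a terminal, before any of the folders are opened in an editor or agent.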

Worm Behavior and Impact

  • One researcher claims the worm propagates across dev machines, CI/CD runners, and servers, infecting any reachable repo; another counters “it only spreads if you run the code,” and is corrected with “it spreads if you open a folder.”
  • Claimed kill switch: setting LANG=ru_RU.KOI8-R.
  • A mitigation tool and technical write-ups are shared; they’re being updated as more package ecosystems (npm, Composer, Go, pip, Ruby) become affected.
  • Concern that this is a true cross-platform, ecosystem-wide worm with no practical “global shutdown” option.

Microsoft, GitHub, and Security Culture

  • Several comments argue Microsoft’s security culture is broken, citing a recent critical US government review and past breaches.
  • Others say for this specific incident Microsoft did the right immediate thing (disabling repos), but criticize the vague, “watery” public response and lack of detailed post-mortem.
  • Strong criticism that GitHub (also Microsoft) failed on multiple fronts: detecting compromised accounts/tokens, allowing CI bypass, weak malware policing on the platform.
  • Debate over Secure Boot trust: some object to being forced to trust Microsoft/OEM keys; others note you can, in principle, replace them.

AI, “Agentic Development,” and Supply Chain Risk

  • Many see AI coding agents as a new high-value infection vector: they touch many repos, run scripts, and can be tricked into approving opaque changes.
  • Some argue the root problem predates AI (dependency-install malware); AI simply amplifies speed and scale.
  • Concerns that developers now juggle more projects and “vibe-code” with little review, breaking traditional RBAC and governance models.

Ecosystem, Tooling, and Mitigations

  • Strong sentiment that we have “too much software”: microlibraries, deep transitive dependencies, and auto-running install scripts (npm, pip) create massive attack surfaces.
  • Suggestions:
    • Strict SBOMs and “minimum release age” policies.
    • Heavy sandboxing for npm install / pip install (Docker, rootless containers, OS sandboxes), or even per-project users/VMs.
    • Web IDEs / codespaces as isolated envs vs. pushback that they add their own attack surface and UX pain.
    • Per-agent/per-repo fine-grained tokens instead of broad personal access tokens (with complaints that permission systems are too complex to use correctly).
    • Manually writing small utilities instead of adding dependencies, where feasible.

Broader Mood

  • Widespread pessimism and burnout: talk of an “anti-singularity,” “Great Filter,” and retreating to OpenBSD/airgapped setups.
  • Many view current security models (continuous updates + huge dependency trees) as collapsing under their own complexity.