Microsoft Open Source Packages Compromised with Credential-Stealing Code for Second Time in Weeks
Seventy-three cryptographically verified open source packages from Microsoft were found to contain advanced credential-stealing malware late last week, triggered when developers opened them in AI coding agents. This marks the second such incident in a matter of weeks involving Microsoft packages on GitHub, which Microsoft owns. The breach is significant because the packages were cryptographically signed, meaning developers had reason to trust them, and any developer who interacted with them via AI agents may be compromised.
Seventy-three open source packages published by Microsoft were flagged as malicious after automated systems on GitHub detected credential-stealing code embedded within them. The malicious code was designed to activate specifically when developers opened the packages inside AI coding agents, raising concerns about supply chain security in AI-assisted development workflows. GitHub, which is owned by Microsoft, initially removed the packages citing only a 'violation of terms of service' rather than explicitly warning users of the malicious content. Microsoft did not publicly acknowledge the possibility of malicious content until Monday, days after the packages were pulled, stating only that it was investigating 'potential malicious content.' Security researchers noted this is the second time in recent weeks that Microsoft packages have been laced with credential stealers, suggesting a pattern or ongoing vulnerability. Experts are advising any developer who used AI agents to interact with the affected packages to assume their systems have been compromised and act accordingly.
What's missing
It is unclear who is responsible for injecting the malicious code into the packages — whether this was an external attacker, an insider threat, or a supply chain compromise — and no attribution has been publicly confirmed. Additionally, the specific credentials targeted and the scale of any actual developer impact have not been disclosed.
How coverage differed
Ars Technica's framing is notably critical of Microsoft and GitHub, emphasizing the delayed and vague public disclosure and contrasting it with what researchers recommended. The coverage highlights what it characterizes as misleading or insufficient communication from Microsoft rather than focusing neutrally on the technical incident itself.
What different sources said
- Ars Technica (Center)
  For the 2nd time in weeks, Microsoft packages laced with credential stealer