by bilekas 2 days ago
The phrasing of the title is loaded and the content phrases it as some kind of fault of open source.

Then, which I find the most amusing, proceeds to blame MicroSlop for the attempted supply chain attack,

> Microsoft did not immediately provide the specific number of customers affected, when asked by TechCrunch.

Yeah, because that's how open source works. TechCrunch doing hard work to not explain that.

> This is Microsoft’s second known breach over the past few weeks that has allowed hackers to compromise its open source projects, per Ars Technica.

I, like many others, love to knock on Microslop when I can, but in this case they did the right thing. The article phrases it like they did everything wrong, they're all at fault and shame on them for limiting the breach.

This is not the first time I've seen an article from Zack Whittaker that just rubbed me the wrong way.

> steal passwords of AI developers

This phrasing has its own connotations. AI developers versus developers who use AI?

> This is the latest example in recent months of hackers breaching widely popular open source projects with the aim of planting malware on a large number of users who have the code installed on their computers. These hacks are known as “supply chain” attacks as they target code that is often used in a large number of software products, or by a specific kind of user, which may be advantageous to hack as they sometimes have access to cloud systems and large amounts of customers’ data.

Describes literally nothing of what a supply chain attack is, just the result of one and the reasons for their attack surface.

Very very bad reporting in my opinion. Bad breach, and I hate to admit M$ did the safe and right thing, but this 'reporting' leaves a lot to be desired.

4 comments

That's the thing: they do bear responsibility in allowing the situation to get to this point and are very pointedly not connecting the dots with their response.

Microsoft, which owns GitHub, has been washing their hands of any responsibility in helping to resolve the ongoing supply chain catastrophe which is hosted and spread nearly entirely via GitHub repositories: not responding to security researchers flagging malware hosted on GitHub; doing nothing to address the proliferation of open source malware across their platform, giving no recourse for action, not applying their tremendous resources to the problem, fiddling as the open source community burns and leaving the devs to fend for themselves. Let's not mention the recent very hostile and trust-eroding behavior towards bug bounty security researchers.

The *&$@ finally spread all the way up to the top of the hill in a compromise of Microsoft's own repos, which I think highlights the scale of the problem.

And in response, they offer a watery corporate platitude, "a few customers were affected in a recent incident, and we're looking into it."

Microsoft's introduction of 2-hour latencies for vscode extension installations to mitigate the ongoing worm spread is absolutely bonkers.

They did not read the source code of the worm implant and have absolutely no clue how the worm works, if that is their response.

The only way to meaningfully stop the worm is by requiring manual confirmations for git commit/push actions and for the auto-executed hooks in all IDEs. Also, these scripts should be sandboxed to only be allowed to run and interact with files inside the same opened project folder.

Well, that, or setting the host system language to Russian. Which I am kind of expecting Microsoft to do next...
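The comment above argues that auto-executed git hooks are the path the worm uses and that they should at least require confirmation. As an added example (not from the thread or from any of the projects it discusses), here is a small POSIX sh helper a defender can run against a freshly cloned repository to enumerate the hook scripts that would fire on the next commit or push, including one relocated through a `core.hooksPath` override in `.git/config`. The function name and the repository paths are assumptions; it reads the config file directly rather than calling `git`, so it works without git installed and covers only git hooks, not IDE task runners.

```shell
#!/bin/sh
# Added example, not code from the thread: list git hook scripts that will
# auto-execute in a repository so they can be reviewed before running anything.
# Assumed helper name and paths; it does not modify the repository.

# list_active_hooks REPO
# Prints one path per line for every executable, non-*.sample hook that git
# would run. Returns 0 when no active hook exists, 1 when at least one does,
# so it can gate a workflow step or a shell alias.
list_active_hooks() {
    repo="$1"
    hooks_dir="$repo/.git/hooks"

    # A core.hooksPath setting in .git/config relocates the hooks directory;
    # git then ignores .git/hooks entirely, so the scan must follow it.
    # (Assumes the default key spelling "hooksPath" as git writes it.)
    if [ -f "$repo/.git/config" ]; then
        override=$(sed -n 's/^[[:space:]]*hooksPath[[:space:]]*=[[:space:]]*//p' \
                       "$repo/.git/config" | head -n 1)
        if [ -n "$override" ]; then
            case "$override" in
                /*) hooks_dir="$override" ;;          # absolute path
                *)  hooks_dir="$repo/$override" ;;    # relative to the work tree
            esac
        fi
    fi

    found=0
    [ -d "$hooks_dir" ] || return 0
    for f in "$hooks_dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.sample) continue ;; esac   # git's inert templates
        [ -x "$f" ] || continue                    # git only runs executables
        printf '%s\n' "$f"
        found=1
    done
    [ "$found" -eq 0 ]
}

# Stand-alone usage: ./audit_hooks.sh /path/to/clone
if [ "$#" -gt 0 ]; then
    list_active_hooks "$1"
fi
```

A non-zero exit from the function is the signal to open the listed scripts and read them before the first commit; a clone with no active hooks exits 0 silently.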

> > This is Microsoft’s second known breach over the past few weeks that has allowed hackers to compromise its open source projects, per Ars Technica.

> I, like many others love to knock on Microslop when I can, but in this case they did the right thing.

I've no idea what your problem with this sentence is. They have an organisational security problem, aided/demonstrated by lack of effort to effectively lock down GitHub Actions and allowing MRs to circumvent CI/CD.

That this is a Microsoft problem that was present pre-AI is not up for debate. See https://www.cisa.gov/sites/default/files/2025-03/CSRBReviewO...

In the age of AI, it's now endemic and being weaponised.

> That this is a Microsoft problem that was present pre-AI is not up for debate. See https://www.cisa.gov/sites/default/files/2025-03/CSRBReviewO...

No argument from me, but what would you have them do in the immediate timeframe?

Some form of public communication from Microsoft Security indicating an actual threat to their ecosystem and published pipeline of work to reduce the ability of attacks to spread via GitHub actions.

They can publish self-congratulatory stuff like this: https://www.microsoft.com/en-us/security/blog/2026/06/05/sec... but they can't publish a post-mortem on their own platform?

I'm told that when Affirmed got compromised Microsoft Security descended on the org and rewrote their entire backlog. Where is the plan from GitHub that they are now taking security seriously, given GitHub Actions is now a primary threat vector even for projects written by their own company?

TechCrunch is very sloppy and unreliable. I've seen them reporting on things I worked on where they just invented facts for SEO purposes and there is no way to get them to correct it.

Which is worse, TC or Verge? Verge does similar making up of facts.

Similar. They both don't belong here.

What's your post mortem, then? As in, what happened and how should it be read?

Microsoft's open source projects were the target of a supply chain attack and they decided to restrict access to understand and limit exposure? Something a little more 'true' and less targeted?

Azure are able to be targets of supply chain attack because of the supply chain ecosystem that they still own. It's not really a supply chain when it's still yours.
> It's not really a supply chain when it's still yours.

I don't personally buy that; they offer a package manager in the form of NuGet for example. If their products there are compromised, they're well within normal reach to block THEIR packages, but why would they need to block the rest?

Maybe I'm missing something dumb

* GitHub [which they own] failed to detect the account was compromised

* GitHub [which they own] allowed the contribution to ignore CI

* GitHub [which they own] failed to detect suspicious content on check-in

* GitHub [which they own] isn't sufficiently integrated into Microsoft security that the compromised token wasn't rolled.