Microsoft open-source tools hacked to steal AI developer passwords

What happened

On June 8, 2026 it emerged that attackers had compromised open-source tools from Microsoft commonly used by AI developers and injected malware that steals credentials — including Anthropic, OpenAI and HuggingFace API keys.

Context and impact

AI dev is now the richest high-value target: a single Anthropic API key = direct exfiltration of tokens worth thousands of USD per month. The attack joins the Meta Instagram chatbot hack from June 6 and the Bunq banking AI compromise. Supply chain is a new front for AI security.

Details

• Target: AI/ML engineers, their API keys and ssh config
• Vector: poisoned packages and developer tools
• Action: Microsoft coordinated a takedown with GitHub