Why did Microsoft disable 70+ GitHub repos?
Microsoft disables GitHub repos after injected malware
Microsoft shut down more than 70 repositories on GitHub, including Azure-related projects such as azure-functions-host, after hackers reportedly added credential-stealing malware to the code. The affected repositories were taken offline as part of an incident response to stop further misuse and prevent automated systems—especially AI coding agents and developer tooling—from pulling compromised packages or code.
The key issue is a software supply-chain risk: attackers were able to compromise code assets hosted in public repositories, then rely on downstream developers to fetch or integrate that code. In this case, the credential-stealing behavior is designed to harvest access information from anyone who installs, runs, or otherwise interacts with the compromised software.
Microsoft’s action matters because GitHub repos are commonly referenced in build pipelines, dependency management, and automation workflows. When the attacker’s goal is credential theft, even “small” library or tooling repos can have outsized impact—especially if they can be incorporated into production systems or developer environments.
What changed immediately
- The repositories were disabled/removed from public access.
- GitHub availability for those codebases was effectively paused to limit exposure.
- Microsoft’s investigation focused on how the compromise occurred and how far it spread.
For teams that rely on GitHub-hosted dependencies or mirror repos into internal systems, this kind of takedown is a reminder to validate provenance and use scanning that can detect malicious behavior, not just broken builds.
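One way to start on the provenance check described above, as an added example that is not Microsoft's or GitHub's tooling: a small audit that scans workflow and build files for GitHub references, flags any that point at a repository on a review list, and flags any not pinned to a full commit SHA. The watchlist contents beyond azure-functions-host, the owner names, and the sample input are constructed for illustration.

```python
import re

# Repo names under review. "azure-functions-host" is the one named in the
# article; the rest of the list would come from your own incident tracking.
WATCHLIST = {"azure-functions-host"}

# GitHub references: workflow `uses: owner/repo[/path]@ref`, or a
# github.com URL (https or ssh) with an optional @ref / #ref suffix.
TOKEN_RE = re.compile(
    r"(?:uses:\s*|github\.com[/:])([\w.-]+)/([\w./-]+?)"
    r"(?:[@#]([\w./-]+))?(?=[\s\"']|$)"
)
SHA_RE = re.compile(r"[0-9a-f]{40}")  # full commit SHA; tags and branches can move


def audit(text, watchlist=WATCHLIST):
    """Return (line_no, 'owner/repo', ref_or_None, [issues]) for risky references."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for owner, path, ref in TOKEN_RE.findall(line):
            if owner.startswith("."):        # local action such as ./.github/...
                continue
            repo = path.split("/")[0]
            if repo.endswith(".git"):
                repo = repo[:-4]
            issues = []
            # A watchlisted repo is reported even when pinned: the pinned
            # commit itself still has to be reviewed.
            if repo.lower() in watchlist:
                issues.append("watchlisted")
            if not SHA_RE.fullmatch(ref):
                issues.append("mutable-ref")
            if issues:
                findings.append((lineno, f"{owner}/{repo}", ref or None, issues))
    return findings


# Constructed sample: a workflow fragment plus a submodule-style URL.
SAMPLE = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
  - uses: example-org/deploy-tool/action@main
  - run: git clone https://github.com/example-org/azure-functions-host.git
  url = git@github.com:example-mirror/azure-functions-host.git
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Matching on the repository name rather than owner/name also surfaces forks and internal mirrors of a watchlisted project.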
Overall, the incident underscores that the AI-assisted development ecosystem raises the stakes for supply-chain security: automation can scale both good updates and bad compromises if verification is weak.