
Microsoft open source packages tampered with to steal AI-developer passwords

TechCrunch, 2 h ago
Server racks in a data centre under dim light. Photo: panumas nikhomkhai / Pexels

Software supply-chain security has become one of the most pressing fronts in enterprise security over the past three years; attackers no longer target organisations directly but go after the dependencies those organisations use. A new finding reported by TechCrunch shows that open source packages appearing to be from Microsoft were tampered with to steal passwords from AI developers.

A report from the security firm Socket identified packages published on the NPM registry under the name microsoft-typescript-toolkit, carrying the Microsoft brand without authorisation. The names look very close to those of genuine Microsoft community tools; this technique, known as typosquatting, has long been a staple of the attack repertoire.

After installation, the malicious code scanned the developer's home directory for Hugging Face, OpenAI, Anthropic and Microsoft Azure CLI configuration files and exfiltrated API keys and session tokens to a remote server. Socket researcher Mick Boyd told TechCrunch that the target was very clearly not a single domain but the AI-developer wallet.

The packages received about 8,000 downloads in the first seven days after publication. All of them were later removed by NPM and GitHub. The Microsoft Security Response Center confirmed that the packages did not belong to the company and that it only publishes packages under verified enterprise publisher accounts.

A distinctive feature of the case was that the password-stealing component was not hard-wired as a simple HTTP POST. It only activated if the machine contained known LLM configuration directories. This conditional-payload approach is described as one that increases the likelihood attackers will slip past detection: if the files are not present, the code does nothing, so any analysis run on a machine without them observes no malicious behaviour.

Security vendors such as GitGuardian and Snyk have reported in recent months that Hugging Face tokens and LLM API keys have become some of the highest-value assets on the underground market. Once stolen, attackers can run model calls in the organisation's name, run up its bill and leak confidential data. In some cases organisations only discover the misuse after hours of unexpected API charges.

Microsoft recommended that customers rotate Azure and GitHub credentials and scan NPM and PyPI packages with the microsoft prefix against enterprise security policies. The company said it plans to highlight the Verified Publisher badge for corporate customers; this issue is on the agenda for the September NPM governance meeting.
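One way to turn the "scan packages with the microsoft prefix against enterprise policy" advice above, together with the typosquatting point earlier, into a repeatable check (an added example, not code from the article, Socket or Microsoft): audit a lockfile for brand-prefixed names outside trusted scopes, look-alikes of known names, and install-time scripts. The trusted scopes, brand prefixes, known-name list and the sample package-lock.json are all constructed for this example; the `hasInstallScript` field is what npm lockfile v2/v3 uses to mark packages with lifecycle install hooks.

```python
import json

# Constructed policy (an assumption, not from the article): scopes the organisation
# treats as the only legitimate home for Microsoft-branded packages, brand prefixes
# that should never appear outside them, and known-good names to compare against.
TRUSTED_SCOPES = {"@microsoft", "@azure"}
BRAND_PREFIXES = ("microsoft-", "azure-")
KNOWN_NAMES = {"typescript", "@microsoft/api-extractor", "@azure/identity"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike (typosquatted) names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_package(name: str, meta: dict) -> list[str]:
    """Reasons one lockfile entry should be reviewed before it is installed."""
    reasons = []
    scope = name.split("/", 1)[0] if name.startswith("@") else None
    if name.lstrip("@").startswith(BRAND_PREFIXES) and scope not in TRUSTED_SCOPES:
        reasons.append("brand prefix outside trusted scope")
    if name not in KNOWN_NAMES and any(edit_distance(name, k) <= 2 for k in KNOWN_NAMES):
        reasons.append("look-alike of a known package name")
    if meta.get("hasInstallScript"):  # lockfile v2/v3 flags install-time hooks
        reasons.append("runs a lifecycle install script")
    return reasons

def audit_lockfile(lock_text: str) -> dict[str, list[str]]:
    """Audit a package-lock.json (lockfileVersion 2 or 3); returns name -> reasons."""
    findings = {}
    for key, meta in json.loads(lock_text).get("packages", {}).items():
        if key == "":  # the root project entry, not a dependency
            continue
        name = key.rsplit("node_modules/", 1)[-1]
        if reasons := audit_package(name, meta):
            findings[name] = reasons
    return findings

# Constructed sample lockfile: the unscoped brand-named entry mirrors the article's case.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/typescript": {"version": "5.4.5"},
    "node_modules/@azure/identity": {"version": "4.2.0"},
    "node_modules/microsoft-typescript-toolkit": {"version": "1.0.3", "hasInstallScript": True},
    "node_modules/typescrlpt": {"version": "0.0.1"},
}})
```

Run `audit_lockfile(SAMPLE_LOCK)` to get the flagged names; in a CI gate the same function would be pointed at the repository's real lockfile.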

The incident also drew attention to the Python ecosystem on PyPI. An analysis carried out by TechCrunch showed that 47 AI-related PyPI packages in the past four months have targeted credentials in a similar way. PyPI maintainers are discussing whether to add an extra review layer for naming patterns linked to AI.

Short-term recommendations for developers include checking package provenance data before installing new packages, enabling NPM's audit signatures feature and reading LLM API keys from a hardware key store rather than from plain-text local files. Automating key rotation is also flagged as a priority improvement.

The broader picture is now clear: AI developers are the new high-priority target of supply-chain attacks. As TechCrunch points out, the prize the malicious payload is after is no longer the bank card number but the LLM access key. This is reshaping security team priorities through 2026.

This article is an AI-curated summary based on TechCrunch. The illustration is a stock photo by panumas nikhomkhai from Pexels.
