Microsoft has temporarily taken dozens of open-source projects on GitHub offline due to an investigation into potentially malicious code. The measure affected projects related to Azure Functions, Durable Task, and AI-related development tools, among others. Developers who rely on associated GitHub Actions were also impacted.
This was reported by OpenSourceMalware. On June 5, more than seventy Microsoft repositories were taken offline within minutes. The projects were spread across multiple GitHub organizations, including Azure, Azure-Samples, and MicrosoftDocs. Visitors received a message stating that access had been disabled by GitHub due to a violation of the terms of service.
Malware Investigation
Microsoft confirmed to TechCrunch that the repositories were intentionally taken offline. According to spokesperson Ben Hope, this was done as part of an investigation into potentially malicious content. Some of the repositories have since been made available again following a review, while other projects remain offline as the investigation continues.
Microsoft also announced that a limited number of customers have been notified because they may have downloaded code from the affected repositories. The company has not disclosed exactly how many users were affected.
A large portion of the affected repositories are related to Azure Functions. These included the runtime, SDKs, programming language-specific workers, development tools, and extensions. Repositories for GitHub Actions used to deploy Azure Functions applications were also disabled.
In addition, repositories from the Durable Task family temporarily disappeared from GitHub. These open-source projects form the basis for workflow and orchestration functions within Azure.
Problems for developers
The measure had immediate consequences for developers using GitHub Actions from the affected repositories. In particular, users of the Azure/functions-action action reported that deployment workflows could no longer be executed because the required repository was unavailable.
Microsoft advised users to temporarily use alternative deployment methods, including Azure CLI, Azure DevOps Pipelines, Azure Pipelines, VS Code, and Zip Deploy.
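As an added example (not code from Microsoft, GitHub, or the researchers cited here), the following Python check inventories workflow steps that reference actions from the organizations named above, so a team can see which pipelines depend on them and which references follow a movable tag or branch. The function names, the `WATCHED_ORGS` set, and the sample workflow are assumptions; the report does not give the full list of affected repositories.

```python
import re
from pathlib import Path

# Organizations named in the article. It does not list every affected repository,
# so a match means "review this reference", not "this action is compromised".
WATCHED_ORGS = {"azure", "azure-samples", "microsoftdocs"}

# `uses: owner/repo[/path]@ref`, optionally a list item and/or quoted.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*["']?
        (?P<owner>[A-Za-z0-9][A-Za-z0-9-]*)/(?P<repo>[A-Za-z0-9._-]+)
        (?P<path>/[^@\s"']*)?@(?P<ref>[^\s"'#]+)""",
    re.VERBOSE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def find_watched_actions(workflow_text, orgs=WATCHED_ORGS):
    """Return one dict per `uses:` reference whose owner is in `orgs`."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        # Local (./), docker:// and other owners' references are skipped.
        if not m or m["owner"].lower() not in orgs:
            continue
        findings.append({
            "line": lineno,
            "action": f"{m['owner']}/{m['repo']}{m['path'] or ''}",
            "ref": m["ref"],
            # A tag or branch can be moved; a full commit SHA cannot.
            "pinned_to_sha": bool(FULL_SHA_RE.match(m["ref"])),
        })
    return findings

def scan_repo(root="."):
    """Map each workflow file under `root` to its watched references."""
    files = sorted((Path(root) / ".github" / "workflows").glob("*.y*ml"))
    hits = {str(p): find_watched_actions(p.read_text(encoding="utf-8")) for p in files}
    return {path: found for path, found in hits.items() if found}

# Constructed sample workflow; the refs and `example-action` are made up.
SAMPLE = """\
jobs:
  deploy:
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        uses: Azure/functions-action@v1
      - uses: "azure/example-action@0123456789abcdef0123456789abcdef01234567"
"""
```

Calling `scan_repo()` from the root of a checkout returns only the workflow files that contain a watched reference, keyed by path.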
Security firms Cloudsmith and OpenSourceMalware have reported finding malware in some affected projects. According to their analysis, this code was designed to collect passwords and other sensitive login credentials from developers.
The malware is said to have specifically targeted users of AI-powered development environments, including Claude Code, Gemini CLI, and Visual Studio Code. It is unknown how many developers downloaded the affected software.
The incident occurred a few weeks after a security issue involving the open-source project Durable Task. In May, multiple malicious versions of the associated Python package appeared on PyPI. Researchers concluded at the time that GitHub Actions credentials had been misused in that incident.
Microsoft has not confirmed whether there is a connection between that earlier incident and the current investigation. The company has not yet released any technical details regarding the cause of the compromise or the nature of the malware found.
For now, some of the repositories remain offline while the investigation continues. Microsoft has indicated that it will notify additional customers directly if warranted.