Microsoft Package Repository Hit Again: 73 Malicious Packages Deploy Credential Stealers Targeting AI Agents

Microsoft's package repository has been compromised for the second time in recent weeks, with 73 malicious packages containing self-replicating credential stealers that activate when opened by AI agents. The attack represents a significant supply chain vulnerability, as the packages are designed to automatically propagate and steal credentials from systems that interact with them.

Why it matters: This recurring vulnerability in major package repositories poses a direct threat to AI development workflows and highlights critical gaps in software supply chain security that could affect thousands of developers and enterprises relying on trusted package sources.