Skip to main content
Application Security Standards
Microsoft Removed 73 GitHub Repos After Credential TheftIncident
5 min readFor Security Engineers

Microsoft Removed 73 GitHub Repos After Credential Theft

What Happened

Microsoft removed 73 GitHub repositories after malware compromised developer credentials and exposed a PyPI publishing token. The attack targeted the durabletask PyPI token, allowing an attacker to potentially publish malicious packages to the Python Package Index. Microsoft notified a small number of customers who may have pulled content from the affected repositories but has not disclosed the full scope of the compromise or how many developers were affected.

This incident highlights a publishing pipeline compromise—an attacker gained the ability to push code that would appear to come from a legitimate Microsoft project.

Timeline

Microsoft has not released a detailed timeline. Based on available information:

  • Unknown date: Malware compromised developer credentials
  • Unknown date: Attacker obtained durabletask PyPI publishing token
  • Unknown date: Microsoft detected the compromise
  • Following detection: Microsoft removed 73 GitHub repositories
  • Post-removal: Microsoft notified affected customers

The lack of transparency here is itself a lesson. Your incident response plan should include disclosure timelines, not just technical remediation.

Which Controls Failed or Were Missing

1. Token Lifecycle Management

The durabletask PyPI token was stored in a way that allowed malware to extract it from a developer workstation. This indicates failures in:

  • Credential storage: The token was accessible to malware running with developer privileges.
  • Token rotation: No indication that tokens were regularly rotated or had expiration policies.
  • Scope limitation: The token had sufficient privileges to warrant removing 73 repositories.

2. Workstation Security

Developer endpoints were compromised by malware. This suggests gaps in:

  • Endpoint detection and response (EDR): The malware operated long enough to exfiltrate credentials.
  • Privilege separation: Developers had access to publishing tokens on their daily-use machines.
  • Network segmentation: No evidence of isolation between development and publishing environments.

3. Publishing Pipeline Controls

The attack succeeded because a single stolen token could compromise the publishing pipeline. Missing controls include:

  • Multi-party authorization: No requirement for multiple approvals before publishing.
  • Automated integrity checks: No system to verify that published packages matched reviewed code.
  • Anomaly detection: No alerts when publishing patterns changed.

4. Identity Governance

The incident reveals that Microsoft lacked sufficient oversight of:

  • Token inventory: Who has which tokens, with what scope, for how long.
  • Access reviews: Regular validation that token holders still need their access.
  • Privileged access monitoring: Real-time visibility into publishing actions.

What the Relevant Standards Require

PCI DSS v4.0.1

If your organization processes payment data, Requirement 8.3.2 mandates that authentication factors (including tokens) be secured against misuse. Specifically:

  • Tokens must be protected during storage and transmission.
  • Access to authentication credentials must be restricted to authorized personnel.
  • Cryptographic keys and tokens must be stored securely.

Requirement 12.10.7 requires that you detect, alert, and respond to security incidents. The lack of disclosure in this incident would fail most audit interpretations of timely incident response.

ISO/IEC 27001:2022

Control 5.15 (Access Control) requires organizations to limit access to information based on business requirements. A publishing token sitting on a developer's workstation violates the principle of least privilege.

Control 8.16 (Monitoring Activities) requires logging and monitoring of access to sensitive systems. Your publishing pipeline should log every token use with sufficient detail to reconstruct who published what and when.

NIST 800-53 Rev 5

AC-6 (Least Privilege) requires that you grant only the minimum privileges necessary. A token with permissions to publish across 73 repositories clearly violates this principle.

IA-5 (Authenticator Management) specifies requirements for token lifecycle management, including:

  • Establishing minimum and maximum lifetime restrictions.
  • Changing default authenticators.
  • Protecting authenticators against unauthorized disclosure.

SI-4 (System Monitoring) requires you to detect unauthorized use of credentials. Your publishing system should alert when tokens are used from unexpected locations, at unusual times, or with anomalous patterns.

Lessons and Action Items for Your Team

Immediate Actions

Audit your token inventory. List every publishing token your team uses—PyPI, npm, Maven Central, Docker Hub, GitHub Actions secrets. Document who created each token, what scope it has, when it expires, and where it's stored. If you can't answer these questions for every token, you have the same vulnerability Microsoft had.

Implement token rotation. Set maximum lifetimes for all publishing tokens. For PyPI specifically, use scoped tokens (introduced in 2019) that limit access to specific projects. Rotate tokens quarterly at minimum, monthly if you can automate it.

Separate publishing from development. Your developers should not have publishing tokens on their laptops. Move publishing to dedicated CI/CD systems with hardware security module (HSM) or secrets management backing. GitHub Actions, GitLab CI, and CircleCI all support secrets that never touch developer workstations.

Medium-Term Improvements

Require multi-party authorization for publishing. Implement a control where publishing to production requires approval from at least two people. Tools like Sigstore can cryptographically enforce this—a package isn't valid unless it has signatures from multiple authorized keys.

Add integrity verification. Before your CI/CD system publishes a package, it should verify that the package contents match your reviewed source code. This can be as simple as comparing git commit hashes or as sophisticated as reproducible builds that cryptographically prove the binary came from specific source.

Monitor for anomalies. Alert when:

  • A token is used from a new IP address or country.
  • Publishing happens outside normal working hours.
  • Package contents change in unexpected ways (new dependencies, size changes).
  • Multiple packages are published in rapid succession.

Governance Changes

Document your token lifecycle. Your security policy should specify:

  • Maximum token lifetime (30-90 days recommended).
  • Required scope restrictions (project-specific, not organization-wide).
  • Storage requirements (secrets manager, not environment variables).
  • Rotation procedures (automated where possible).
  • Revocation process (how quickly can you kill a compromised token?).

Run access reviews. Quarterly, verify that every person with a publishing token still needs it. Revoke tokens for departed employees, contractors who finished their projects, and anyone who hasn't published in 90 days.

Measure your detection time. Microsoft hasn't disclosed how long the attacker had access. You need to know your mean time to detection (MTTD) for credential compromise. Test this with purple team exercises—have your red team steal a test token and measure how long before your blue team notices.

The Microsoft incident happened because a single compromised developer workstation could access a publishing token with broad permissions. You prevent the same outcome by ensuring that no single point of failure can compromise your publishing pipeline. Start with the token audit—you can't protect what you don't know exists.

Topics:Incident

You Might Also Like

Miasma Worm Leak: When GitHub Became the Distribution Channel
4 min readFor Security Engineers

Miasma Worm Leak: When GitHub Became the Distribution Channel

What Happened The Miasma worm s source code was deliberately distributed on GitHub through compromised developer accounts. Unlike accidental exposures or proof-of-concept leaks, this was a targeted at

Read
84 npm Packages Poisoned Despite SLSA L3
5 min readFor Security Engineers

84 npm Packages Poisoned Despite SLSA L3

On May 11, 2026, attackers published 84 malicious npm packages across 42 @tanstack repositories. Each package carried cryptographically valid SLSA Build Level 3 attestations. If your team relies on SL

Read
7,000 Langflow Instances Exposed: CVE-2026-5027 Teardown
5 min readFor Security Engineers

7,000 Langflow Instances Exposed: CVE-2026-5027 Teardown

A path traversal vulnerability in Langflow—an open-source AI development platform with more than 149,000 GitHub stars—is being actively exploited. CVE-2026-5027 allows attackers to write arbitrary fil

Read