Daylila

Information Technology · Tuesday, 9 June 2026

01 · Briefing · what happened

Hackers poisoned Microsoft's own open-source code to rob the developers building AI

Information Technology 5 min 80 sources

A supply-chain attack laced dozens of Microsoft's GitHub projects with password-stealing malware, aimed straight at engineers using Claude Code and other AI coding tools. Plus: Massachusetts bans selling your location, WhatsApp catches NSO spyware again, and Google lines up Intel as a chip backup.

Key takeaways

  • Hackers poisoned dozens of Microsoft's own open-source projects to steal the credentials of developers using AI coding tools — a supply-chain attack that never touched the victims directly.
  • Massachusetts passed a sweeping ban on selling precise location data, while WhatsApp accused NSO Group of breaking a court order with fresh spyware attacks — two fights over who gets to watch you.
  • Google ordered three million in-house AI chips from Intel, hedging its reliance on Taiwan's TSMC the same way a careful engineer keeps a backup supplier.

The biggest tech story today isn’t a launch. It’s a theft — and it happened inside the code that millions of developers trust by default.

Microsoft’s own tools were turned into traps

Sometime around June 8, someone broke into dozens of Microsoft’s open-source projects on GitHub and quietly added password-stealing code [1]. The targets weren’t random. The poisoned tools were ones AI developers reach for constantly — Azure cloud utilities and packages that get pulled into AI coding apps like Claude Code, Gemini CLI, and VS Code [1]. When a developer opened a compromised tool inside one of those apps, the malware grabbed their credentials [1].

Microsoft pulled at least 70 projects offline while it investigated, telling a “small number of customers” they’d been hit [1]. The company’s Ben Hope said only that it “temporarily removed some repositories as we investigated potential malicious content” [1]. The breach was spotted not by Microsoft first but by outside researchers — the security firm Cloudsmith, the tracking site OpenSourceMalware, and reporters at 404 Media [1]. One project, called Durable Task, appears to have been hit twice, once in mid-May and again now [1].

What this actually is. Call it a supply-chain attack — the term for poisoning code that lots of people install, so one break-in spreads to thousands of machines. You don’t have to be careless to get caught. You just have to install a package you’ve installed a hundred times before, from a source as trusted as Microsoft. The attacker doesn’t come through your front door; they ride in on something you invited.

Why now. AI coding tools changed the math. They pull in dozens of small open-source packages automatically, fast, with developers watching the output instead of reading every dependency. That speed is the point — and it’s exactly what makes a poisoned package easy to miss. The more your work runs on code other people wrote, the more your security depends on people you’ll never meet.

The angle. If you write software, this is the week to check what your build actually pulls in. Tools that list every dependency and flag changes — Cloudsmith does this, and it’s not alone — stop being optional once your AI assistant is installing packages faster than you can read them. The practical question isn’t “is my code clean?” It’s “do I know everyone whose code is now running as mine?”
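To make that question concrete, here is a small lock-file drift check, added to this briefing as an illustration and not taken from the article or from any Microsoft project. It compares two snapshots of a lock file over the full transitive closure of the declared dependencies, so a package that only arrives by riding in on another package is still inspected; every package name, version and digest in it is constructed for the example.

```python
# Added example (not the article's or any project's code): flag dependency
# drift between two constructed lock-file snapshots, walking transitive
# dependencies so indirect packages are inspected too. All names, versions
# and digests below are made up for illustration.

# Snapshot format: name -> {"version", "sha256", "deps"}; digests are fake.
PREVIOUS = {
    "cloud-util":  {"version": "2.4.0", "sha256": "aaaa1111", "deps": ["task-runner"]},
    "task-runner": {"version": "1.9.3", "sha256": "bbbb2222", "deps": ["log-fmt"]},
    "log-fmt":     {"version": "0.5.1", "sha256": "cccc3333", "deps": []},
}
CURRENT = {
    "cloud-util":  {"version": "2.4.0", "sha256": "aaaa1111", "deps": ["task-runner"]},
    # Same version string, different artifact bytes: the package was republished.
    "task-runner": {"version": "1.9.3", "sha256": "dddd4444", "deps": ["log-fmt", "telemetry-hook"]},
    "log-fmt":     {"version": "0.5.1", "sha256": "cccc3333", "deps": []},
    # A brand-new transitive dependency that nobody declared directly.
    "telemetry-hook": {"version": "0.0.1", "sha256": "eeee5555", "deps": []},
}

def transitive_closure(lock, roots):
    """Return the set of every package reachable from the declared roots."""
    seen, stack = set(), list(roots)
    while stack:
        name = stack.pop()
        if name in seen or name not in lock:
            continue
        seen.add(name)
        stack.extend(lock[name]["deps"])
    return seen

def diff_locks(previous, current, roots):
    """Classify each package in the new closure against the old snapshot."""
    before = transitive_closure(previous, roots)
    after = transitive_closure(current, roots)
    findings = []
    for name in sorted(after - before):
        findings.append(("added", name))
    for name in sorted(before - after):
        findings.append(("removed", name))
    for name in sorted(before & after):
        old, new = previous[name], current[name]
        if old["version"] != new["version"]:
            findings.append(("version-changed", name))
        elif old["sha256"] != new["sha256"]:
            # Same version, different bytes: the clearest sign of a republished artifact.
            findings.append(("republished-same-version", name))
    return findings

if __name__ == "__main__":
    for kind, name in diff_locks(PREVIOUS, CURRENT, ["cloud-util"]):
        print(f"{kind:26} {name}")
```

The "republished-same-version" finding is the one to treat as urgent: a version number that did not move while the bytes did is exactly how a poisoned package hides behind a familiar name.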

Two fights over who can watch you

Surveillance had a loud day, on both sides of the line.

In Massachusetts, the House voted 146–0 to pass a privacy law that bans selling residents’ precise location data — the GPS-grade trail that says not just “Boston” but which building, which floor, which doctor’s office [10]. The Massachusetts Consumer Data Privacy Act also blocks selling biometric data and information about someone’s religion, immigration status, or sexual orientation without explicit consent [10]. It covers any company handling data on 100,000 or more people, and it protects anyone inside the state’s borders, not just residents [10]. The ACLU called it a “landmark”; the timing matters because the federal government recently dropped its own plan to rein in data brokers, pushing the fight down to the states [10].

On the other side, WhatsApp said it caught a fresh wave of attacks tied to NSO Group — the Israeli company behind Pegasus, spyware that can quietly turn a phone into a listening device [35]. This campaign used phishing: fake accounts and groups trying to trick people into clicking a malicious link, not the silent zero-click infections NSO is infamous for [35]. The sharper detail is legal. In 2025 a court ordered NSO to stop targeting WhatsApp users entirely [35]. WhatsApp says this new campaign breaks that order, and it filed a contempt motion to make the court enforce it [35]. The original 2019 NSO campaign hit more than 1,400 people [35]; the company didn’t say how many were targeted this time.

The thread between the two stories: your location and your messages are valuable to people you can’t see, and the only real brakes are legal ones. A unanimous state vote and a contempt motion are both bets that the law can do what the technology can’t.

Google hedges its chip bet

A quieter but telling move: Google has reportedly ordered Intel to manufacture more than three million of its in-house AI chips — called TPUs, the custom processors Google designs to run its own models — for delivery in 2028 [9]. Nvidia is also said to be testing whether Intel can build a processor that fuses four graphics chips into one, though it hasn’t placed an order [9]. Intel’s stock jumped more than 9% on the report and is up nearly 169% this year [9].

The reason to care isn’t the stock pop. It’s that the giants want a second factory. For years, advanced chips have flowed almost entirely through Taiwan’s TSMC. Lining up Intel as a backup is the same instinct as auditing your dependencies — when everything you do runs through one supplier, the smart move is to make sure there’s a second one before you need it.

Consumer note: Apple’s slow lane

At its developer conference, Apple announced iOS 27, watchOS 27, and a Siri rebuilt around AI — the long-delayed smart-assistant overhaul it first promised more than a year ago [5][23]. The reception was cool: Apple’s shares flipped negative during the keynote as investors decided “Siri AI” still looked behind, not ahead [20]. The new watchOS will only run on Apple Watch Series 9 and later, which means a lot of existing watches won’t get it [5]. The pattern holds — Apple ships refinement and catch-up where rivals ship grand claims, and the market keeps asking whether careful is fast enough.

The under-covered one: the list that names names

The Pentagon expanded its roster of firms it deems linked to China’s military, adding Alibaba and Baidu — two of China’s biggest internet companies [41]. The list doesn’t ban anything by itself, but it’s a signal that shapes who American firms and investors are warned away from. It landed just as US–China trade talks were thawing, and it’s a reminder that for the largest tech companies, the most consequential decisions increasingly come from governments, not engineers [41].

02 · Lesson · why it matters

You don't trust the thing — you trust everyone who touched it

When you install a piece of code, you're not checking the code. You're trusting a chain of strangers — and most of life runs on that same borrowed trust.

A break-in where nobody broke into you

The developers who got robbed this week did nothing careless. They opened tools they’d opened a hundred times before, from Microsoft, one of the most trusted names in software. The tools had been quietly poisoned upstream. The credentials walked out the door.

Notice what didn’t happen. No one guessed a password. No one tricked a victim into clicking a bad link. The attacker never touched the developers at all. He touched something the developers depended on — and let the dependency carry him the rest of the way in.

Trust is transitive, and that’s the whole problem

Here is the quiet fact under the headline. When you install a package, you are not deciding “is this code safe?” You can’t read it all; nobody can. What you’re actually deciding is “do I trust the people who made it?” And those people, in turn, trusted their dependencies — other packages, other strangers. Trust passes down the chain like a handshake passed hand to hand.

So your real security isn’t the size of your own walls. It’s the trustworthiness of the most distant person whose code ends up running as yours. You inherit every handshake they made. A modern program isn’t one author’s work — it’s a tower of borrowed trust, hundreds of strangers deep, and you stand on top of it.

Speed widened the door

Why now? Because AI coding tools changed how fast the tower gets built. They pull in dependencies automatically, quickly, while the developer watches the result instead of reading each piece. That speed is the entire selling point. It’s also what let a poisoned package slip past unread.

This is a general shape, not a software quirk. Whenever you make a chain faster, you make it harder to inspect each link. The convenience and the blind spot are the same thing seen from two sides. You rarely get one without the other.

You already live this way

Step back from the screen, because this isn’t really a developer story. It’s the story of how you got through today.

You ate food grown by people you’ll never meet, shipped through hands you can’t name. You took medicine you didn’t test, formulated by chemists you’ll never check. You crossed a bridge you didn’t inspect, drank water you didn’t sample, moved money through banks whose books you’ll never read. Every one of those is a poisoned-package risk. You ran them all anyway, because the alternative — verifying everything yourself — isn’t a life anyone can lead.

We don’t survive by trusting only what we can personally check. We survive by borrowing trust from chains of strangers, the same way the developers did. The developers got burned this week. But the choice they made — to depend on people they couldn’t audit — is the choice all of us make, every hour, in order to live at all.

What seeing this is for

The lesson isn’t “trust no one.” A person who trusts nothing builds nothing and eats nothing. The lesson is humbler than that: most of what holds your day together rests on hands you can’t see, and you can’t watch all of them. The bridge holds because a stranger did their job. The package was safe a hundred times because a stranger did theirs.

That should make anyone hold their sense of self-sufficiency a little more loosely. The “I did this myself” feeling is mostly a trick of the parts you can see. The developer felt safe right up until an unseen link gave way — and so do the rest of us, on every chain we ride without noticing it’s there.

03 · Lab · your turn

The Trust You Borrow

Practice deciding which dependencies to audit and which to trust, and notice that you cannot verify the whole chain yourself.

Across the beats