Supply chain attacks are now targeting AI developers specifically
Microsoft's open source tooling was compromised to steal credentials from AI developers, with 73 repositories disabled according to the thread. This isn't a generic supply chain attack; it is aimed at the specific ecosystem AI developers use. The npm-scan thread from earlier in the week is clearly part of the same broader pattern.
The HN reaction is weary and not surprised. 'Another day, another supply chain vulnerability' is the tone. But the specificity of the targeting is new and worth flagging. Attackers are now going where the active development is happening, and AI tooling is where engineers are spending the most time right now.
The Gitdot Show HN, a Rust-based open source GitHub alternative, got positive attention in this context. The interest isn't purely technical: several comments mention GitHub's reliability and the appeal of self-hosting a forge. The supply chain concern is feeding a quiet desire for more control over where code actually lives.
So what?
If you're an AI developer, your credentials and your code are active targets right now. Audit what open source tooling you're using in your build pipelines, especially anything from the Microsoft/Azure ecosystem. The Gitdot thread suggests self-hosted git forges are having a moment worth evaluating for security-sensitive projects.
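As a concrete starting point for that audit, here is an added example (not code from the thread, from Microsoft, or from the Gitdot project) that reads an npm `package-lock.json` and flags the dependency properties most relevant to credential-stealing packages: tarballs resolved from a host other than the expected registry, entries with no `integrity` hash, and packages that declare an install-time lifecycle script (npm records this as `hasInstallScript` in lockfile v2/v3). The lockfile content is constructed for the example, and the allowed registry host set is an assumption you would adjust to your own mirror.

```python
import json
from urllib.parse import urlparse

# Assumption: only the public npm registry is an expected tarball source.
# Add your internal mirror hostnames here if you run one.
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed sample in package-lock.json v3 layout; not from any real project.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/left-pad-ish": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.0.tgz",
            "integrity": "sha512-CONSTRUCTEDAAAA",
        },
        "node_modules/build-helper": {
            "version": "2.3.1",
            "resolved": "https://registry.npmjs.org/build-helper/-/build-helper-2.3.1.tgz",
            "integrity": "sha512-CONSTRUCTEDBBBB",
            "hasInstallScript": True,  # runs code at `npm install` time
        },
        "node_modules/vendor-sdk": {
            "version": "0.9.0",
            # off-registry tarball and no integrity hash: two independent red flags
            "resolved": "https://mirror.example.invalid/vendor-sdk-0.9.0.tgz",
        },
        "node_modules/dev-tool": {
            "version": "4.0.0",
            "resolved": "https://registry.npmjs.org/dev-tool/-/dev-tool-4.0.0.tgz",
            "integrity": "sha512-CONSTRUCTEDCCCC",
            "dev": True,
        },
    },
})


def audit_lockfile(lock_text, allowed_hosts=ALLOWED_REGISTRY_HOSTS):
    """Return a list of (package, version, finding, detail) tuples.

    Findings:
      off-registry-source  tarball host is not in allowed_hosts
      no-resolved-url      lockfile entry has no resolved URL at all
      missing-integrity    no subresource-integrity hash to pin the tarball
      install-script       package runs a preinstall/install/postinstall hook
    """
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "?")

        resolved = meta.get("resolved")
        if resolved:
            host = urlparse(resolved).hostname
            if host not in allowed_hosts:
                findings.append((name, version, "off-registry-source", resolved))
        else:
            findings.append((name, version, "no-resolved-url", ""))

        if not meta.get("integrity"):
            findings.append((name, version, "missing-integrity", ""))

        if meta.get("hasInstallScript"):
            findings.append((name, version, "install-script", ""))
    return findings


def format_report(findings):
    """Render findings as one line each, sorted so output is stable."""
    return [
        f"{name}@{version}: {finding}" + (f" ({detail})" if detail else "")
        for name, version, finding, detail in sorted(findings)
    ]


if __name__ == "__main__":
    # On a real project: audit_lockfile(open("package-lock.json").read())
    for line in format_report(audit_lockfile(SAMPLE_LOCKFILE)):
        print(line)
```

Every "install-script" hit deserves a look at what the hook actually does before it runs on a machine holding registry tokens or cloud credentials; running `npm ci --ignore-scripts` in CI and allow-listing the few packages that genuinely need build steps is a common way to narrow that exposure.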