A Microsoft Research Asia team published a tool called Vibing (via Microsoft Store and GitHub) that silently captures screenshots, clipboard contents, microphone audio, and keystrokes, sending them to a Microsoft Azure endpoint with unique per-machine GUIDs — all without user consent or disclosure. The software is signed by a Microsoft employee but disguised as a community open-source project with no actual source code. Its privacy policy falsely claims no third-party data sharing. Microsoft employees linked to the project have ignored developer concerns raised on GitHub. The author identifies multiple privacy and security violations and provides IoCs for detection.

5m read time. From doublepulsar.com
Table of contents:
- Get Kevin Beaumont's stories in your inbox
- What does Vibing do?
- Security concerns
- Privacy concerns
- What is Microsoft doing about this?