GitHub and Microsoft: Microsoft MSRC Allegedly Dismissed Dependency Confusion Vulnerability, Claims Researcher


Microsoft Azure Portal Dependency Confusion Vulnerability Disputed by MSRC Despite RCE Evidence

In January 2026, security researcher Wahid Fayad uncovered a dependency confusion vulnerability in Microsoft’s Azure Portal that could enable remote code execution (RCE). While analyzing JavaScript assets on portal.azure.com, Fayad identified a require statement referencing an internal NPM module, @FxInternal/NetDiagnostics, which did not exist in the public NPM registry. This left the namespace unclaimed and open to dependency confusion, a technique popularized by researcher Alex Birsan in 2021.

To test the flaw, Fayad registered the @fxinternal namespace and published a placeholder package with an out-of-band (OOB) HTTP callback payload. Within hours, the callback executed from Microsoft’s infrastructure (AS8075), confirming RCE. The exfiltrated data included internal hostnames, usernames, and node_modules paths, all tied to Microsoft’s development or pipeline environments.

Fayad reported the issue to Microsoft’s Security Response Center (MSRC) on January 28, 2026, providing logs showing Azure backend requests validating the package’s execution. Despite this evidence, MSRC closed the case on March 24, asserting the callback originated from "automated security tooling" rather than production systems. After appeals, MSRC maintained the package was "always loaded from an internal source," dismissing the risk of injection.

However, the incident triggered broader security concerns. Within a week, threat-intelligence platforms flagged @fxinternal/netdiagnostics as a supply-chain threat, and GitHub’s Advisory Database assigned it a 9.3 Critical severity rating (CWE-506: Embedded Malicious Code). The advisory validated the risk independently, regardless of Microsoft’s internal assessment.

The case highlights ongoing friction between researchers and MSRC, echoing disputes from the Nightmare-Eclipse saga where six Windows zero-days were exploited in the wild before patches were issued. While Microsoft’s May 2026 security blog documented active dependency confusion attacks targeting NPM packages, the Azure Portal incident underscores the downstream risks: any external developer or CI/CD pipeline mirroring Azure’s assets could inadvertently pull malicious code from the public registry.

Microsoft’s dismissal of the RCE evidence contrasts with third-party security systems treating the package as a high-severity threat, raising questions about vulnerability classification processes.
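The downstream risk described above (a build that references an internal scoped package while the scope is not pinned to a private registry, so the name falls through to the public registry) can be checked before install. The following is an added example, not code from the article, from the researcher, or from Microsoft; it assumes a project whose internal scopes are known to the organisation and whose registry routing lives in a standard .npmrc. All scope names, registry URLs and package names in the sample inputs are constructed for the illustration.

```javascript
// Added example (not from the article or Microsoft): audit an npm project's
// scoped dependencies against its .npmrc so that every scope declared as
// internal is routed to a private registry. A scoped dependency whose scope
// has no registry mapping resolves to registry.npmjs.org, which is exactly
// the gap a dependency-confusion publication fills.

const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Parse only the .npmrc keys this check needs: "registry=URL" (the default)
// and "@scope:registry=URL". Comment lines (# or ;) and blanks are skipped.
function parseNpmrc(text) {
  const scopeRegistries = new Map();
  let defaultRegistry = PUBLIC_REGISTRY;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "registry") {
      defaultRegistry = value;
    } else if (key.startsWith("@") && key.endsWith(":registry")) {
      // npm treats scope names case-insensitively; normalise so that a
      // reference to "@Foo/bar" matches a mapping written as "@foo".
      scopeRegistries.set(key.slice(0, -":registry".length).toLowerCase(), value);
    }
  }
  return { defaultRegistry, scopeRegistries };
}

function isPublic(url) {
  const norm = (u) => u.replace(/\/+$/, "").toLowerCase();
  return norm(url) === norm(PUBLIC_REGISTRY);
}

// Every dependency name across the sections npm installs from.
function collectDependencies(pkg) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const names = new Set();
  for (const s of sections) {
    for (const name of Object.keys(pkg[s] || {})) names.add(name);
  }
  return [...names];
}

// Returns one finding per dependency that would be fetched from the public
// registry although its scope is on the organisation's internal list
// (`internalScopes`, e.g. ["@acme-internal"]; this list is an assumption of
// the example, npm itself has no notion of "internal" scopes).
function auditScopes(npmrcText, packageJsonText, internalScopes) {
  const { defaultRegistry, scopeRegistries } = parseNpmrc(npmrcText);
  const pkg = JSON.parse(packageJsonText);
  const internal = new Set(internalScopes.map((s) => s.toLowerCase()));
  const findings = [];
  for (const name of collectDependencies(pkg)) {
    if (!name.startsWith("@")) continue; // unscoped packages are outside this check
    const scope = name.split("/")[0].toLowerCase();
    if (!internal.has(scope)) continue;
    const mapped = scopeRegistries.has(scope);
    const registry = mapped ? scopeRegistries.get(scope) : defaultRegistry;
    if (isPublic(registry)) {
      findings.push({
        name,
        scope,
        registry,
        reason: mapped
          ? "scope mapped to public registry"
          : "scope has no registry mapping; falls through to default",
      });
    }
  }
  return findings;
}

// Constructed sample inputs (not taken from any real project).
const SAMPLE_NPMRC = `
# default registry for everything not scoped below
registry=https://registry.npmjs.org/
@acme-internal:registry=https://npm.acme.example/
`;
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "portal-frontend",
  dependencies: {
    "@acme-internal/telemetry": "^2.1.0", // routed to the private registry: fine
    "@Acme-Tools/netdiag": "^1.0.0",      // internal scope, no mapping: finding
    "lodash": "^4.17.21",                 // public dependency, not checked here
  },
  devDependencies: { "@acme-tools/lint-rules": "^3.0.0" },
});

function runSample() {
  return auditScopes(SAMPLE_NPMRC, SAMPLE_PACKAGE_JSON, ["@acme-internal", "@acme-tools"]);
}

for (const f of runSample()) {
  console.log(`${f.name}: ${f.reason} (${f.registry})`);
}
```

Run against the constructed inputs, the audit reports the two @acme-tools packages and nothing else; the mixed-case "@Acme-Tools" reference is matched to the lowercase scope deliberately, mirroring the article's @FxInternal reference versus the @fxinternal scope that was claimed. A check like this belongs in CI next to the lockfile, and the same scope list should be claimed (with placeholder packages) on the public registry so that nobody else can.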

Source: https://cybersecuritynews.com/microsoft-dependency-confusion-msrc-report/

Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center

GitHub cybersecurity rating report: https://www.rankiteo.com/company/github

{
  "id": "MICGIT1780410287",
  "linkid": "microsoft-security-response-center, github",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "Developers and CI/CD pipelines mirroring Azure’s assets",
      "industry": "Technology/Cloud Services",
      "location": "Global",
      "name": "Microsoft",
      "size": "Enterprise",
      "type": "Corporation"
    }
  ],
  "attack_vector": "Supply Chain Attack",
  "data_breach": {
    "data_exfiltration": "Yes (OOB HTTP callback)",
    "personally_identifiable_information": "No",
    "sensitivity_of_data": "Low (internal metadata)",
    "type_of_data_compromised": "Internal infrastructure details (hostnames, usernames, node_modules paths)"
  },
  "date_detected": "2026-01",
  "description": "In January 2026, security researcher Wahid Fayad uncovered a dependency confusion vulnerability in Microsoft’s Azure Portal that could enable remote code execution (RCE). The flaw involved an unclaimed internal NPM module (@FxInternal/NetDiagnostics), which was vulnerable to exploitation. Fayad registered the namespace and published a placeholder package with an OOB HTTP callback payload, which executed within Microsoft’s infrastructure, confirming RCE. MSRC dismissed the issue, claiming the callback originated from automated security tooling rather than production systems, despite third-party advisories assigning it a Critical severity rating.",
  "impact": {
    "brand_reputation_impact": "Raised concerns about MSRC’s vulnerability classification processes",
    "data_compromised": "Internal hostnames, usernames, node_modules paths",
    "operational_impact": "Potential supply chain risk for developers mirroring Azure’s assets",
    "systems_affected": "Microsoft Azure Portal backend infrastructure"
  },
  "investigation_status": "Disputed (MSRC closed the case; third-party advisories flagged as Critical)",
  "lessons_learned": "Dependency confusion vulnerabilities pose significant supply chain risks. Discrepancies between vendor and third-party security assessments highlight the need for transparent vulnerability classification processes.",
  "motivation": "Security Research",
  "post_incident_analysis": {
    "root_causes": "Unclaimed internal NPM namespace (@fxinternal) left vulnerable to dependency confusion attacks."
  },
  "recommendations": [
    "Organizations should monitor for unclaimed internal package namespaces in public registries.",
    "Implement strict internal package resolution policies to prevent dependency confusion attacks.",
    "Enhance collaboration between security researchers and vendors to validate reported vulnerabilities."
  ],
  "references": [
    { "source": "GitHub Advisory Database" }
  ],
  "response": {
    "communication_strategy": "MSRC dismissed the issue; third-party advisories (GitHub) assigned Critical severity"
  },
  "stakeholder_advisories": "Third-party security platforms (e.g., GitHub) issued Critical severity advisories for @fxinternal/netdiagnostics.",
  "threat_actor": "Wahid Fayad (Security Researcher)",
  "title": "Microsoft Azure Portal Dependency Confusion Vulnerability Disputed by MSRC Despite RCE Evidence",
  "type": "Dependency Confusion",
  "vulnerability_exploited": "CWE-506: Embedded Malicious Code"
}