Microsoft MSRC Allegedly Rejects Fix for Dependency Confusion Vulnerability
Microsoft declined to treat a dependency confusion incident affecting Azure Portal assets as a security vulnerability after a researcher demonstrated remote code execution (RCE) via a publicly published NPM package.
Security researcher Wahid Fayad discovered that an internal Node.js dependency referenced by portal.azure.com (FxInternal/NetDiagnostics) was not published to the public NPM registry.
Recognizing a classic dependency confusion vector, the researcher registered the unclaimed @fxinternal namespace and published a benign package named netdiagnostics.
Because the internal dependency was unresolved, Microsoft-controlled systems appeared to resolve and fetch the publicly published package.
To validate impact, the researcher released a higher-version package that performed an out-of-band (OOB) HTTP callback when executed.
Shortly after publishing the package, a callback originating from an IP range linked to AS8075 (Microsoft Corporation) was observed.
The callback included contextual data that demonstrated code execution inside a Microsoft environment, such as an internal hostname (DESKTOP-XXXXXX), a local node_modules path, and the username of the running process.
These findings indicate externally hosted code ran within a Microsoft system and therefore demonstrate a supply chain exposure with potential RCE implications.
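The exposure described above comes down to an internal scope that is neither claimed on the public registry nor pinned to a private one, so the resolver is free to pick up a higher public version. The following audit, added here as an illustration and not code from the article or from Microsoft, checks an npm project's .npmrc and package-lock.json for exactly that condition; the scope names, registry hostnames and lockfile entries are constructed sample data.

```javascript
// Added example, not code from the article or from Microsoft: a lockfile audit
// for dependency-confusion exposure. Packages in scopes the organization treats
// as internal must be pinned to a private registry in .npmrc and must resolve
// there in package-lock.json, never to the public registry.
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";
// Parse the "@scope:registry=URL" lines of an .npmrc into { scope: url }.
function parseNpmrcScopes(npmrcText) {
  const scopes = {};
  for (const raw of npmrcText.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const m = line.match(/^(@[^:=\s]+):registry\s*=\s*(\S+)$/);
    if (m) scopes[m[1]] = m[2];
  }
  return scopes;
}
// Walk the "packages" map of a v2/v3 package-lock.json and report internal-scope
// packages that are unpinned or that resolved outside their private registry.
function auditLockfile(lock, internalScopes, npmrcScopes) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + 13);
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    if (!scope || !internalScopes.includes(scope)) continue;
    const pinned = npmrcScopes[scope];
    const resolved = meta.resolved || "";
    if (!pinned) {
      findings.push({ name, reason: `scope ${scope} has no private registry in .npmrc` });
    } else if (resolved.startsWith(PUBLIC_REGISTRY) || !resolved.startsWith(pinned)) {
      findings.push({ name, reason: `resolved outside ${pinned}: ${resolved}` });
    }
  }
  return findings;
}
// Constructed sample input (registry hostnames are placeholders): @fxinternal is
// pinned, @fxplatform is not; the netdiagnostics entry mirrors the article, with
// a high public version resolved instead of the unpublished internal package.
const SAMPLE_NPMRC = "# constructed\n@fxinternal:registry=https://pkgs.example.internal/npm/\n";
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "portal-sample" },
  "node_modules/@fxinternal/netdiagnostics": { version: "99.0.0", resolved: "https://registry.npmjs.org/@fxinternal/netdiagnostics/-/netdiagnostics-99.0.0.tgz" },
  "node_modules/@fxinternal/telemetry": { version: "1.2.0", resolved: "https://pkgs.example.internal/npm/@fxinternal/telemetry/-/telemetry-1.2.0.tgz" },
  "node_modules/@fxplatform/ui": { version: "2.0.0", resolved: "https://registry.npmjs.org/@fxplatform/ui/-/ui-2.0.0.tgz" },
  "node_modules/lodash": { version: "4.17.21", resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
} };
// Audit the constructed sample; unscoped public packages such as lodash are ignored.
function runSample() {
  return auditLockfile(SAMPLE_LOCK, ["@fxinternal", "@fxplatform"], parseNpmrcScopes(SAMPLE_NPMRC));
}
```

Run in CI against the committed lockfile and fail the build on any finding; the same check belongs on the registry side too, since a lockfile only records what the last install resolved.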
Microsoft’s Response
Fayad disclosed the issue to the Microsoft Security Response Center (MSRC) on January 28, 2026. MSRC reviewed the submission and concluded the dependency was resolved internally.
MSRC classified the activity as originating from internal automated security tooling rather than a production or runtime path, and therefore assessed the issue as non-exploitable. MSRC closed the report on March 24, 2026.
Following the initial closure, the researcher submitted additional telemetry and backend validation requests tied to Azure services.
MSRC reviewed these follow-ups but declined to change their determination, maintaining that observed activity did not represent a vulnerability in production systems.
Timeline
- Jan 28, 2026: Discovery, namespace registration, RCE validation.
- Feb 2026: MSRC disputes exploitability, attributes execution to telemetry.
- Mar 24, 2026: Case closed as non-vulnerable.
- Apr–May 2026: Appeals rejected; ecosystem impact shared.
- Jun 2, 2026: Public disclosure.