// Alert

Microsoft Azure threat report

Security researcher Wahid Fayad discovered a dependency confusion vulnerability in Azure Portal assets on June 2, 2026. An internal Node.js package, FxInternal/NetDiagnostics, was not registered on the public NPM registry. After registering the unclaimed @fxinternal namespace and publishing a malicious package, the researcher confirmed remote code execution by triggering out-of-band callbacks from Microsoft-owned systems. Microsoft MSRC declined to treat the issue as a vulnerability, claiming the dependency was resolved internally and activity originated from automated security tooling. The package was later assigned GHSA-83×6-432q-hpcf with CVSS 9.3 (Critical) severity.

// Get alerts for Microsoft Azure