Security News > 2021 > March > Researcher adds their package to Microsoft Azure SDK releases list

Researcher adds their package to Microsoft Azure SDK releases list
2021-03-17 08:01

A security researcher was able to add a counterfeit test package to the official list of Microsoft Azure SDK latest releases.

The simple trick if abused by an attacker can give off the impression that their malicious package is part of the Azure SDK suite.

As of a few days ago, the Azure SDK releases page showed the authentic Microsoft Azure SDK releases alongside the mysterious package alexbirsantest.

One of the users pointed out that a GitHub commit was pushed by the "Azure-sdk" bot and added the alexbirsantest package to the CSV file supposedly used for populating the Microsoft Azure SDK releases page.

An adversary being able to add a malicious package with a name similar to other Azure SDK packages can easily disguise their malware as a part of the official Azure SDK releases.

As seen by BleepingComputer, Microsoft has now removed the alexbirsantest package from the list of their official Azure SDK latest releases.


News URL

https://www.bleepingcomputer.com/news/security/researcher-adds-their-package-to-microsoft-azure-sdk-releases-list/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2820 161 4400