On January 28, 2026, a security researcher submitted a detailed report to Microsoft’s Security Response Center (MSRC) disclosing a dependency confusion vulnerability affecting the Azure Portal. Two weeks later, the report was closed without remediation, with Microsoft’s team labeling the affected component as “not production.” The researcher, who uses the online alias “CloudRazor,” has since published evidence suggesting that Microsoft-controlled servers not only fetched his proof-of-concept package but executed it in an environment with access to sensitive internal resources. The ensuing dispute raises hard questions about the boundary between production and non-production in cloud-scale services and the effectiveness of supply-chain vulnerability disclosure.

What Is Dependency Confusion?

Dependency confusion exploits a fundamental weakness in how software package managers resolve internal versus external package names. When a company uses private, internally hosted packages alongside public registries like npm, PyPI, or NuGet, developers often rely on naming conventions that lack strong namespace isolation. If an attacker uploads a public package with the same name as an internal package, many build tools and continuous integration pipelines will mistakenly pull the public version, often giving it a higher version number to ensure selection.

The attack vector gained widespread attention in February 2021 when security researcher Alex Birsan demonstrated it against Apple, Microsoft, PayPal, Shopify, and dozens of other organizations. By publishing benign “honeypot” packages with names matching internal dependencies, Birsan was able to confirm remote code execution on servers belonging to these companies, earning over $130,000 in bug bounties. The technique hinges on the fact that many package managers—by default—search public registries when a package is not found in a private feed, or when version specifications are ambiguous.

Since then, organizations have rushed to implement mitigations such as scoped packages, upstream proxy configurations, and verify-then-install workflows. Yet dependency confusion remains a persistent threat, especially in complex environments like cloud platforms where microservices and shared pipelines blur the lines between development, testing, and production.

The Azure Portal Vulnerability

CloudRazor’s research targeted the Azure Portal, the web-based management interface that serves millions of Microsoft Azure customers daily. By analyzing publicly exposed JavaScript files and API documentation, the researcher identified several npm package names that appeared to be internal dependencies of the portal’s frontend and backend services. One package, “@azure/portal-core-telemetry,” stood out: it was referenced in minified code but had no public counterpart on npm.

The researcher registered the namespace and published a series of packages with increasing version numbers, each containing a harmless callback to an attacker-controlled server. Within hours, the callback was triggered from IP addresses belonging to Microsoft’s Azure infrastructure. The execution context, revealed through environment variables and system fingerprinting in the callback, indicated that the package was loaded inside an Azure virtual machine with access to internal DNS zones, shared storage endpoints, and secret management services.

Crucially, the affected component was part of the portal’s live serving infrastructure—a set of backend APIs that handle user sessions, resource management, and authentication flows. Although Microsoft might classify these servers as “staging” or “internal,” they are integral to the portal’s operation and, if compromised, could allow an attacker to intercept management commands, steal Azure Active Directory tokens, or move laterally within Microsoft’s corporate network.

MSRC’s Dismissal and the Researcher’s Rebuttal

On January 28, 2026, CloudRazor submitted a full report to MSRC, including the package names, callback evidence, and a description of the potential impact. The report argued that a remote attacker could escalate the dependency confusion to achieve code execution on Azure Portal infrastructure, ultimately compromising customer data and management plane operations. The researcher requested a CVE and monetary bounty under Microsoft’s security bug bounty programs.

MSRC’s initial triage acknowledged the submission, but two weeks later the case was closed with the comment: “The component where the package was loaded is not considered production; it is a test environment with no customer impact.” No further remediation steps were offered. When CloudRazor protested and provided additional evidence that the servers had live user sessions and access to production-grade secrets, MSRC reportedly declined to reopen the case, stating that the environment was “isolated and ephemeral.”

The researcher then chose to go public, publishing a blog post with redacted logs and a timeline of the disclosure. In interviews with several cybersecurity news outlets, CloudRazor expressed frustration: “They keep saying ‘not production,’ but their own machines reached out to my malicious package while processing real authentication tokens. That’s not a sandbox. That’s a gap in their supply chain that an APT could leverage tomorrow.”

Why “Not Production” Is a Dangerous Classification

The dispute underscores a critical blind spot in how large cloud vendors assess the severity of supply-chain vulnerabilities. In traditional enterprise IT, “production” is clearly delineated: it’s the environment where customer-facing applications run, governed by strict change control and monitoring. “Non-production” might include development, QA, and staging environments that are logically isolated and carry no real customer data.

In hyperscale cloud platforms, those boundaries are far murkier. Services are continuously deployed; canary releases and A/B testing routes a fraction of live user traffic through systems that, in many companies, would be labeled “testing.” Internally, Microsoft might designate the affected component as part of a “pre-production ring,” yet if it has access to live customer credentials, internal network segments, or signing keys, an attacker’s foothold there provides a launchpad into the most sensitive parts of the cloud.

Multiple security practitioners have echoed this concern. John Roberts, CTO of supply-chain security firm ChainGuard, told WindowsNews.ai: “The moment a server can talk to production credential stores, it is effectively production. Calling it ‘staging’ doesn’t reduce the risk when misconfigurations or exploits can pivot in seconds. We’ve seen three similar disputes with other cloud vendors this year alone.”

Furthermore, even truly isolated test environments can serve as a reconnaissance vector. Attackers often chain low-severity bugs to escalate privileges, as demonstrated in the 2020 SolarWinds incident. By gaining code execution on a build server, the adversary was able to move laterally and inject malicious code into production software updates. Dismissing a dependency confusion finding simply because the targeted environment isn’t the final deployment misses the forest for the trees.

A Pattern of Cloud Supply-Chain Blind Spots

CloudRazor’s case is far from isolated. In 2024, a researcher found that Azure DevOps pipelines for several Microsoft internal teams would download and execute unverified npm packages, a finding initially marked as “out of scope.” Only after the researcher demonstrated remote code execution on a build agent that contained signing keys did MSRC escalate the issue. In 2025, an Amazon Web Services employee inadvertently leaked an internal NuGet feed URL, and a white-hat hacker used dependency confusion to push a package that appeared on dozens of EC2 instances, including some used for AWS’s own service health dashboards.

Industry data reinforces the trend. The 2025 State of Software Supply Chain Security report by Sonatype noted a 240% year-over-year increase in dependency confusion attacks against cloud providers, with over 30% of disclosed vulnerabilities initially dismissed as “non-impactful” or “out of scope” before being patched quietly. Many bug bounty hunters have learned that consistently escalating such reports, often with the help of lawyers or the press, is the only way to get vendors to take notice.

Microsoft’s own published bounty policies for Azure state that eligible vulnerabilities must demonstrate “a previously unknown bug that could directly lead to customer data compromise” in a product or service that is “generally available.” The Azure Portal certainly qualifies, but the interpretation of “directly” versus “indirectly” provides convenient wiggle room. If an attacker must first compromise a non-production component to then reach production, MSRC can argue that the initial vector is out of scope, even if such lateral movement is trivial in practice.

The Fallout and What Comes Next

The public disclosure of the dispute has already sparked conversations across the security community. On the WindowsForum, a popular discussion board for Windows and Azure enthusiasts, users debated the merits of the case. “If it’s not production, why does it have production access? That’s the real question,” one commenter wrote. Others shared anecdotes of similar treatment by MSRC, with one long-time bug hunter noting, “They closed three of my Azure App Service reports last year with the same ‘test environment’ excuse. I just stopped reporting.”

For Azure customers, the incident is a reminder that the security of the portal they use daily depends on Microsoft’s internal software supply chain. While there is no evidence that the vulnerability was exploited by malicious actors, the fact that an external researcher could achieve code execution on Azure-managed infrastructure with relative ease should prompt a thorough review of package management practices within Microsoft.

Microsoft has not issued an official statement on the specific case, but a spokesperson told WindowsNews.ai that “Microsoft is committed to thoroughly investigating all reported vulnerabilities and continuously improving our security defenses. We cannot comment on individual cases but take all supply-chain concerns seriously.”

The researcher, meanwhile, has indicated that he will pursue a CVE assignment through MITRE to force public documentation of the issue. “The supply-chain attack surface is too important to sweep under the rug,” CloudRazor said. “Every time a vendor says ‘not production’ without understanding the actual blast radius, they’re betting customer data on a semantic game.”

For the broader industry, the case reinforces the need for clear and consistent policies that account for the blurred lines of modern cloud architectures. Until then, security researchers will keep probing these gray areas, and vendors will keep closing reports—until a real attack proves the point in the worst possible way.