Microsoft MSRC Allegedly Declines Action on Dependency Confusion Vulnerability
ID: dc0291ae-f485-5493-8807-25b655092bf6
STIX ID: report--dc0291ae-f485-5493-8807-25b655092bf6
Feed Name: GBHackers
A security researcher demonstrated a dependency confusion issue in Azure Portal assets by claiming an unregistered internal npm namespace and publishing a package under it; the package produced an out-of-band callback from Microsoft infrastructure, exposing its execution context. MSRC closed the report as non-exploitable, attributing the activity to internal tooling, despite the proof-of-concept RCE evidence and the package's addition to the GitHub Advisory Database with a CVSS 9.3 rating. The case underscores supply-chain risk to external developers.
