raffael_de 4 hours ago

What's your post mortem, then? As in - what happened and how should it be read?

bilekas 4 hours ago | parent [-]

Microsoft's open source projects were the target of a supply chain attack, and they decided to restrict access to understand and limit exposure? Something a little more 'true' and less targeted?

philipwhiuk 4 hours ago | parent [-]

Azure are able to be targets of supply chain attack because of the supply chain ecosystem that they still own. It's not really a supply chain when it's still yours.

bilekas 3 hours ago | parent [-]

> It's not really a supply chain when it's still yours.

I don't personally buy that; they offer a package manager in the form of NuGet, for example. If their products there are compromised, they're well within normal reach to block THEIR packages, but why would they need to block the rest?

Maybe I'm missing something dumb

philipwhiuk a minute ago | parent | next [-]

* GitHub [which they own] failed to detect the account was compromised

* GitHub [which they own] allowed the contribution to ignore CI

* GitHub [which they own] failed to detect suspicious content on check-in

* GitHub [which they own] isn't sufficiently integrated into Microsoft security that the compromised token wasn't rolled.
