So Microsoft Deleted Some of Our Packages from Nuget.org Without Notice(aaronstannard.com)
6 pointsby ghuntleya day ago1 comment
  • bob1029a day ago
    > We are reaching out to inform you of an important update requirement for the Microsoft.Identity.Client package referenced in your project.

    > A previous version of this package contained a typo in a comment URL that inadvertently pointed to a typo squatting phishing site:

    > hXXps[:]//login[.]microsfoftonline[.]com/common

    I feel like actions were ~justified. Even if this is not on an authentication hot path. There is a perception around the .NET ecosystem that has to be maintained. Waiting for a package owner to respond could take a really long time.

    > We figured this was probably a nothing-burger and went about our business.

    QED

    • Aaronontheweba day ago
      To be fair, that's because their own Azure.Identity org hadn't even shipped an update addressing this vulnerability and they work in the same building.