A security researcher was able to add a counterfeit test package to the official list of Microsoft Azure SDK latest releases. The package has a disclaimer in multiple places clarifying that this is “NOT a dependency confusion test”” Microsoft has now removed the alexbirsantest package from the list of official Azure SDK releases. An attacker could easily disguise their malicious package with a name similar to other Azure SDK packages. An attack could potentially become the root cause of a software supply chain attack if downloaded by an unsuspecting developer or user.”
Source: https://www.bleepingcomputer.com/news/security/microsofts-azure-sdk-site-tricked-into-listing-fake-package/