Microsoft Compromised: 73 Repositories Disabled in Automated Attack via GitHub Actions
Key Takeaways
- 73 Microsoft Azure-connected repositories were disabled in under two minutes, a pace that points to an automated rather than manual attack
- The incident abused the integration between GitHub Actions and Azure Functions, highlighting the risk carried by cloud CI/CD pipelines
- The speed and scale of the compromise suggest a systemic weakness in how deployment credentials or permissions for GitHub-based Azure deployments are managed, rather than a one-off misconfiguration
Summary
Microsoft experienced a security incident in the integration between Azure Functions and GitHub Actions that left 73 repositories disabled within 105 seconds. Security researcher 6mile reported the event on OpenSourceMalware. According to that report, the attack abused the GitHub Actions CI/CD pipeline tied to Azure Functions and triggered an automated mass disablement across the affected projects; which specific weakness was abused (a leaked credential, an over-broad permission, or a configuration flaw) is not established.
Disabling 73 repositories in 105 seconds is not a manual pace; the scope and speed point to automation or coordinated tooling rather than hand-driven activity. The incident raises concerns about the security of cloud automation workflows and about cascading failures when a CI/CD system is compromised: one set of credentials or one over-privileged workflow can reach every repository it is wired into. Azure Functions, Microsoft's serverless computing service, offers GitHub Actions as one of its standard deployment paths, so that integration is a meaningful attack surface.
- Organizations that deploy Azure Functions from GitHub Actions should review how their workflows authenticate to Azure (long-lived publish profiles or service-principal secrets versus short-lived federated credentials) and what permissions the workflow token and the deployment identity actually hold
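What that review looks like in practice, as an added example that is not taken from the report, from 6mile, or from Microsoft: the page does not say how the affected pipelines authenticated, so the first workflow below shows the most common setup for an Azure Functions deploy from GitHub Actions (a long-lived publish profile stored as a repository secret, default token permissions, actions referenced by mutable tags), and the second shows the same deploy hardened with deny-by-default `permissions:`, a protected environment, commit-pinned actions, and OIDC federated credentials instead of a static secret. The app name `my-func-app`, the secret names, the `production` environment and the `<full-commit-sha>` placeholders are assumptions for illustration.

```yaml
# Added example (not from the report or from Microsoft). Two versions of the
# same deployment workflow. App name, secret names and the environment name
# are hypothetical; <full-commit-sha> is a placeholder for a real 40-char SHA.

# ----- Version A: the common, weak setup -----
name: Deploy function app (weak)
on:
  push:
    branches: [main]
# No top-level `permissions:` block. GITHUB_TOKEN receives the repository or
# organisation default, which can be read/write on contents, actions and more.
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4        # mutable tag: whoever can move it controls the step
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm ci && npm run build --if-present
      - uses: Azure/functions-action@v1
        with:
          app-name: my-func-app          # hypothetical
          package: .
          # A publish profile is a static credential: it does not expire on its
          # own, works from any machine, and grants deploy rights to anyone who
          # exfiltrates the secret (for example via a compromised action).
          publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }}

---
# ----- Version B: hardened -----
name: Deploy function app (hardened)
on:
  push:
    branches: [main]
# Deny-by-default for the whole workflow; each job opts in to what it needs.
permissions: {}
concurrency:
  group: deploy-production             # one deployment at a time
  cancel-in-progress: false
jobs:
  deploy:
    runs-on: ubuntu-latest
    # Protected environment: required reviewers and deployment branch rules are
    # configured in the repository settings, and the OIDC token's `sub` claim
    # will carry `environment:production`, which the Azure side can require.
    environment: production
    permissions:
      contents: read                   # enough for checkout
      id-token: write                  # lets the job request an OIDC token from GitHub
    steps:
      - uses: actions/checkout@<full-commit-sha>      # pin to a vetted commit, not a tag
      - uses: actions/setup-node@<full-commit-sha>
        with:
          node-version: '20'
      - run: npm ci && npm run build --if-present
      # Exchange the job's short-lived OIDC token for an Azure access token.
      # These three IDs are identifiers, not secrets; they are kept in
      # secrets here only to keep them out of the workflow file.
      - uses: azure/login@<full-commit-sha>           # v2 line of the action
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      # No publish-profile: the deploy uses the identity from azure/login,
      # which should hold a role scoped to this one function app only.
      - uses: Azure/functions-action@<full-commit-sha>
        with:
          app-name: my-func-app          # hypothetical
          package: .
```

The workflow is only half of the hardened setup. On the Azure side, the federated credential on the app registration should use issuer `https://token.actions.githubusercontent.com`, audience `api://AzureADTokenExchange`, and a subject of the form `repo:OWNER/REPO:environment:production`; that subject match is what stops an OIDC token minted in another repository, or on a feature branch of this one, from being exchanged for an Azure token. The identity behind `AZURE_CLIENT_ID` should carry a role scoped to the single function app rather than to the subscription. A quick audit of an organisation's workflows for `publish-profile:` references and for jobs with no `permissions:` block finds most pipelines that still look like Version A.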
Editorial Opinion
This incident is a stark reminder that cloud infrastructure security is only as strong as its weakest integration point. When CI/CD systems can disable entire repository clusters in seconds, the implications go beyond individual projects—they suggest potential architectural blind spots in how major cloud providers manage third-party automation access. Microsoft should be transparent about whether this was a credential compromise, a permission escalation issue, or a configuration flaw, as customers depend on Azure's security model for critical deployments.