
Between July 1st and July 10th, an internal error led to the unintended deletion of over 300 package versions from NuGet.org. This was not due to a security breach or external attack, but a result of flaws in our internal review and automation processes. We are truly sorry for the serious disruption this caused and take full responsibility.

Thank you to everyone who reached out with questions like the ones below. We wanted to share what happened, the impact, how we resolved it, and most importantly what we are doing to ensure it never happens again.

“Microsoft was able to delete some of our packages without notice—what's the explanation?”

“Will my packages be arbitrarily deleted again in the future without any notice the next time a Microsoft team introduces a severe vulnerability in their code?”

What Happened

After the discovery of a malicious website registered to a typo in a popular package (Microsoft.Identity.Client), we responded by removing certain dependent packages from NuGet.org as a precaution. A combination of automated tools, insufficient safeguards in the review process, and miscommunication led to the erroneous deletion of hundreds of package versions.

This action, while intended to protect the ecosystem, inadvertently affected 111 package authors and their users. We are improving our processes immediately to ensure more robust safeguards and clearer communication moving forward.

Impact

  • 210 packages (over 300 versions) were deleted from NuGet.org
  • 111 authors were directly affected
  • Multiple development pipelines broke, halting CI/CD workflows and blocking builds across numerous teams

Resolution

Once we identified the issue, all package deletion activities were halted right away to prevent further impact.

We took the following steps:

  • Worked closely with our security teams to reassess the original threat and adjust the automation rules that contributed to the error
  • Every deleted package was fully restored from backup, and we performed integrity checks to ensure each version matched the original and had not been altered
  • Provided regular status updates on https://status.nuget.org/ and reached out directly to affected users
  • Reached out individually to all affected maintainers to provide support and clarity
  • Offered ongoing support through a dedicated channel for any remaining issues

As of July 16th, all impacted packages are restored and available on NuGet.org, with no data permanently lost.

Root Cause

The root cause of this incident was a flawed internal process that allowed a legitimate security concern to trigger incorrect action on a disproportionate scale. Specifically, a typo-squatting URL discovered in a single package led our automated systems to flag related packages as potentially unsafe due to transitive dependencies.

The decision to delete these packages was not malicious or externally influenced. Package removal is considered only in rare and extreme cases where there is potential for imminent harm to the NuGet community. However, in this instance the decision was made under incomplete information, ambiguous internal communication, and without a formal approval process appropriate for a high-impact action of this scale.

Improving Policy

To ensure this never happens again, we have overhauled our processes to prioritize caution, accountability, and communication. Deletion has always been a last resort to protect the NuGet community from the potential of imminent harm from a package. We are now adding checks to bolster the process to give strong preference for safer actions like un-listing or advisories.

New Safeguards

  • Formal review process: Any action involving multiple packages or security concerns must now go through a formal review process with multiple levels of oversight, including executive approval
  • Improved communication: Enhanced communication protocols to ensure maintainers are notified in advance with clear explanations before any package action is taken
  • Refined security scanning: Improved security scanning to reduce false positives, especially for transitive dependencies
  • Clear playbooks: Implemented clearer playbooks and terminology to guide incident response and avoid missteps in the future

Looking Forward

NuGet exists to support the developer community. In this case, we disrupted that mission. We are sorry for the impact caused and are committed to restoring your trust.

  • ✅ The packages are back
  • ✅ The initial threat has been addressed
  • ✅ Our systems and processes are stronger because of this event

Thank you to everyone who spoke up and helped us respond faster and better. We're listening, we're learning, and we're improving.

If you're still affected or have further questions, please reach out to support@nuget.org.

The NuGet Team


Thank you very much for writing this up and investigating it. This alleviates my concerns about the possibility of this happening again in the future. I'll update the blog post I'd written about this to reflect your update here.

Much appreciated!

@Frulfump

Yeah agree that's nice to see!
(One of the discussions linked here if others see this but not the original discussion #14413)

And shouldn't an announcement be posted on https://github.com/NuGet/Announcements/issues as well as that's the only high signal low noise option?

@earloc

Well handled, quite exemplary for whomever might face a similar situation (which I wouldn't wish anyone to be in 🙃).
Big thanks for (re-)building trust in our ecosystem.


This was well handled, thank you.
