Axios Npm Supply Chain Compromise – Guidance for Azure Pipelines Customers
On March 31 2026 malicious versions of the popular JavaScript HTTP client Axios (1.14.1 and 0.30.4) were briefly published to the npm registry, embedding a hidden dependency that contacted attacker‑controlled servers. The supply‑chain breach can affect Azure Pipelines builds that resolve dependencies during CI/CD runs, especially when custom scripts, self‑hosted agents, or third‑party extensions are used. Microsoft‑hosted agents running only built‑in tasks remain unaffected, but any pipeline that installed the compromised packages may have exposed secrets. Microsoft advises reviewing logs, rotating credentials, and clearing caches.
Azure DevOps MCP Server April Update
Microsoft released the April update for Azure DevOps MCP Server, adding a new `wit_query_by_wiql` tool for work‑item queries and expanding remote server capabilities with annotations and tool consolidation. The remote preview now tags tools as read‑only, destructive or open‑world and...
One-Click Security Scanning and Org-Wide Alert Triage Come to Advanced Security
Microsoft Azure DevOps Advanced Security now offers two major capabilities: a CodeQL default setup that enables one‑click, organization‑wide code scanning without manual pipeline configuration, and a combined alerts experience in Security Overview that consolidates all repository alerts into a single...
April Patches for Azure DevOps Server
Microsoft released Azure DevOps Server Patch 3, the latest update for its self‑hosted DevOps platform. The patch addresses a null‑reference exception that could abort pull‑request completions, tightens sign‑out validation to block malicious redirects, and resolves a failure when creating personal access...
Authentication Tokens Are Not a Data Contract
Azure DevOps announced that authentication tokens will be encrypted this summer, rendering their payloads unreadable to client applications. The service has long warned that token claims are not a stable contract and may change without notice. Developers who decode token...
March Patches for Azure DevOps Server
Microsoft has released Patch 2 for Azure DevOps Server on March 13 2026, addressing a defect that could deactivate group memberships. The update applies to on‑premises installations that were deployed before the re‑published release and completes remediation for customers who previously ran the...
Condensed Views on Kanban and Sprint Boards
Azure DevOps is adding a condensed view option to its Kanban and Sprint boards, letting users switch between the standard card layout and a compact view that displays only the work item ID and title. The feature addresses screen‑space constraints...
February Patches for Azure DevOps Server
Microsoft released February 2026 patches for its self‑hosted Azure DevOps Server suite, covering the core product and the 2022.2, 2020.1.2, and 2019.1.2 releases. Each patch is available via direct download links and includes detailed release notes. The company urges all...