Hacker News

cyberjerkXX 04/24/2025 (1 reply)

I can explain why I doubt him.

The evidence supporting his claim is a screenshot of an Excel spreadsheet with several columns excluded. It appears to have been exported from the DeviceProcessEvents table within the advanced threat hunting schema. However, he failed to provide the threat hunting dashboard view, which would include critical context such as the process tree, MD5 hash, account SID, account domain, and process creation time. Given that he clearly has access to Microsoft Defender XDR or Defender for Endpoint, he has the capability to conduct a thorough investigation. Yet, he did not do so, nor did he include that information in his legal submission. As a result, I find his claims unconvincing.

As for the forked repo deletion - I have no clue. It seems like the repo was already well known. I'm not a dev so I'd defer to a dev's opinion here. The system owner could be function testing, fuzzing, performance testing, etc. Why didn't he show the process tree, the system name, and netflow to prove that the system running code was interacting with prod? He clearly has access to Azure tools that would allow him to do that.
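The context the comment says is missing (process tree, hashes, account SID and domain, creation time, and network activity from the same host) can be pulled straight from Advanced Hunting. This is an added KQL example, not the commenter's query; the hostname and process name are placeholder assumptions to replace with the values under investigation.

```kql
// Added example (not from the comment): Advanced Hunting query that gathers
// the investigative context named above for one process on one host.
// target_device and target_process are placeholders, not values from the thread.
let target_device = "PLACEHOLDER-HOSTNAME";
let target_process = "placeholder.exe";
let lookback = 7d;
// 1. Process creation: hashes, account identity and parent chain (the process tree)
let procs = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where DeviceName =~ target_device and FileName =~ target_process
| project Timestamp, DeviceName, ProcessId, ProcessCreationTime,
          FileName, FolderPath, ProcessCommandLine, MD5, SHA256,
          AccountName, AccountDomain, AccountSid,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName;
// 2. Network connections initiated by that process on the same host
let net = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where DeviceName =~ target_device and InitiatingProcessFileName =~ target_process
| project DeviceName,
          ProcessId = InitiatingProcessId,
          ProcessCreationTime = InitiatingProcessCreationTime,
          NetTime = Timestamp, ActionType, Protocol,
          LocalIP, LocalPort, RemoteIP, RemotePort, RemoteUrl;
// 3. Join on (device, pid, creation time) so PID reuse does not mix up
//    two different process instances; leftouter keeps processes with no traffic
procs
| join kind=leftouter net on DeviceName, ProcessId, ProcessCreationTime
| order by Timestamp asc, NetTime asc
```

Rows with an empty RemoteIP are processes that made no recorded connection; the rest show which remote endpoints a given process instance, under a given account, actually talked to.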


Replies

snowflakeandrey 05/03/2025

Thanks for chiming in with your experience. Would you attribute the doubt to a DevOps person without Security experience, or someone with ulterior motives? Has CISA determined the lost credentials to be password stuffing or endpoint compromise? Seems plausible that DOGE staff had infostealers on their endpoints and the automated validation of those credentials did not include a review of where they got them or whether it will be noticed.

The (under oath) claims of extraction of data seem strange for the reasons you mentioned, but so do the threats, as well as the NLRB PR rep stating that DOGE was never there; I think there's more to be discovered that could clarify what happened.