* GitHub [which they own] failed to detect the account was compromised

* GitHub [which they own] allowed the contribution to ignore CI

* GitHub [which they own] failed to detect suspicious content on check-in

* GitHub [which they own] isn't sufficiently integrated into Microsoft security that the compromised token wasn't rolled.