
> In this specific case, the bad actor changes all of the version tags to point to their malicious commit: https://github.com/tj-actions/changed-files/tags

This required compromising the entire repository, yes? It can't be explained as the maintainer being tricked into merging something malicious?
Yes. It was probably a maintainer's creds being compromised.

The [malicious commit is masquerading as a commit from Renovate](https://github.com/tj-actions/changed-files/commit/0e58ed867...) (https://github.com/apps/renovate), but it's not a `verified` commit (and so it's trivial for a bad actor to masquerade as them).

https://stackoverflow.com/questions/67609381/why-do-all-my-g...
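A defensive check related to the tag-repointing discussed in this thread, added here as an example and not part of the original discussion or of the tj-actions project: it scans a workflow file for `uses:` references and flags any pinned to a mutable tag or branch rather than a full 40-hex commit SHA, since a SHA pin is what keeps a moved tag from silently pulling a different commit. The sample workflow and its SHA are constructed placeholders.

```python
import re

# Matches `uses: owner/repo[/path]@ref` lines in a workflow file.
# Local (./path) and docker:// steps carry no @ref and are ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return (action, ref) pairs whose ref is not a full commit SHA.

    Tags (v4, v45) and branches (main) are mutable: whoever controls
    the repo can move them, as happened in the incident above.
    """
    unpinned = []
    for match in USES_RE.finditer(workflow_text):
        action = match.group(1).strip("'\"")
        ref = match.group(2).strip("'\"")
        if not FULL_SHA_RE.match(ref):
            unpinned.append((action, ref))
    return unpinned


# Constructed sample workflow; the 40-hex value is a made-up placeholder,
# not a real commit of any project.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45   # mutable tag: can be moved
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # v45, SHA-pinned
      - uses: ./local-action
"""

if __name__ == "__main__":
    for action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref}")
```

Run it against `.github/workflows/*.yml` in CI to fail the build on any reference that is not SHA-pinned; the trailing `# v45` comment keeps the human-readable version next to the pin.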


The repo looks like it uses itself in its workflows, so it's possible that the commit being merged resulted in the necessary credentials being leaked to the attacker.


There doesn't seem to be a PR for the commit though.