nyouhd | 4 months ago

Not to defend the pull_request_target, it is dangerous... But, am I the only one who thinks it was a stretch to say "just like that, we had a github actions token with read/write access to nixpkgs"?

They were able to dump arbitrary files to logs. The secrets were automatically obfuscated with *** in the logs. How could they exfiltrate the token?
