Long story short: they messed up the assign-reviewers.yml workflow, allowing external contributors to merge PRs without proper reviews. From this point on, you're fully open to all kinds of bad stuff.
The workflow was configured in a way that allowed untrusted code from a branch controlled by the attacker to be executed in the context of a GitHub action workflow that had access to secrets.
Why does it need to be a distinct product and not Cursor/ChatGPT/Claude code/any of the other existing tools?
(If you're so anti-AI that you're still writing boilerplate like that by hand, I mean, not gonna tell you what you do, but the rest of us stopped doing that crap as soon as it was evident we didn't have to any more.)
codesparkle|3 months ago
The attacker did not need to merge any PRs to exfiltrate the credentials
vanschelven|3 months ago
meowface|3 months ago
dreamcompiler|3 months ago
Oh, and describe for me exactly how it works and why. And be right about it.
slashdave|3 months ago
fragmede|3 months ago
ivanjermakov|3 months ago