pull down to refresh

0 sats \ 2 replies \ @cryptocoin OP 3 Aug 2022 \ parent \ on: 🧵 Widespread malware attack on GitHub bitcoin
I have yet to find a single real GH org; it's all copies with 0 stars, created in the last 6-10 days.

Still something @github needs to cleanse, but far, far more limited than the quoted tweet makes it sound.
view on twitter.com
As this is making the rounds, some more context:

This appears to be an extremely broad, low value, low effort, and likely low impact attack.

Given two major *coin attacks in the last 24 hours or so, infosec news gets more attention than usual.

https://twitter.com/TwitchiH/status/1554725705438601216
https://nitter.net/TwitchiH/status/1554725705438601216

write
preview
10 sats \ 1 reply \ @cryptocoin OP 3 Aug 2022
If you use npm, go get or other automatic dependency grabbing systems you better be pinning deps to particular hashes.

Do not blindly trust deps by name.

Do not allow deps to automatically upgrade to a newer version.

Hard part: Your deps might be blindly trusting their deps.

https://twitter.com/stephenlacy/status/1554697077430505473

https://twitter.com/wtogami/status/1554716537323302912
https://nitter.it/wtogami/status/1554716537323302912

reply
0 sats \ 0 replies \ @cryptocoin OP 4 Aug 2022

UPDATE

GitHub is investigating the Tweet published Wed, Aug. 3, 2022:
  • No repositories were compromised
  • Malicious code was posted to cloned repositories, not the repositories themselves
  • The clones were quarantined and there was no evident compromise of GitHub or maintainer accounts

https://twitter.com/GitHubSecurity/status/1554843443200806913
https://nitter.it/GitHubSecurity/status/1554843443200806913

reply