**UPDATE**

> GitHub is investigating the Tweet published Wed, Aug. 3, 2022:
> * No repositories were compromised
> * Malicious code was posted to cloned repositories, not the repositories themselves
> * The clones were quarantined and there was no evident compromise of GitHub or maintainer accounts

https://twitter.com/GitHubSecurity/status/1554843443200806913
https://nitter.it/GitHubSecurity/status/1554843443200806913

cryptocoin

If you use npm, go get or other automatic dependency grabbing systems you better be pinning deps to particular hashes.

Do not allow deps to automatically upgrade to a newer version.

Hard part: Your deps might be blindly trusting their deps.

https://twitter.com/stephenlacy/status/1554697077430505473

https://twitter.com/wtogami/status/1554716537323302912

https://nitter.it/wtogami/status/1554716537323302912

bitcoin

🧵 Widespread malware attack on GitHub

> If you use npm, go get or other automatic dependency grabbing systems you better be pinning deps to particular hashes.
> 
> Do not blindly trust deps by name.
> 
> Do not allow deps to automatically upgrade to a newer version.
> 
> Hard part: Your deps might be blindly trusting their deps.
> 
> https://twitter.com/stephenlacy/status/1554697077430505473

https://twitter.com/wtogami/status/1554716537323302912
https://nitter.it/wtogami/status/1554716537323302912