Ok, I just had a random malicious commit added to a #github repo, without a branch or tag.
Has anyone seen this before?
Is there a way of dealing with it?

@distantcam
Do you mean somebody spoofed your identity in a malicious commit? If so, there’s not much to do other than turning on verification and others enabling vigilant mode.

If someone magically added a commit to a repo you own without a PR, that sounds more like an account takeover to me, in which case rotate creds and tokens ASAP, use MFA if not already, etc.

Either way, if you have deets, send them through to GitHub’s security team; it could be part of an active campaign. The former scenario is quite a common thing these days.
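An added example (not from anyone in this thread) of how to audit a local clone for the two things raised above: commits sitting in the object store that no branch or tag reaches, and commits on a ref that lack a good signature. It assumes git is installed; the repository path and ref are arguments.

```shell
#!/bin/sh
# Added example: audit helpers for a local git clone. Not part of the thread.

# Commits present in the object store but not reachable from any branch, tag
# or other ref. Reflogs are ignored so that local checkout history does not
# hide a commit that no ref actually points to. Prints one full hash per line.
unreachable_commits() {
  git -C "$1" fsck --unreachable --no-reflogs 2>/dev/null \
    | awk '$1 == "unreachable" && $2 == "commit" { print $3 }'
}

# Commits on ref "$2" whose signature status (%G?) is anything other than
# "G" (good signature). Unsigned commits report "N". Prints "<hash>\t<author>".
unsigned_commits() {
  git -C "$1" log --format='%G?%x09%H%x09%an' "$2" \
    | awk -F '\t' '$1 != "G" { print $2 "\t" $3 }'
}
```

Only objects already in the local object store are examined, so a commit that exists only on the remote has to be present locally before the first check can see it.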

@jiim it was the second one. I’ll go check my keys, thanks!
@distantcam ah dang, so there is a tonne of infostealers lurking in dependencies and it is a rising malware threat at the moment; it’s quite possible you picked it up in a library dependency and that’s how they got your login details.
Might be worth reviewing new stuff you’ve loaded into your code recently too lest it happen again.