Open-source software used by more than 23,000 organizations, some of them in large enterprises, was compromised with credential-stealing code after attackers gained unauthorized access to a maintainer account, in the latest open-source supply-chain attack to roil the Internet.

https://arstechnica.com/information-technology/2025/03/supply-chain-attack-exposing-credentials-affects-23k-users-of-tj-actions/

Large enterprises scramble after supply-chain attack spills their secrets

tj-actions/changed-files corrupted to run credential-stealing memory scraper.

Ars Technica
The plot in this tj-actions supply-chain attack thickens. Another widely used GitHub Action, reviewdog/action-setup, was also tampered with, using similar but not identical methodology. From @wiz
GitHub Action supply chain attack: reviewdog/action-setup | Wiz Blog

A supply chain attack on tj-actions/changed-files leaked secrets. Wiz Research found another attack on reviewdog/action-setup, possibly causing the compromise.

wiz.io

@dangoodin GitHub made the learning curve for Actions so high that everybody uses the libraries.

I find it so much easier to write my own job code in GitLab. Of course, similar attacks could come via DockerHub there.

@dangoodin as if running a container for each step in your CI would be a bad idea.
@dangoodin Users aren't "failing to follow best practices"; GitHub's own examples and guidance for using Actions tell users to use a tag, not a commit hash. Using a hash is definitely safer and I wouldn't be surprised if GitHub quietly changed their guidance, but it's certainly not a best practice that has been widely given to users.
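The tag-versus-commit-hash point in the reply above is checkable mechanically: a `uses:` reference pinned to a full 40-character commit SHA cannot be silently redirected when a maintainer account retags a release, whereas a tag or branch reference can. Below is an added example, not code from Ars Technica, Wiz, GitHub or any of the commenters, that scans a workflow file for action references not pinned to a SHA. The workflow text, the `example-org/example-action` name, the `v1` tag and the 40-hex SHA are constructed placeholders; the regex-based parsing is an assumption made so the script runs without a YAML library.

```python
import re

# A full commit SHA is exactly 40 hex characters; anything else is a mutable reference.
SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

# Matches "uses: owner/repo[/path]@ref", optionally quoted, with or without a leading "- ".
# Assumption: one "uses:" per line, which is how workflow YAML is normally written.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<action>[^@'\"\s]+)@(?P<ref>[^'\"\s#]+)")


def classify_ref(ref):
    """Return 'sha' for an immutable pin, otherwise describe the mutable reference kind."""
    if SHA_RE.match(ref):
        return "sha"
    if re.fullmatch(r"v?\d+(\.\d+){0,2}", ref):
        return "version-tag"      # e.g. v1, v1.2, 3.0.1: a tag that can be re-pointed
    return "branch-or-tag"        # e.g. main, latest, release: moves on every push


def find_unpinned_uses(workflow_text):
    """Return (line_number, 'action@ref', kind) for every third-party action not pinned to a SHA.

    Local actions (./path) and docker:// images have no tag-retargeting problem of this
    kind and are skipped; a real audit would check image digests separately.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group("action"), m.group("ref")
        if action.startswith("./") or action.startswith("docker://"):
            continue
        kind = classify_ref(ref)
        if kind != "sha":
            findings.append((lineno, f"{action}@{ref}", kind))
    return findings


# Constructed sample workflow (not a real repository's file). The SHA is a placeholder.
SAMPLE_WORKFLOW = "\n".join([
    "name: ci",
    "on: [push]",
    "jobs:",
    "  build:",
    "    runs-on: ubuntu-latest",
    "    steps:",
    "      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1, pinned",
    "      - uses: tj-actions/changed-files@v1",
    "      - uses: reviewdog/action-setup@main",
    "      - uses: ./.github/actions/local-step",
    "      - name: build",
    "        run: make",
])

if __name__ == "__main__":
    for lineno, ref, kind in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is pinned to a {kind}, not a commit SHA")
```

Running the script against the constructed workflow reports lines 8 and 9; the SHA-pinned step on line 7 and the local action on line 10 are not flagged. The useful property of a SHA pin is that a compromised maintainer account can move a tag but cannot change what a given commit hash resolves to; the trade-off is that updates no longer arrive automatically, so SHA pins are normally paired with a dependency-update bot that proposes new hashes for review.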
@dangoodin maybe if megacorps stop being parasitic leeches and bother to contribute real money and dev time to projects and their staff, these problems wouldn't be so bad...