TaggartMar 1

I’m concerned stuff like this will lead to a “dark forest” scenario, in which the risks of open source outweigh the benefits. Not today, but it's not impossible tomorrow.

https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation

hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far - StepSecurity

A week-long automated attack campaign targeted CI/CD pipelines across major open source repositories, achieving remote code execution in at least 4 out of 5 targets. The attacker, an autonomous bot called hackerbot-claw, used 5 different exploitation techniques and successfully exfiltrated a GitHub token with write permissions from one of the most popular repositories on GitHub. This post breaks down each attack, shows the evidence, and explains what you can do to protect your workflows.

Show threadDarby M. Dixon III
@mttaggart the end goal is the end of open source because who needs it when you can vibe code whatever you need though by paying a specific vibe vendor, right?
Mar 1 at 6:22pmWeb