by domh 1520 days ago
Yeah, I see lots of the same. They seem to correspond with Heroku deploys? Anyone know if that happens when a valid Heroku deploy occurs? Do they download a zip?

I've reached out to Heroku support to ask.

2 comments

Normal Heroku usage doesn’t download a zip because it uses git directly, but I’ve seen plenty of CI tools download zips.
Including Heroku CI? We don't use an external CI tool (or really any other integrations except GH), but I do see these download logs.
For what it's worth, elsewhere in this comment section someone posted that GitHub Support says the zip downloads weren't related to this incident. Reading between the lines, the compromised repos were probably accessed using normal git clone actions.
That was me who posted that :) Seems unrelated, but still hoping to get that figured out anyway.
I thought as much. Maybe it is CircleCI then.
Please let us know if you get any info from them! :)