Hacker News
by
romanows
558 days ago
So the Python package `ultralytics` had their GitHub CI/CD pipeline compromised which allowed an attack to be inserted and then published on PyPI?
thangngoc89
558 days ago
Attacker sent a PR to the ultralytics repository that triggered GitHub CI. This resulted in 1) the attacker triggering a new version publication on the CI itself and 2) the attacker being able to obtain the secret token for publishing to PyPI.