Hacker News new | ask | show | jobs
by zahlman 455 days ago
> In this specific case, the bad actor changes all of the version tags to point to their malicious commit: https://github.com/tj-actions/changed-files/tags

This required compromising the entire repository, yes? It can't be explained as the maintainer being tricked into merging something malicious?
2 comments
werrett 455 days ago
Yes. It was probably a maintainer's creds being compromised.

The [malicious commit is masquerading as a commit from Renovate](https://github.com/tj-actions/changed-files/commit/0e58ed867...)((https://github.com/apps/renovate) but it's not a `verified` commit (and so it's trivial for a bad actor to masquerade as them).

https://stackoverflow.com/questions/67609381/why-do-all-my-g...

link
ImPostingOnHN 455 days ago
The repo looks like it uses itself in its workflows, so it's possible that the commit being merged resulted in the necessary credentials being leaked to the attacker.
link
rognjen 455 days ago
There doesn't seem to be a PR for the commit though.
link