Hacker News new | ask | show | jobs
by ebfe1 456 days ago
It seems i forgot to cater for the quota applied to free "play" user in ClickHouse in my previous query... In fact, the threat actor did a lot more... this should give a better list of actions that was performed - Clearly showed he was testing his payload:

https://play.clickhouse.com/play?user=play#c2VsZWN0ICogZnJvb...
1 comments
DavyJone 455 days ago
Nice find. Its a bit strange that the PRs listed there, are not present at all in the coinbase repo. Seems like the attack was directed there, but I also did not hear anything from Coinbase on this.

eg. Target their NPM and PYPI tokens, so they can push compromised packages.

link
ebfe1 454 days ago
I wonder if they forked it to "experiment" with the workflow coinbase has and doesn't actually make any pull request toward them, perhaps to validate their hypothesis/attack. with that said, coinbase pulled the workflow that used tj-actions/changed-files immediately around this time so hopefully no harm was done https://github.com/coinbase/agentkit/pull/570/files
link