|
|
|
|
|
|
by detente18
80 days ago
|
|
|
Update: - Impacted versions (v1.82.7, v1.82.8) have been deleted from PyPI
- All maintainer accounts have been changed
- All keys for github, docker, circle ci, pip have been deleted We are still scanning our project to see if there's any more gaps. If you're a security expert and want to help, email me - krrish@berri.ai |
|
|
- We will be holding a townhall on Friday to review the incident and share next steps (https://lnkd.in/gsbTdCe7)
- We can confirm a bad version of Trivy security scanner ran in our CI/CD pipeline, which would have led to the supply chain attack
- We have paused new releases until we've completed securing our codebase and release pipeline to ensure safe releases for users
- We've added additional github/gitlab ci scripts for checking if you're impacted: https://lnkd.in/gGicMkby
We hope to share a full RCA in the coming days. Until then, if there's anything we can do to help your team - please let me know. You can email me (krrish@berri.ai), or join the discussion on github (https://lnkd.in/g9TuuQ2H).