by antihero
6 days ago
Nope, the public repos are what the on-machine payload creates. Sorry, I worded that wrong, I meant it exfiltrates to. The main attack is using compromised repo keys to:

* Create malicious actions to JSON dump and exfiltrate all GitHub org secrets.
* Commit the payload delivering hooks/scripts to any repo/PR it has access to.
* Mimic previous commits/timestamps; however, you can see the key that did it by seeing the push in activity/audit logs.