You're right, it's creating commits but it's not just creating GHAs. It's also d... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

masfuerte 8 months ago | parent | context | favorite | on: Hackers are spoofing themselves as GitHub's Depend...

You're right, it's creating commits but it's not just creating GHAs. It's also directly altering the targetted project's javascript to steal credentials from end users using the project. (Edited with correction as below.)

deathanatos 8 months ago [–]

> it's not creating GHAs (sic)

… the OP includes a screenshot of a malicious GHA workflow that exfils secrets. (In addition to altering the targetted project's JS.)

masfuerte 8 months ago | [–]

Thanks for the correction. I only read the text.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact