10 sats \ 1 reply \ @cryptocoin OP 3 Aug 2022 \ parent \ on: 🧵 Widespread malware attack on GitHub bitcoin
If you use npm, go get or other automatic dependency grabbing systems you better be pinning deps to particular hashes.
Do not blindly trust deps by name.
Do not allow deps to automatically upgrade to a newer version.
Hard part: Your deps might be blindly trusting their deps.
https://twitter.com/stephenlacy/status/1554697077430505473
https://twitter.com/wtogami/status/1554716537323302912 https://nitter.it/wtogami/status/1554716537323302912
write
preview
0 sats \ 0 replies \ @cryptocoin OP 4 Aug 2022
UPDATE
GitHub is investigating the Tweet published Wed, Aug. 3, 2022:
  • No repositories were compromised
  • Malicious code was posted to cloned repositories, not the repositories themselves
  • The clones were quarantined and there was no evident compromise of GitHub or maintainer accounts
https://twitter.com/GitHubSecurity/status/1554843443200806913 https://nitter.it/GitHubSecurity/status/1554843443200806913
reply