vldszn 38 minutes ago [-]
GitHub: "We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity."
You also need to make sure you take care using PR titles and descriptions in your GHA because if they contain `text` it will be executed lmfao.
CGamesPlay 32 minutes ago [-]
Can you cite this? It's not YAML execution syntax, surely GitHub doesn't do it, the only vector I can see is if you put it unquoted into a shell script inside of a GHA yaml.
Are they required to announce that they're being hacked in real time?
tonetegeatinst 21 minutes ago [-]
Microsoft owned so many a CYA to explain why the liability insurance goes up to investors?
syngrog66 47 minutes ago [-]
between all the Linux LPEs and Claude's known security flaws, alone, I'd be shocked if GitHub and Microsoft hadn't gotten hacked by now. reasonable bet we mainly hear it when big shops get bit
uzyn 28 minutes ago [-]
[dead]
mstank 1 hours ago [-]
Is it just me or is this happening way more frequently in the last 4 or 5 months? Coincidentally around the same time the models got a lot more capable?
tom_ 30 minutes ago [-]
It's more likely that it isn't coincidental at all: software development-oriented LLMs became a lot better towards the end of 2025, and so there's a non-zero chance that people are using them to find new security exploits.
(People are not sleeping on this and it is not something people have failed to notice. I don't use LLMs at all and even I have noticed it - largely because there is approximately nobody that isn't talking about it.)
bob1029 1 hours ago [-]
I think it's more about the popularity than the capability. The chances you might accidentally put a GitHub access token into an undesired security context go up dramatically when you actually create and use one on a regular basis. The developers at GH are certainly using these tools just like the rest of us.
darig 14 minutes ago [-]
[dead]
kiernanmcgowan 56 minutes ago [-]
Mythos has broken containment
jonnyasmar 1 hours ago [-]
Source code exfil is embarrassing. CI signing keys or release publish creds going out the door is supply-chain. That's a long tail nobody gets to close by filing a ticket.
- Use static analysis for GHA to catch security issues: https://github.com/zizmorcore/zizmor
- Set locally: `pnpm config set minimum-release-age 4320 # 3 days in minutes` (https://pnpm.io/supply-chain-security). For other package managers check: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e...
- Add Socket Free Firewall when installing npm packages on CI: https://docs.socket.dev/docs/socket-firewall-free#github-act...
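Added example, not part of any comment in this thread and not zizmor's code: GitHub Actions substitutes `${{ }}` expressions into a `run:` script as text before the shell starts, so a PR title or description placed there becomes shell source, while the same value passed through `env:` stays data. This standard-library sketch flags the first pattern; `find_run_injections`, the path list and the sample workflow are constructed for illustration.

```python
import re

# Contexts an outside contributor controls; the thread names PR titles and descriptions.
PATHS = [
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.head_ref",
]
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*\b(?:" + "|".join(map(re.escape, PATHS)) + r")\b[^}]*\}\}"
)
RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")


def find_run_injections(workflow_text):
    """Return (line_number, expression) for untrusted ${{ }} inside run: scripts."""
    findings = []
    block_indent = None  # indent of the current run: key, None when outside a script
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        indent = len(line) - len(line.lstrip())
        match = RUN_KEY.match(line)
        if match:
            block_indent, script = indent, match.group(1)
        elif block_indent is not None and (not line.strip() or indent > block_indent):
            script = line  # continuation of the script body
        else:
            block_indent = None  # left the script; env:, with:, name: are not shell
            continue
        findings.extend((number, m.group(0)) for m in UNTRUSTED.finditer(script))
    return findings


# Constructed sample: the first step interpolates into the script, the second uses env.
SAMPLE = '''\
on: pull_request
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: unsafe, title is pasted into the script before bash runs
        run: |
          echo "PR: ${{ github.event.pull_request.title }}"
      - name: safer, title arrives as data in an environment variable
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR: $PR_TITLE"
'''
```

Quoting the expression inside the script does not help, because the substitution happens before the shell parses the line; the finding is cleared by moving the value into `env:` and referencing the variable.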