Over the weekend, I noticed something malicious on some of our GitHub repos that I didn't do; it was done as me... Very sneaky too: it edited a legit commit by me, and the only tell was the suspicious timestamp, which caused me to look at the diff.
That's crazy!!! Do you PGP-sign your commits?
No, we've been pretty low profile, and most of the repos are private... but with the open stuff like Pub and Wallet gaining traction and handling more and more funds I need to implement vigilance signatures.
Was pretty burnt already when this happened. It's been a long stretch trying to get a bunch of big (and critical) features out the door on top of bug fighting... so I'm taking a few days to live in meatspace a bit and will come back at it with fresh eyes.
The GitHub outage yesterday really sent me into a spin; for a moment I thought we were under attack again. Trying to avoid the temptation to self-host git and Actions runners altogether.
Yeah, I get that. I have many private repos where I have commit signing off. On the public ones it's mandatory, simply because ownership is a must - it's more a precaution / non-repudiation thing.
I self-host for private, but not public repos. Wouldn't recommend self-hosting public repos either, because it mostly just means more attack surface to worry about.
Maybe I'm making assumptions...
But isn't PGP-signing commits, especially for Bitcoin software... like, basically mandatory? Your PGP key is basically who you are on the internet.
We use SSH signing, which verifies in the same way; PGP wouldn't have changed anything. A botched branch rule on one repo was the gap that failed to prevent the push at all... and vigilance mode would have flagged it more visibly.
We don't distribute binaries that would need a signed hash
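One way to triage a branch for the kind of rewritten commit described in this thread, as an added example that is not code from any participant: it parses the output of `git log --format='%H%x09%at%x09%ct%x09%G?%x09%an'` (a constructed sample is embedded below) and flags commits whose committer date is far later than the author date, or whose signature status is not good. The format placeholders and the `%G?` status letters are standard git; the hashes and timestamps are made up.

```python
from dataclasses import dataclass

# Constructed sample of what the git log format above prints, one commit per line:
# hash <TAB> author epoch <TAB> committer epoch <TAB> %G? status <TAB> author name.
# The third commit was amended days after it was authored and carries no signature.
SAMPLE_LOG = """\
a1b2c3d4e5f60718293a4b5c6d7e8f9012345678\t1700000000\t1700000000\tG\tdev
b2c3d4e5f607182930a4b5c6d7e8f90123456789\t1700003600\t1700004200\tG\tdev
c3d4e5f60718293a4b5c6d7e8f901234567890ab\t1700010000\t1700530000\tN\tdev
"""

# %G? values git emits: G good, U good but key not trusted, N no signature,
# B bad signature, E cannot check (e.g. key unknown), X/Y/R expired or revoked.
GOOD_SIGNATURES = {"G", "U"}


@dataclass
class Commit:
    sha: str
    author_ts: int
    commit_ts: int
    sig_status: str
    author: str


def parse_log(text):
    """Turn the tab-separated git log lines into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author_ts, commit_ts, sig, author = line.split("\t", 4)
        commits.append(Commit(sha, int(author_ts), int(commit_ts), sig, author))
    return commits


def audit(commits, max_skew=3600):
    """Return {sha: [reasons]} for commits worth a second look.

    max_skew is the tolerated gap (seconds) between author and committer
    dates; amending or rewriting a commit updates only the committer date.
    """
    findings = {}
    for c in commits:
        reasons = []
        skew = c.commit_ts - c.author_ts
        if skew > max_skew:
            reasons.append(f"committer date {skew}s after author date (rewritten?)")
        if c.sig_status not in GOOD_SIGNATURES:
            reasons.append(f"signature status {c.sig_status!r}")
        if reasons:
            findings[c.sha] = reasons
    return findings


if __name__ == "__main__":
    for sha, reasons in audit(parse_log(SAMPLE_LOG)).items():
        print(sha[:12], "; ".join(reasons))
```

A large author/committer skew is also normal after a rebase or cherry-pick, so treat this as a triage signal to combine with branch protection and required signatures, not as proof of tampering.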
Follow-up: I nuked everything associated with it
As I mentioned in one of those threads, I stood it up in a VM to attempt having GitHub issues manipulated based on internal Telegram conversations...
Fortunately, I caught it within an hour and was able to revert and nuke all tokens/roll keys, and all but one CI needed extra steps the compromised token could not do. The CI that did run was allowed by a misconfigured branch rule (since fixed) and could have been bad had it not been caught quickly.
I only tinkered with it for a day, never connected to moltbook or anything social, and somehow the GitHub token got pwned.
I can only assume the whole thing or the GitHub skill is backdoored; there's no other explanation.
I found the experience rather sloptastic anyway; would have been better off just vibe-coding similar automation. The hype is totally unwarranted.