Comment by BobbyTables2
3 months ago
ELI5, how was the malicious PR approved and merged?
Are they using AI for automated code review too?
3 months ago
ELI5, how was the malicious PR approved and merged?
Are they using AI for automated code review too?
The workflows were set up to execute with a read/write `GITHUB_TOKEN` for `nx` when a PR was created/edited (no approval necessary).
See the security warnings on `pull_request_target`
https://docs.github.com/en/actions/reference/workflows-and-a...
https://securitylab.github.com/resources/github-actions-prev...
seems like the npm repo got hacked and the compromised version was just uploaded