Comment by deathanatos

3 days ago

My initial thought is that if this isn't a new compromise, Trivy must not have rotated the old credentials. They claim, however,

> We rotated secrets and tokens, but the process wasn't atomic and attackers may have been privy to refreshed tokens

… does anyone know what exactly they're talking about, here? To my knowledge, GH does not divulge new tokens after they're issued, but it depends on the exact auth type we're talking about, and GH has an absurd number of different types of tokens/keys one can use.

The OpenClaw creator made some related claims: that as soon as he created a GitHub organization with a new name, it was somehow stolen from him, and he had to ask GitHub people to do it for him atomically.

  • It is a bit different. What happened to openclaw:

    He created a new org “openclaw” to reserve the name. Then he wanted to swap it with the “moltbot” org.

    So he opened two browser windows, one with the “moltbot” repo settings and another with the “openclaw” repo settings.

    Then he renamed “openclaw” to whatever, and quickly tried to rename “moltbot” to the now-available “openclaw”.

    But in the second when “openclaw” was available, a bot snatched the repo.