
Comment by zuzululu

13 hours ago

I had this happen to me recently

GitHub token got stolen, and also Cloudflare tokens.

Guys, even if you take security seriously, you are going to get hit on a long enough time frame.

Best thing to do is segregate and control damage.

Trust no one, nothing; use OrbStack, and always operate under the assumption that your token is going to get leaked at some point.

It knocked off my entire momentum. Fortunately, it seemed like it was just a spam bot that took my tokens, created a bunch of fake spam pages and tried to mine crypto.

The biggest feeling is the one of feeling violated.

Take care, fellow travelers.

> best thing to do is segregate and control damage

I first encountered that concept with a client that put every webapp in its own virtual server and expected the VM to get compromised at some point. Seemed like a very sensible idea 15 years ago.

  • My point was to limit access to tokens: segregate with different accounts for different apps, different computers or ISPs if need be.

    Wall it off and don't trust VMs either. If you have something of value, they can escape it.

  > created bunch of fake spam pages and trying to mine crypto

Pages like GitHub Pages? Were repos being created in your account? Curious how you discovered that your tokens were pwned.

  • Repos created, Cloudflare deployed the websites, edited DNS.

    Saw a weird spam site; so damn tired, went to bed thinking it was some misclick on my side.

    Woke up next morning and loaded up my domain; it redirected and panic set in.

    My SEO is probably nuked even though it has been under 24 hours.

Secret ad for OrbStack.

  • First time I mentioned it on here, and no, it won't be enough, but better than running npms from the wild naked.

    Just pointing out what I use currently; if you know something better or a competitor, please feel free to advertise them.

    • Maybe... Docker? OrbStack is basically a wrapper over Docker, and he advertises the program as something uniquely fast, which is just Docker behind the scenes.