Comment by antihero
3 days ago
Nope, the public repos are what the on-machine payload creates. Sorry, I worded that wrong; I meant it exfiltrates to them.
The main attack is using compromised repo keys to:
* Create malicious actions to JSON dump and exfiltrate all GitHub org secrets.
* Commit the payload delivering hooks/scripts to any repo/PR it has access to.
* Mimic previous commits/timestamps; however, you can see the key that did it by looking at the push in the activity/audit logs.