
As the repo was taken down, is someone able to tell me when the malicious commit was pushed? Trying to get a timeline to see if any workflows using this action were triggered in that timeframe. Thank you



Your secrets will be published to the CI log if you were affected.

I believe it's everything since around 10pm ET last night. I would consider any runs in the past 24 hours to be suspect.


Thank you, unfortunately we have multiple repositories with multiple runs that use this action, so checking the logs one by one will be hard. Any idea how to get all logs? Thank you


I think your best bet is to traverse all the pipeline logs that make use of the action using GitHub's REST API.

It should be easy to do with the GitHub CLI tool and some bash scripting.

Not sure how easy it'll be to parse the logs to look for a base64 string but it shouldn't be that complicated either.


Also, the secrets will be published as double base64 encoded, so it will just look like a string of random chars at the end of the changed-files action in the log.
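
An added example, not part of any comment in this thread: one way to triage already-downloaded workflow logs for the double base64 strings described above, by flagging any token that decodes twice to printable text. The function names, the 24-character threshold and the sample log are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to be an encoded blob, not a word.
# The 24-character minimum is an assumed threshold; tune it to your logs.
CANDIDATE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def _b64_text(token):
    """Strictly decode token as base64; return ASCII text or None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    ok = text and all(c.isprintable() or c in "\r\n\t" for c in text)
    return text if ok else None

def find_double_base64(log_text):
    """Return (line_number, decoded_text) for tokens that decode twice."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for token in CANDIDATE.findall(line):
            inner = _b64_text(token)
            if inner is None:
                continue  # not base64, or the first layer is binary
            decoded = _b64_text(inner.strip())
            if decoded is not None:
                hits.append((lineno, decoded))
    return hits

def sample_log():
    """Constructed log excerpt; the 'secret' is a placeholder value."""
    once = base64.b64encode(b'"EXAMPLE_TOKEN":{"value":"not-a-real-secret"}')
    twice = base64.b64encode(once).decode()
    single = base64.b64encode(
        b"hello world, this is a normal build message").decode()
    return "\n".join([
        "Run checkout at 0123456789abcdef0123456789abcdef01234567",
        "artifact digest " + single,   # single-encoded: must not be flagged
        twice,                         # double-encoded: must be flagged
        "Post job cleanup.",
    ])

if __name__ == "__main__":
    for lineno, decoded in find_double_base64(sample_log()):
        print(f"line {lineno}: rotate anything named in: {decoded}")
```

A hit gives the log line and the decoded text, which names the secrets to rotate; a clean scan does not clear a run if its logs were truncated or deleted.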


If you are using the action and were as of 10p ET last night I would assume everything is compromised, remove the action, and rotate secrets.


Somewhere after 18:00 CET Friday.



