←back to thread

Public secrets exposure leads to supply chain attack on GitHub CodeQL

(www.praetorian.com)
297 points cyberbender | 1 comments | 30 Mar 25 19:54 UTC | HN request time: 0.374s | source
Show context
nyrikki ◴[30 Mar 25 21:51 UTC] No.43528008[source]
No mention why this temp token had rights to do things like create a new deployments and generate artifact attestations?

For their fix, they disabled debug logs...but didn't answer if they changed the temp tokens permissions to something more appropriate for a code analysis engine.

replies(6): >>43528290 #>>43531049 #>>43533461 #>>43538343 #>>43538350 #>>43545199 #
1. Elucalidavah ◴[31 Mar 25 04:31 UTC] No.43531049[source]
> For their fix, they disabled debug logs

For their quick fix, hopefully not for their final fix.