
297 points cyberbender | 1 comments
nyrikki ◴[] No.43528008[source]

No mention why this temp token had rights to do things like create new deployments and generate artifact attestations?

For their fix, they disabled debug logs... but didn't answer if they changed the temp token's permissions to something more appropriate for a code analysis engine.

replies(6): >>43528290 #>>43531049 #>>43533461 #>>43538343 #>>43538350 #>>43545199 #
1. arccy ◴[] No.43533461[source]

Just goes to show how lax Microsoft is about their security. Nobody should trust them.