(www.praetorian.com)

297 points cyberbender | 1 comments | 30 Mar 25 19:54 UTC | HN request time: 2.782s | source

Show context

nyrikki ◴[30 Mar 25 21:51 UTC] No.43528008[source]▶

No mention why this temp token had rights to do things like create a new deployments and generate artifact attestations?

For their fix, they disabled debug logs...but didn't answer if they changed the temp tokens permissions to something more appropriate for a code analysis engine.

replies(6): >>43528290 #>>43531049 #>>43533461 #>>43538343 #>>43538350 #>>43545199 #

1. stogot ◴[01 Apr 25 10:45 UTC] No.43545199[source]▶

>>43528008 #

The 2023 Microsoft hack (that CISA completely called them out for poor security) also was similar to this. Their blog post that tried to explain what happened left so many unanswered questions

↑

Public secrets exposure leads to supply chain attack on GitHub CodeQL