
407 points todsacerdoti | 2 comments
nicce No.45008930
GitHub Container registry does not even support fine-grained tokens, instead it uses classic ones [1], which makes this even more dangerous.

[1] https://docs.github.com/en/packages/working-with-a-github-pa...

Edit: most relevant issues?

https://github.com/orgs/community/discussions/38467

https://github.com/github/roadmap/issues/558

replies(2): >>45008951 >>45009250
1. thaeli No.45009250
Are there any additional mitigations folks are using for this? This issue is the only reason we can’t turn classic PATs off entirely.

Short lifetime mandatory reauth to enterprise SSO seems to be the best available, but it’s inconvenient for the single Classic PAT we actually need.

replies(1): >>45012489
2. lloeki No.45012489
Maybe:

- create a GitHub App or something that can generate transient tokens

- implement some CLI that generates a token

- login with that token

- push

See e.g.: https://medium.com/@tiwari09abhi/github-app-token-authorizat... https://martin.baillie.id/wrote/ephemeral-github-tokens-via-...

But I'm not even sure because GH auth system is all over the place and downright nuts in some places...

e.g. a fine-grained token with repo access can't curl a tarball with the usual URL, it has to use the /api, which makes tooling that constructs URLs from repo names and versions break with no recourse as soon as you disable classic PATs
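The ephemeral-token flow sketched in the last comment (App JWT, then a one-hour installation token scoped to a single repo and `packages: write`), as an added example that is not code from the thread or from GitHub. It assumes a GitHub App with the packages permission installed on the target repository; the App id, installation id, repo name and key path are placeholders, and RS256 signing uses the `cryptography` package.

```python
"""Mint a short-lived GitHub App installation token for a GHCR push.

Added example, not from the thread. APP_ID / INSTALLATION_ID / key path
are placeholders the caller supplies.
"""
import base64
import json
import time
import urllib.request

API = "https://api.github.com"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def app_jwt_claims(app_id: str, now: int) -> dict:
    """App JWT claims: iat backdated 60s for clock skew, exp under GitHub's 10-minute limit."""
    return {"iat": now - 60, "exp": now + 9 * 60, "iss": app_id}


def sign_app_jwt(private_key_pem: bytes, app_id: str, now: int = 0) -> str:
    """RS256-sign the App JWT with the App's private key (imports 'cryptography' lazily)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps(app_jwt_claims(app_id, now or int(time.time()))).encode())
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    sig = key.sign(f"{header}.{claims}".encode(), padding.PKCS1v15(), hashes.SHA256())
    return f"{header}.{claims}.{b64url(sig)}"


def token_request(app_jwt: str, installation_id: str, repo_name: str) -> urllib.request.Request:
    """Build the access-token request, narrowed to one repo and packages:write only.

    repo_name is the bare repository name (the installation already fixes the owner).
    """
    body = json.dumps({"repositories": [repo_name], "permissions": {"packages": "write"}}).encode()
    return urllib.request.Request(
        f"{API}/app/installations/{installation_id}/access_tokens",
        data=body, method="POST",
        headers={"Authorization": f"Bearer {app_jwt}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"},
    )


def mint_token(app_jwt: str, installation_id: str, repo_name: str) -> str:
    """Exchange the App JWT for an installation token (expires after one hour)."""
    with urllib.request.urlopen(token_request(app_jwt, installation_id, repo_name)) as resp:
        return json.load(resp)["token"]
```

The returned token is what a CI job would pipe into `docker login ghcr.io -u USERNAME --password-stdin` before pushing; because it expires in an hour and carries only `packages: write` on one repo, a leak does far less than a leaked classic PAT.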