←back to thread

Malicious versions of Nx and some supporting plugins were published

(github.com)
441 points longcat | 1 comments | 27 Aug 25 01:38 UTC | HN request time: 0s | source
Show context
BobbyTables2 ◴[27 Aug 25 13:57 UTC] No.45039788[source]
ELI5, how was the malicious PR approved and merged?

Are they using AI for automated code review too?

replies(2): >>45039871 #>>45046546 #
1. david_allison ◴[27 Aug 25 23:28 UTC] No.45046546[source]
The workflows were set up to execute with a read/write `GITHUB_TOKEN` for `nx` when a PR was created/edited (no approval necessary).

See the security warnings on `pull_request_target`

https://docs.github.com/en/actions/reference/workflows-and-a...

https://securitylab.github.com/resources/github-actions-prev...