Developer loses client after GitHub token stolen in supply-chain attack
A developer's GitHub personal access token was stolen, most likely through a supply-chain compromise involving a dependency, editor extension, or Docker image in their local environment. The attacker used the token to push malicious commits to several private repositories, including one belonging to a client. The client terminated the engagement after discovering commits signed under the developer's identity had been compromised. The developer acknowledged the client's decision was reasonable, noting that a stolen token allows attackers to silently push commits, tag releases, and approve deployments while impersonating the victim. Despite working at a cloud-security company and being familiar with similar incidents like the xz-utils backdoor and eslint-scope takeover, the developer admitted their own precautions proved insufficient.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in