17 comments

[ 1.9 ms ] story [ 37.9 ms ] thread
I didn’t know what Posthog was before this event but the website is so unusable on Safari on MacOS or iOS for me i’m surprised I stuck through to discover the product.
So it wasn't phishing attack? Wonder how those bot access tokens got stolen.
Posthog's website design feels like a joke that went a bit too far
This is a great writeup, kudos for the PostHog folks.

Curious: would you be able to make your original exploitable workflow available for analysis? You note that a static analysis tool flagged it as potentially exploitable, but that the finding was suppressed under the belief that it was a false positive. I'm curious if there are additional indicators the tool could have detected that would have reduced the likelihood of premature suppression here.

(I tried to search for it, but couldn't immediately find it. I might be looking in the wrong repository, though.)

Wow, I hate this website to be honest. So much of the space is taken up by all these "bars" on my already small screen.
Long story short: they messed up the assign-reviewers.yml workflow, allowing external contributors to merge PRs without proper reviews. From this point on, you're fully open to all kinds of bad stuff.
(comment deleted)
(comment deleted)
Imagine my surprise that the company that posts "Collaboration sucks" and endorses a YOLO approach to decision making then has a security breach based on misconceptions of a GitHub action that was caught by security tools and could have been proven out via collaboration or a metered approach to decision making.
So I saw the headline and for a moment I was very confused: aren’t sand worms fictional?

Pre-coffee, apparently.

Does anyone have experience putting their production branches in a separate repo from their development branches?

GitHub makes it very easy to make a pull request from one repo into another.

This would seem to have a lot of benefits: you can have different branch protection rules in the different repos, different secrets.

Would it be a pain in the ass?

For an open source project you could have an open contribution model, but then only allow core maintainers to have write access in the production repo to trigger a release. Or maybe even make it completely private.

(comment deleted)
The slight side scrolling on mobile, and overriding the link alt-click behavior… why
Dear everyone.

Never use pull_request_target.

This is not the first time it’s bitten people. It’s not safe, and honestly GitHub should have better controls around it or remove and rework it — it is a giant footgun.

> One of our engineers figured out this was because it triggered on: pull_request which means external contributions (which come from forks, rather than branches in the repo like internal contributions) would not have the workflow automatically run. The fix for this was changing the trigger to be on: pull_request_target, which runs the workflow as it's defined in the PR target repo/branch, and is therefore considered safe to auto-run.

I was expecting this to be some sort of bizarre Dune satire.
TIL: yarn/pnpm has a minimumReleaseAge setting.

"We also suggest you make use of the minimumReleaseAge setting present both in yarn and pnpm. By setting this to a high enough value (like 3 days), you can make sure you won't be hit by these vulnerabilities before researchers, package managers, and library maintainers have the chance to wipe the malicious packages."

So, did GitHub's "plan for a more secure npm supply chain" failed?