Supply chain attack alert: .github/setup.js

27 points by antihero ↗ HN
Our org GitHub just got compromised massively by a supply-chain attack. Vectors are

* Claude hooks

* Gemini hooks

* Cursor setup

* VScode tasks

It adds all of the above to execute node .github/setup.js, an obfuscated file.

Check infected: `rg --hidden --no-ignore 'node .github/setup.js`

It spreads by adding mimic'd skip-ci commits to open PRs which then get merged.

Payload is obfuscated, available on request.

If this is already a known one in the world, apologies, it hit us at around 10PM BST last night, the damage would have been incredible.

Still trying to identify the original source.

9 comments

[ 2.3 ms ] story [ 26.9 ms ] thread
Did you dig anything on where it came from for you? Some NPM package?
Attack is called "Hades - The End for the Damned", it exfiltrates secrets including ALL ORG GITHUB ACTIONS SECRETS via creating compromised actions, through GitHub public repos with encrypted payloads.
For me i feel the attack vector is

Public repo > infect by merge > github runner picks up and gets infected > and github action (from a repo) that then runs on runner getw effected