Supply chain attack alert: .github/setup.js
Our org GitHub just got compromised massively by a supply-chain attack. Vectors are
* Claude hooks
* Gemini hooks
* Cursor setup
* VScode tasks
It adds all of the above to execute node .github/setup.js, an obfuscated file.
Check infected: `rg --hidden --no-ignore 'node .github/setup.js`
It spreads by adding mimic'd skip-ci commits to open PRs which then get merged.
Payload is obfuscated, available on request.
If this is already a known one in the world, apologies, it hit us at around 10PM BST last night, the damage would have been incredible.
Still trying to identify the original source.
9 comments
[ 2.3 ms ] story [ 26.9 ms ] threadPublic repo > infect by merge > github runner picks up and gets infected > and github action (from a repo) that then runs on runner getw effected
My full analysis and IOCs: https://dev.to/icflorescu/the-bot-that-never-was-2mfp (source repo on codeberg: https://codeberg.org/icflorescu/miasma-github-incident)
This has royally fucked a lot of people.