adnanthekhan
No user record in our sample, but adnanthekhan has activity below (stories or comments). Likely we have partial data — the full bulk-load will fill profiles in.
No user record in our sample, but adnanthekhan has activity below (stories or comments). Likely we have partial data — the full bulk-load will fill profiles in.
This is more subtle, but there is an “author_association”field within Actions event contexts that can be one of: NONE, CONTRIBUTOR, COLLABORATOR, MEMBER, OWNER There are some cases where people use checks for that as…
Yeah, the security posture of that repository is kind of a mess (which is why something like https://adnanthekhan.com/2023/12/20/one-supply-chain-attack-... was even possible in the first place). The balance there is…
Correct. For fork PR workflows on the pull_request trigger the GITHUB_TOKEN has read only permissions, so you can’t do anything with it. The key thing with a non-ephemeral runner is that (after obtaining persistence)…
Oh, you'll like this one then. Until 3 months ago GitHub's Runner images was pulling a package directly from Aliyun's CDN. This was executed during image testing (version check). So anyone with the ability to modify…
Yup! This is what makes this kind of attack scary and very unique to GitHub Actions. The baseline GITHUB_TOKEN just blows the door open on lateral movement via workflow_dispatch and and repository_dispatch events. In…