今日已更新 281 条资讯 | 累计 21147 条内容
关于我们

@redhat-cloud-services publish pipeline is compromised today and shipped a signed, trusted, malicious npm package

/u/BattleRemote3157 2026年06月01日 22:00 3 次阅读 来源:Reddit r/programming

patch-client@4.0.4 went out through the project's own github action OIDC trusted publisher today and not any stolen token or a typosquat anything, we saw that the actual release pipeline produced it. this runs on npm install, steals cloud creds and self propagates by injecting fake CodeQL workflows into repository the stolen tokens can reach. 32 packages is currently sharing the same publisher so the window of exposure isn not only just a single package. if you have anything from related to / redhat-cloud-services in your tree, 4.0.3 is the last clean version. submitted by /u/BattleRemote3157 [link] [留言]

本文内容来源于互联网,版权归原作者所有
查看原文