Having worked at that company - the cross-team communication is astonishingly bad (even within the same org.) And all levels of leadership are so hyper-focused on metrics that they never see past them.
Worth pointing out here for those who don't read into the article that these were apparently all internal repos, not user repos. This was a targeted attack against Github from a cybercrime gang. They are selling the Github source code on the dark web and say they will leak it publicly if no buyer comes forward.
What's implied is that even though your repos are safe now, a sufficiently motivated group could use the source code to find exploits that do put your repos in danger. I don't think we've heard the last of this.
My guess is somebody's going to try to roll their own Mythos to find some super-sneaky way into accessing private repos, which have always been assumed untouchable. This won't be announced anywhere and orgs will have no way of knowing if it's happened to them. If Github is paying attention to their server logs, with any luck they'll spot the suspicious behavior before too much damage is done. If the attackers move quietly they might never get spotted reading private repo data, and any subsequent attacks against those victim orgs won't be attributable to this event.
There's also the possibility of using exploits to poison public repos, if attackers get write access. I'm talking, maybe, about ways to bypass the Github UI and manipulate git repos or other internal assets directly. Thankfully git makes it pretty impossible to alter commit history in quiet ways, but other attacks could be feasible. Like if they found a way to silently replace a published release artifact with a different file. Or they could add malicious CI/CD steps into existing pipelines that would be less likely to be quickly spotted. Or maybe alter published Github Pages content directly wherever that's served from? There are lots of possible attacks that bypass source control, but without knowing Github's architecture I can only speculate about what's possible.
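The comment above notes that git's content addressing makes quiet history rewrites hard, but a published release artifact sits outside that protection, so a silent swap is the scenario a consumer can actually defend against. The following is an added example (not code from the post or from GitHub): it verifies downloaded release files against a SHA256SUMS-style manifest pinned at release time and stored outside the release page. File names and bytes are constructed for the demonstration; `verify_release`, `parse_manifest` and `VerifyResult` are hypothetical helper names.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample release files (name -> bytes); these are not real artifacts.
RELEASE_FILES = {
    "tool-1.2.0-linux-amd64.tar.gz": b"original linux build bytes",
    "tool-1.2.0-darwin-arm64.tar.gz": b"original darwin build bytes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Manifest in `sha256sum` output format, recorded when the release was cut and
# kept somewhere the release page cannot be edited from (e.g. committed to the
# consuming repository). Built here from the constructed files.
PINNED_MANIFEST = "".join(
    f"{sha256_hex(data)}  {name}\n" for name, data in RELEASE_FILES.items()
)


def parse_manifest(text: str) -> dict[str, str]:
    """Parse 'digest  filename' lines; blank lines and '#' comments are ignored."""
    pins: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        digest, name = parts
        pins[name.lstrip("*")] = digest.lower()  # '*' is sha256sum's binary marker
    return pins


@dataclass
class VerifyResult:
    ok: list[str] = field(default_factory=list)          # digest matches the pin
    mismatched: list[str] = field(default_factory=list)  # pinned, but bytes differ
    missing: list[str] = field(default_factory=list)     # pinned, but not downloaded
    unpinned: list[str] = field(default_factory=list)    # downloaded, but never pinned


def verify_release(downloaded: dict[str, bytes], manifest_text: str) -> VerifyResult:
    """Compare every downloaded file against the pinned manifest.

    A replaced artifact shows up as `mismatched`; an artifact added to the
    release after pinning shows up as `unpinned`. Both deserve investigation
    before anything is installed.
    """
    pins = parse_manifest(manifest_text)
    result = VerifyResult()
    for name, expected in pins.items():
        if name not in downloaded:
            result.missing.append(name)
            continue
        actual = sha256_hex(downloaded[name])
        if hmac.compare_digest(actual, expected):
            result.ok.append(name)
        else:
            result.mismatched.append(name)
    result.unpinned = sorted(set(downloaded) - set(pins))
    return result


def demo_tampered_release() -> VerifyResult:
    """Simulate a release where one artifact was swapped and one was added."""
    tampered = dict(RELEASE_FILES)
    tampered["tool-1.2.0-linux-amd64.tar.gz"] = b"replaced build bytes"
    tampered["tool-1.2.0-windows-amd64.zip"] = b"file that was never pinned"
    return verify_release(tampered, PINNED_MANIFEST)


if __name__ == "__main__":
    r = demo_tampered_release()
    print("ok:        ", r.ok)
    print("mismatched:", r.mismatched)
    print("missing:   ", r.missing)
    print("unpinned:  ", r.unpinned)
```

The point of the design is where the manifest lives: if the pins are fetched from the same release page as the artifacts, an attacker who can rewrite the artifact can rewrite the pins too, and the check proves nothing. Pinning in the consumer's own repository (or verifying a signature over the manifest with a key held outside the hosting platform) is what gives the comparison its value.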
The joke someone said on HN describes it really well:
What a funny way to find out MS owns NPM. It's via owning GitHub, in case anyone else didn't know.
This old joke seems apropos.
Yep, it was linked in HN replies as well. Fits perfectly.