upvote

points

by hiciu1 days ago |
comments
upvoteby snailmailman1 days ago|
next
[-]
The same thing occurred on the trivy repo a few days ago. A GitHub discussion about the hack was closed and 700+ spam comments were posted.

I scrolled through and clicked a few profiles. While many might be spam accounts or low-activity accounts, some appeared to be actual GitHub users with a history of contributions.

I’m curious how so many accounts got compromised. Are those past hacks, or is this credential steeling hack very widespread?

Are the trivy and litellm hacks just 2 high profile repos out of a much more widespread “infect as many devs as possible, someone might control a valuable GitHub repository” hack? I’m concerned that this is only the start of many supply chain issues.

Edit: Looking through and several of the accounts have a recent commit "Update workflow configuration" where they are placing a credential stealer into a CI workflow. The commits are all back in february.

reply
upvoteby snailmailman5 hours ago|
parent|
next
[-]
Update: It looks like the accounts have all been deleted by github, including their repos. They are 404 pages now. Their repos + recent malicious commits are all just 404 pages now.

I'm curious what the policy is there if the accounts were compromised. Can the original users "restore" their accounts somehow? For now it appears the accounts are gone. Maybe they were entirely bot accounts but a few looked like compromised "real" accounts to me.

reply
upvoteby Fibonar33 minutes ago|
parent|
[-]
Yep my coworker hnykda, first reply confirming the report, got his account deleted for a while earlier. Definitely not the best way of handling this...
reply
upvoteby consp22 hours ago|
parent|
prev|
[-]
Once is happenstance. Twice is coincidence. Three times is enemy action.
reply
upvoteby fdsjgfklsfd1 days ago|
prev|
next
[-]
Reporting spam on GitHub requires you to click a link, specify the type of ticket, write a description of the problem, solve multiple CAPTCHAs of spinning animals, and press Submit. It's absurd.
reply
upvoteby orf1 days ago|
prev|
next
[-]
i'm guessing it's accounts they have compromised with the stealer.
reply
upvoteby ebonnafoux1 days ago|
parent|
[-]
They repeat only six sentences during 100+ comments:

Worked like a charm, much appreciated.

This was the answer I was looking for.

Thanks, that helped!

Thanks for the tip!

Great explanation, thanks for sharing.

This was the answer I was looking for.

reply
upvoteby dec0dedab0de1 days ago|
parent|
[-]
Over the last ~15 years I have been shocked by the amount of spam on social networks that could have been caught with a Bayesian filter. Or in this case, a fairly simple regex.
reply
upvoteby PunchyHamster13 hours ago|
parent|
next
[-]
It's the bear trash lock problem all over again.

It could be solved by the filter but filter would also have a bunch of false positives

reply
upvoteby howlin3 hours ago|
parent|
[-]
It seems like if the content is this hollow and useless, it shouldn't matter if it was a human or spambot posting it.
reply
upvoteby Imustaskforhelp1 days ago|
parent|
prev|
[-]
Well, large companies/corporations don't care about Spam because they actually benefit from spam in a way as it boosts their engagement ratio

It just doesn't have to be spammed enough that advertisers leave the platform and I think that they sort of succeed in doing so.

Think about it, if Facebook shows you AI slop ragebait or any rage-inducing comment from multiple bots designed to farm attention/for malicious purposes in general, and you fall for it and show engagement to it on which it can show you ads, do you think it has incentive to take a stance against such form of spam

reply
upvoteby dewey23 hours ago|
parent|
next
[-]
> Well, large companies/corporations don't care about Spam because they actually benefit from spam in a way as it boosts their engagement ratio

I'm not sure that's actually true. It's just that at scale this is still a hard problem that you don't "just" fix by running a simple filter as there will be real people / paying customers getting caught up in the filter and then complain.

Having "high engagement" doesn't really help you if you are optimizing for advertising revenue, bots don't buy things so if your system is clogged up by fake traffic and engagement and ads don't reach the right target group that's just a waste.

reply
upvoteby dec0dedab0de1 days ago|
parent|
prev|
[-]
Yeah, I almost included that part in my comment, but it still sucks.
reply
upvoteby ratdoctor1 days ago|
prev|
[-]
Or they're just bots. This repository has 40k+ stars somehow.
reply