> It's not really a supply chain when it's still yours.
replyI don't personally buy that, they offer a package manager in the form of nuget for example, if their products there are compromised, they're well withing normal reach to block THEIR packages, but why would they need to block the rest ?
Maybe I'm missing something dumb
* GitHub [which they own] failed to detect the account was compromised
reply* GitHub [which they own] allowed the contribution to ignore CI
* GitHub [which they own] failed to detect suspicious content on check-in
* GitHub [which they own] isn't sufficiently integrated into Microsoft security that the compromised token wasn't rolled.
[dead]
reply