Shai Hulud may have been a bad surprise, but what is not a surprise is that it started with a #github vulnerability (in the Actions product)

Their approach to #infosec in general (especially for their JS and container registry products) is horrendous.

Need to access a public JS package published on GitHub? You need to issue a personal access token.

Need to pull Docker images from there? Fine-grained (per-repo) tokens are not supported - you need to use a classic token with too many permissions.