@dangoodin How much longer would they have got away with it if they'd forked few enough repos, at a low enough rate, to go unnoticed? It makes me wonder if this is mostly about attacking or discrediting GitHub.

It's going to make it harder for regular devs to start their own project @dangoodin

The only things stopping the bad guys with malwares are the good guys with malwares.

@dangoodin
Putting the vast majority of git repos on one platform was a terrible idea

@dangoodin Gee, imagine how much this must be poisoning their attempt to mine Github for AI driven code.

@dangoodin Somehow, I can't seem to bring myself to care that a Microsoft property is being attacked. That company can burn in hell for all I care.

@dangoodin I mostly host my stuff on my own self-hosted closed GitLab but this news hurts

Such people are the reason we can’t have nice things

@dangoodin WHICH RESEARCHERS?!

@dangoodin welp.. first EV ( private owner in Cuba got one..

and South Korea ? is best buddies compared to NK w. Cuba.. and Cuba - Russia - cocaine toxic Venezuela and and

@dangoodin
GitHub: *makes AI tools*
GitHub: *has to defend against automated attacks likely co-written by AI*
GitHub: *surprised pikachu face*

@dangoodin Well, it's been around 10 or 15 years right?

Sounds about time for a #platfall and it's already plenty #enshitified

@dangoodin

Me watching Microsoft choke on their acquisition and A.I. technology like this scene from Fifth Element

https://youtu.be/krcNIWPkNzA?si=wE3u2nqpVBQunHU9

@dangoodin Why do I get a feeling a YouTuber Kevin Fang is going to make a video of this catastrophe?

@dangoodin lol, how long until copilot starts giving people malware?

@dangoodin may they train their LLMs on that shite

@dangoodin was copilot involved?

@dangoodin
centralization -> efficiency -> leverage -> exploitation -> decentralization -> robustness -> overhead ->

@dangoodin

CC'ing @Codeberg and @forgejo as well for awareness.

In the HN discussion about this issue #Codeberg is mentioned as probably too small for malicious actors to implement their scripts for, but it only needs one fellow having some extra time and expand their campaign.

https://news.ycombinator.com/item?id=39545676

@dangoodin forcing co-pilot to learn some new tricks on doing malware instead of some boilerplate code like linked list?

@dangoodin Well that’s not good 😳

#github

@dangoodin I manually reported one of these, named Adobe Sign. Took GitHub nearly a week to take it down. 1 week times thousands of repos = one heck of a big problem!

@dangoodin reminds me why keeping things small and separate was an unintentionally good idea

@dangoodin@infosec.exchange I sincerely hope this also be a wake up call for better moderation tools in selfhosted code forge solutions ​:anenw20:​

@dangoodin I wonder how they get around 2FA on such a large scale?

@dangoodin wow. Good thing it's all open source???! Lol.

@dangoodin I' sort of wonder if a reason for someone to put malware on github is to steal developers' GPG keys, which would allow one to compromise a lot more than a single library or application.

Folks need to take this more seriously. Make sure you’re checking the source of your dependencies. Check for signed commits. Inspect the source code. Open source is provided as it is. It’s your job as the “consumer” to validate and weigh the risks.