| ▲ | BobbyTables2 6 days ago | |
ELI5, how was the malicious PR approved and merged? Are they using AI for automated code review too? | ||
| ▲ | david_allison 5 days ago | parent | next [-] | |
The workflows were set up to execute with a read/write `GITHUB_TOKEN` for `nx` when a PR was created/edited (no approval necessary). See the security warnings on `pull_request_target` https://docs.github.com/en/actions/reference/workflows-and-a... https://securitylab.github.com/resources/github-actions-prev... | ||
| ▲ | danr4 5 days ago | parent | prev [-] | |
seems like the npm repo got hacked and the compromised version was just uploaded | ||