brabel | 7 hours ago
If anything, people should use an older version of the packages. Your newest versions had just been compromised, why should anyone believe this time and next time it will be different?!
timgl | 7 hours ago
The packages were published using a compromised key directly, not through our CI/CD. We rolled the key, and published a new clean version from our repo through our CI/CD: https://github.com/PostHog/posthog-js/actions/runs/196303581...
progbits | 6 hours ago
Why do you keep using token auth? This is unacceptable negligence these days. NPM supports GitHub workflow OIDC and you can make that required, disabling all token access.
timgl | 6 hours ago
Yep, we are moving to workflow OIDC as the next step in recovery.
junon | 5 hours ago
OIDC is not a silver bullet either and has its own set of vectors to consider too. If it works for your org model then great, but it doesn't solve every common scenario.
woodruffw | 4 hours ago
Trusted Publishing addresses the vector here, which is arbitrary persistence and delayed use of credentials by attackers. You're right that it's not a silver bullet (anything claiming to be one is almost certainly a financially induced lie), but it eliminates/foreshortens the attack staging window significantly.