The packages were published using a compromised key directly, not through our ci/cd. We rolled the key, and published a new clean version from our repo through our CI/CD: https://github.com/PostHog/posthog-js/actions/runs/196303581...

▲

progbits 7 hours ago | parent [-]

Why do you keep using token auth? This is unacceptable negligence these days.

NPM supports GitHub workflow OIDC and you can make that required, disabling all token access.

▲

timgl 6 hours ago | parent | next [-]

Yep, we are moving to workflow OIDC as the next step in recovery.

▲

junon 5 hours ago | parent | prev | next [-]

OIDC is not a silver bullet either and has its own set of vectors to consider too. If it works for your org model then great, but it doesn't solve every common scenario.

	▲	woodruffw 4 hours ago \| parent [-]
		Trusted Publishing addresses the vector here, which is arbitrary persistence and delayed use of credentials by attackers. You're right that it's not a silver bullet (anything claiming to be one is almost certainly a financially induced lie), but it eliminates/foreshortens the attack staging window significantly.

▲

huflungdung 5 hours ago | parent | prev [-]

[dead]