Popular GitHub Action tj-actions/changed-files is compromised with a payload that appears to attempt to dump secrets (semgrep.dev)
from chaospatterns@lemmy.world to programming@programming.dev on 17 Mar 04:53
https://lemmy.world/post/26954101

#programming


chaospatterns@lemmy.world on 17 Mar 04:54

Here’s a good reason why you should pin to specific SHA hashes, not just release versions.
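Added example (not part of the thread or of any project's code): a small check that lists `uses:` references in a workflow file that are not pinned to a full 40-character commit SHA, since tags and branch names can be re-pointed to different code. The sample workflow is constructed and its 40-hex value is a placeholder, not a real commit; `classify` and `find_unpinned` are hypothetical names.

```python
import re

# Matches a step's or job's `uses:` value, e.g. "uses: owner/repo/path@ref".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - name: changed files
        uses: tj-actions/changed-files@main
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.20
      # - uses: commented/out@v1
"""

def classify(ref):
    """Return 'pinned', 'mutable' or 'skip' for one `uses:` value."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skip"  # local action or container image: not a git ref
    _, sep, version = ref.rpartition("@")
    if not sep:
        return "mutable"  # no ref given at all
    # Only a full-length commit SHA counts; tags, branches and short SHAs do not.
    return "pinned" if FULL_SHA_RE.fullmatch(version) else "mutable"

def find_unpinned(workflow_text):
    """Return (line_number, ref) for every `uses:` not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out steps
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "mutable":
            findings.append((lineno, m.group(1)))
    return findings

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```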

bleistift2@sopuli.xyz on 17 Mar 20:15

PrOtEcTiNg ThE sUpPlY cHaIn Is ImPoRtAnT tO uS. tHeReFoRe We NoW fOrCe 2Fa On YoU.