Popular GitHub Action tj-actions/changed-files is compromised with a payload that appears to attempt to dump secrets (semgrep.dev)
from chaospatterns@lemmy.world to programming@programming.dev on 17 Mar 2025 04:53
https://lemmy.world/post/26954101

#programming


chaospatterns@lemmy.world on 17 Mar 2025 04:54

Here’s a good reason why you should pin to specific sha hashes, not just release versions.
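A small checker for the practice recommended above, added here as an example and not code from the thread or from the tj-actions project: it scans a GitHub Actions workflow for `uses:` references and reports any that point at a tag or branch instead of a full 40-character commit SHA, since a tag or branch can be moved to different content while a commit hash cannot. The sample workflow embedded below is constructed for this example, including its SHA value, and the check treats local (`./`) and `docker://` references as out of scope.

```python
import re

# Constructed sample workflow (not from the thread): a mix of pinned and unpinned refs.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # v45
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: echo hello
"""

# Matches a `uses:` key (optionally as a list item) and captures its value up to
# whitespace, a quote or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# A full commit SHA is exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses_value):
    """Return 'local', 'docker', 'sha' or 'mutable' for one uses: value.

    'mutable' means the reference can be changed upstream without the
    workflow changing: a tag, a branch, or no ref at all (default branch).
    """
    if uses_value.startswith("./"):
        return "local"
    if uses_value.startswith("docker://"):
        return "docker"
    if "@" not in uses_value:
        return "mutable"
    ref = uses_value.rsplit("@", 1)[1]
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def find_unpinned(workflow_text):
    """Return (line_number, uses_value) pairs for refs that are not full commit SHAs."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        value = match.group(1)
        if classify_ref(value) == "mutable":
            findings.append((lineno, value))
    return findings


if __name__ == "__main__":
    for lineno, value in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned action reference {value}")
```

The pinned line keeps the version as a trailing `# v45` comment, which is the usual way to record which release a SHA corresponds to without making the SHA itself less strict; the regex stops at the `#` so the comment is ignored.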

bleistift2@sopuli.xyz on 17 Mar 2025 20:15

PrOtEcTiNg ThE sUpPlY cHaIn Is ImPoRtAnT tO uS. tHeReFoRe We NoW fOrCe 2Fa On YoU.

StripedMonkey@lemmy.zip on 03 Apr 12:01

2fa isn’t a panacea and won’t solve every problem. It does help though. Why do you think supply chain integrity isn’t something they care about?