Tinycolor supply chain attack post-mortem


Lessons learned from becoming the unexpected face of an npm supply-chain attack.

A malicious GitHub Actions workflow was pushed to a shared repo and exfiltrated an npm token with broad publish rights. If I could wave a magic wand and design my ideal setup, npm would allow me to require Trusted Publishing (OIDC) with a single toggle for all of my packages. GitHub Environments — or equivalent workflow protections — should be available without a Pro subscription, or else integrated directly into Trusted Publishing so that security doesn’t depend on the pricing tier.
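The setup the post wishes for can be approximated today. The workflow below is an added example (not code from the post or from the tinycolor project): it publishes through npm Trusted Publishing (OIDC) so no long-lived npm token exists in the repository's secrets for a rogue workflow to exfiltrate, and it gates the publish job behind a GitHub Environment whose required reviewers must approve the run. The package and environment names are placeholders, and it assumes a trusted publisher for this repo and workflow file has been configured on npmjs.com.

```yaml
# Added example, not from the post. Release workflow using npm Trusted Publishing
# (OIDC) plus an Environment gate. Placeholders: environment "npm-release".
name: publish

on:
  push:
    tags: ['v*']

# Default token is read-only; a workflow edited by an attacker gains no more.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    # Assumed to exist in repo settings with required reviewers and a deployment
    # branch/tag rule. A pushed workflow change cannot reach this job unreviewed.
    environment: npm-release
    permissions:
      contents: read
      id-token: write   # lets this run obtain a short-lived OIDC credential
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # keep GITHUB_TOKEN out of .git/config
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # npm 11.5.1 or newer is required for trusted publishing.
      - run: npm install -g npm@latest
      - run: npm ci
      # No NODE_AUTH_TOKEN / NPM_TOKEN anywhere: npm exchanges the OIDC token
      # for a one-off publish credential and records provenance.
      - run: npm publish --provenance --access public
```

Once the package's trusted publisher is set and a classic automation token is no longer needed, revoking that token (and enabling the package's "require 2FA or trusted publisher" setting) removes the credential class that was stolen in this incident.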
