Paul H
bijouxbeejuice.bsky.social
Ex-GitHub/Microsoft. All views my own. Recruiters may not DM me
“20–40% of symptomatic people can manifest influenza-like illness (fever and cough or sore throat), whereas up to half of people with symptomatic illnesses can experience acute upper-respiratory-tract symptoms without fever, and the asymptomatic proportion can range from 14% to more than 50%”
December 11, 2025 at 2:28 PM
🔍 use GitHub Code Search to find uses of the Action: github.com/search?q=%2F...

👀 in your Dependency Insights for evidence of using the Action
March 18, 2025 at 9:31 PM
🛡️ Try SAST such as CodeQL to look for unpinned Actions. For CodeQL you can do it with the security-extended suite and the actions/unpinned-tag query (I wrote the first version 😊): github.com/github/codeq...

Guess which Action I used as an example in the README. Yep, you guessed it... 🔮
March 18, 2025 at 9:31 PM
What to do?

🚨 Security response. Check your logs, rotate and revoke credentials, etc.

📌 Make sure you're using pinned commits to 3rd party Actions. Pinning to a tag name is not enough 🙅‍♂️ to avoid this.

⚠️ Read the StepSecurity advisory (they detected it): www.stepsecurity.io/blog/harden-...
Harden-Runner detection: tj-actions/changed-files action is compromised - StepSecurity
March 18, 2025 at 9:31 PM
The malware has been given CVE-2025-30066, github.com/advisories/G..., with Dependabot alerts 🔔 being generated.

The repo is back under the maintainer’s control.
March 18, 2025 at 9:31 PM
What to do?

🚨 Security response. Logs, rotate/revoke secrets, etc.

📌 Pin your commits

🔎 Search for uses with GitHub Code Search, e.g.
github.com/search?q=%2F...

👀 Look in Dependency Insights for uses of these reviewdog Actions
March 18, 2025 at 9:24 PM
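Both "What to do?" posts above (the tj-actions one and the reviewdog one) say the same thing: pin third-party Actions to a full commit SHA, not a tag. As an added example that is not the author's CodeQL query or any project's code, here is a small Python check that walks the `uses:` lines of a workflow file and reports every reference that is not a 40-hex commit; the sample workflow is constructed for the demonstration, not taken from any real repository.

```python
import re

# Matches a `uses:` line in a GitHub Actions workflow, for example:
#   - uses: tj-actions/changed-files@v45
#   - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def unpinned_uses(workflow_text, trusted_owners=()):
    """Return (line_no, ref) for each Action not pinned to a full commit SHA.
    Local actions (./path) and Docker images (docker://...) are skipped, as are
    Actions whose owner is listed in trusted_owners, e.g. ("actions",)."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if ref.split("/", 1)[0] in trusted_owners:
            continue
        if "@" not in ref:
            # No version at all: resolves to the default branch, fully mutable.
            findings.append((line_no, ref))
            continue
        version = ref.rsplit("@", 1)[1]
        if not FULL_SHA_RE.match(version):
            # Tag or branch name: whoever controls the repo can repoint it to
            # different code, which is exactly what happened in these incidents.
            findings.append((line_no, ref))
    return findings

# Constructed sample workflow for demonstration; not any real repository's file.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
"""
```

With the default settings every tag reference is flagged, including GitHub's own `actions/checkout@v4`; pass `trusted_owners=("actions",)` if you want to exempt those and only see third-party Actions.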
It was discovered by Adnan Khan and posted on X.

Malicious commit: github.com/reviewdog/ac...

Hash: f0d342d24037bb11d26b9bd8496e0808ba32e9ec
March 18, 2025 at 9:24 PM