[pytest-dev] github compromised account on organisation
flub at devork.be
Thu Dec 8 08:17:52 EST 2022
GitHub recently sent an email warning of a member of the pytest-dev org
(I'm purposefully not adding identifiable information here) likely
having a compromised API token that may have been abused. The member in
question only has read access to all but one plugin repository so the
impact is limited.
Nevertheless we should probably contact them to ask for them to make
sure they revoke all API tokens, replace them with more limited-scope
ones if possible and audit the plugin. If they can't do this or don't
respond I guess we should (temporarily) restrict their access to the
plugin as well.
I'm happy to contact them, but also didn't do so yet just in case
multiple folks jump on this. Probably one is enough.