Description
Attention @PistonDevelopers/pistoncollaborator @PistonDevelopers/admins @PistonDevelopers/owners
17 hours ago, a GitHub account that has never contributed to commits or issues added public deploy key 05:99:67:68:24:55:9f:98:c8:25:44:ec:76:10:ee:aa to all repositories under the PistonDevelopers organization. These keys were removed immediately upon discovery. The user's membership was removed from the organization.
By default, all members now have their permissions revoked. The Piston project will shut down temporarily until our security policies have been reviewed.
I ran through a todo-list produced by Eco and removed all owners on crates.io except myself. I will check the repositories manually to see if there are remaining crates that might be targeted through crates.io.
There have been no detected attacks so far, but I'll keep looking.