Reporting suspicious activity - revoking all permissions to prevent potential malicious attacks through GitHub or crates.io #1257

Closed
@bvssvni

Attention @PistonDevelopers/pistoncollaborator @PistonDevelopers/admins @PistonDevelopers/owners

17 hours ago, a GitHub account, which has never contributed to commits or issues, added public deploy key 05:99:67:68:24:55:9f:98:c8:25:44:ec:76:10:ee:aa to all repositories under the PistonDevelopers organization. These keys were removed immediately upon discovery. The user's membership was removed from the organization.

As by default, all members now have their permissions revoked. The Piston project will shut down temporarily until our security policies have been reviewed.

I ran through a todo-list produced by Eco and removed all owners on crates.io except myself. Will check the repositories manually to see if there are remaining crates that might be targeted through crates.io.

There have been no detected attacks so far, but I'll keep looking.
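An added example, not part of the original issue or the Piston project's code: an offline audit that computes the legacy MD5 fingerprint (the format quoted above) for every deploy key in an exported inventory, then flags keys that match the reported fingerprint or that appear on several repositories. The inventory shape (repository name mapped to entries with `id`, `title` and `key` fields, as in GitHub's deploy key listing) is an assumption, and the repository names and keys below are constructed.

```python
import base64
import hashlib
from collections import defaultdict

# MD5 fingerprint quoted in the issue above.
REPORTED = "05:99:67:68:24:55:9f:98:c8:25:44:ec:76:10:ee:aa"

def md5_fingerprint(public_key):
    """Colon-separated MD5 fingerprint of an OpenSSH 'type base64 [comment]' line."""
    parts = public_key.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)  # malformed base64 raises a ValueError subclass
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def audit(inventory, watchlist=(REPORTED,), shared_threshold=2):
    """Return (findings, unparsed); findings maps fingerprint -> (reasons, repos)."""
    repos_by_fp, unparsed = defaultdict(set), []
    for repo, keys in inventory.items():
        for entry in keys:
            try:
                repos_by_fp[md5_fingerprint(entry.get("key", ""))].add(repo)
            except ValueError:
                unparsed.append((repo, entry.get("id")))  # needs manual review
    wanted = {fp.lower() for fp in watchlist}
    findings = {}
    for fp, repos in repos_by_fp.items():
        reasons = []
        if fp in wanted:
            reasons.append("watchlist")
        if len(repos) >= shared_threshold:  # same key on many repos, as in this incident
            reasons.append("shared")
        if reasons:
            findings[fp] = (reasons, sorted(repos))
    return findings, unparsed

def _sample_key(seed):
    """Constructed ssh-ed25519 blob (not a real key), deterministic per seed."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

# Constructed inventory: repository -> deploy key entries.
SAMPLE = {
    "example-org/a": [{"id": 1, "title": "docs", "key": _sample_key(b"docs")},
                      {"id": 2, "title": "x", "key": _sample_key(b"x")}],
    "example-org/b": [{"id": 3, "title": "x", "key": _sample_key(b"x")}],
    "example-org/c": [{"id": 4, "title": "broken", "key": "ssh-rsa not*base64"}],
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A key legitimately shared by CI across repositories is also reported as "shared", so those findings are a review list rather than a verdict.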
