Post
There is an on-going malware attack targeting users of GitHub Desktop by buying ads on search engines that link to a committed Readme files on the GitHub Desktop repo with links to malicious versions of the app. This attack is on-going. I just found another attempt from a few days ago.
I found an Ad of the same kind on Duck Duck Go, so it's not just Google.
The details of the attack are described in detail in this article.
I was curious about how you can make a commit appear as belonging to a repo without having write access to that repo.
It's quite simple. I don't know if there is more than one way, but I tested with a legitimate commit from a contributor to one of my own repos by taking the hash from a commit in a PR, which anyone can make, and assembling the URL github.com//<...;
GitHub issues the same tiny yellow warning as in the above attack, but it's easily missed.
A space for Bonfire maintainers and contributors to communicate
