
At least my naive brain wonders if blocking force pushes to main would have stopped this, as it is a setting in GitHub these days, unless I am misunderstanding the final attack vector, since it seems it was force-pushed.


No one force-pushed to main in the actual repo. The attacker force-pushed to main in their own fork, but the actual repo had a CI job configured that ran code from the fork in response to changes in that fork.


Ah, that makes more sense; I was kind of confused by that.
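As an added illustration of the CI pattern the second comment describes (this is not from the thread or from the affected project, and it assumes the CI is GitHub Actions, which the thread does not state): a workflow triggered by `pull_request_target` runs in the base repository's context, with its secrets and a read/write token, so checking out and executing the fork's code there hands those secrets to whoever controls the fork; any update to the fork branch behind the PR, including a force push, re-triggers the run. The hardened version below it uses the plain `pull_request` trigger, under which fork code still runs but with a read-only token and no repository secrets.

```yaml
# Added example, not the project's own workflow. Assumes GitHub Actions.
# Two separate workflow files are shown back to back.

# .github/workflows/ci.yml  (WEAK)
# pull_request_target runs with the base repo's secrets and a read/write
# GITHUB_TOKEN, yet checks out and executes code controlled by the fork.
name: ci-weak
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # fork-controlled commit: whoever pushes to the fork picks this code
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test          # runs that code with secrets in scope
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # hypothetical secret name

# .github/workflows/ci.yml  (HARDENED)
# Plain pull_request: fork code still runs, but with a read-only token and
# without repository secrets. Keep pull_request_target, if needed at all, for
# jobs that never check out or execute the PR's code (e.g. labelling).
name: ci-hardened
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # default ref is the PR merge commit
      - run: npm ci && npm test        # no secrets available to fork code
```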



