No you literally can (and the attackers did) change version 44 (the tag for it) ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		BlackFingolfin 9 months ago \| parent \| context \| favorite \| on: Tj-actions/changed-files GitHub Action Compromised... No you literally can (and the attackers did) change version 44 (the tag for it) to point to a different compromised commmit

anonymars 9 months ago [–]

Yes, you're right. I wasn't able to double-check as the repo was deleted at the time. That said, AIUI making the tags read-only would still often be vulnerable to semantic-version exploitation.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact