
The repository is back online, with this explanation from the developer:

> This attack appears to have been conducted from a PAT token linked to @tj-actions-bot account to which "GitHub is not able to determine how this PAT was compromised."

> Account Security Enhancements

> * The password for the tj-actions-bot account has been updated.

> * Authentication has been upgraded to use a passkey for enhanced security.

> * The tj-actions-bot account role has been updated to ensure it has only the minimum necessary permissions.

> * GitHub proactively revoked the compromised Personal Access Token (PAT) and flagged the organization to prevent further exploitation.

https://github.com/tj-actions/changed-files/issues/2464#issu...



Editing to add: the developer has locked further discussion about this. Very concerning as I believe their explanations are raising more questions than they are answering.

First of all, clearly GitHub can't answer for the developer how their bot's token was compromised; that's something the developer needs to find out. Instead they are repeating this statement like it's out of their hands.

But more concerningly, I don't believe the explanation is supported by the GitHub history, which says the compromised commit was "authored" by Renovate and "pushed" by @jackton1. It's obvious how the first part was spoofed, but the second part is concerning as it indicates the @jackton1 account was compromised, not @tj-actions-bot. If I'm missing something please let me know.


Check the timestamp on that commit push. It was from today, an hour or two before the repo was restored, not yesterday when the attack happened. The push actor != the committer or even the actual commit author, and there can be multiple push actors if the commit is pushed multiple times by different actors.

He probably just re-pushed the bad commit while trying to figure out how to fix this.

I find it very plausible that the bot token was compromised, not his user account token, as the attack was simply to push over the tags (which is something the automation bot would have access to do, as tag management is one of its functions).


Does this seem like a plausible summary?

1. tj-actions-bot PAT spoofs renovatebot commit with malicious code - probably by creating a new unprotected branch, pushing to it spoofing the renovatebot user, then deleting the branch, but we really don't know.

2. Attacker uses PAT to also update release tags, pointing them to the malicious commit, again spoofing renovatebot

3. jackton1 tries to restore older branch, and therefore pushes the commit again. The original commit wouldn't be referenced as pushed in any pull requests


For #3: You don’t have to actually have a commit in a pull request for it to show up in the PR “conversation”. Simply putting the PR # in the commit message like #2460 would result in it showing up like that (“commit referenced this pull request”). The original malicious commit copied a real PR merge commit with #2460, so anyone who pushed it in this repo to any branch would have their push referenced in the PR conversation list. It’s just a misleading UI in my opinion.
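The tag overwrite described above (step 2 in the summary and the "push over the tags" comment) only works against consumers that reference the action by a movable tag. As an added defender-side example, not code from the thread or from the tj-actions project, here is a small audit that flags `uses:` references pinned to a tag or branch rather than a full commit SHA; the workflow text, its tag and its SHA are all constructed for the example.

```python
import re
from typing import List, Tuple

# Matches "uses: owner/repo[/path]@ref" (optionally quoted, optionally a list
# item) and captures the action path and the ref separately.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^@\s"\']+)@([^\s"\'#]+)')
# Only a full 40-hex commit SHA is immutable; tags, branches and short SHAs
# can be moved or are ambiguous, so they are all treated as "mutable".
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(ref: str) -> str:
    """Return 'sha' for a full commit pin, 'mutable' for anything else."""
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def audit_workflow(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, action, ref, verdict) for every third-party 'uses:'.

    Local actions (./path) and docker:// images are skipped: they are not
    resolved through GitHub tags, so tag re-pointing does not apply to them.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if action.startswith("./") or action.startswith("docker://"):
            continue
        findings.append((line_no, action, ref, classify_ref(ref)))
    return findings


def mutable_refs(text: str) -> List[Tuple[int, str, str, str]]:
    """Just the findings a reviewer should act on (re-pin to a full SHA)."""
    return [f for f in audit_workflow(text) if f[3] == "mutable"]


# Constructed sample workflow: the SHA and the "v99" tag are placeholders.
SAMPLE_WORKFLOW = """name: ci
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
      - name: Detect changed files
        uses: tj-actions/changed-files@v99   # constructed tag
      - uses: ./.github/actions/local-step
"""
```

A SHA pin only helps if the reviewer also confirms the SHA belongs to the expected repository and release, so the audit is a first filter, not a full verification.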



