> The attack methodology involved a particularly sophisticated approach. Attackers inserted a base64-encoded payload into an install script, causing secrets from affected CI workflows to be exposed in workflow logs.

What? How is that sophisticated? Who wrote this?

I still don't understand how we got to this point where CI/CD pipelines are built from random shit on the internet. I remember people being worried about packages in the system package manager curated by a (relatively) small set of trusted project maintainers. Now we're pulling in garbage written by who knows, under security guidance of nobody. At least the Arch Repo has a procedure and a trust network.

Every time I have to use GitHub Actions and it recommends me using some "community" action I can't do it. I just know it's written by some 12-year-old on spring break.
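As an added illustration of the point above (this is editor-supplied example code, not part of the comment and not from any project the comment mentions): the minimum check a practitioner can run before trusting a workflow is to list every `uses:` reference and flag the ones that resolve to a mutable tag or branch (`@v4`, `@main`) rather than a full 40-hex commit SHA. The workflow text below is constructed for the example, and the SHA in it is made up, not a real commit.

```python
import re

# Constructed sample workflow for this example (not from the original post).
# The 40-hex value is invented and does not refer to a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/community-action@main
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - uses: ./.github/actions/local-step
      - run: npm ci
"""

# Matches `uses: <value>` step lines, with or without quotes; a trailing
# `# comment` is not captured.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?', re.MULTILINE)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def find_action_refs(workflow_text):
    """Return (action, ref) pairs for every remote `uses:` line.

    Local actions (./path) and docker:// images are skipped: they are not
    pulled from a third-party repository by tag, so SHA pinning does not apply.
    A reference with no '@' at all is reported with ref=None.
    """
    refs = []
    for m in USES_RE.finditer(workflow_text):
        value = m.group(1)
        if value.startswith("./") or value.startswith("docker://"):
            continue
        if "@" not in value:
            refs.append((value, None))
            continue
        action, ref = value.rsplit("@", 1)
        refs.append((action, ref))
    return refs


def unpinned_actions(workflow_text):
    """Return the remote action references that are not pinned to a full commit SHA.

    A tag or branch name can be moved by whoever controls the action's repo, so
    `owner/repo@v4` does not identify fixed code; only a 40-hex SHA does.
    """
    flagged = []
    for action, ref in find_action_refs(workflow_text):
        if ref is None or not FULL_SHA_RE.match(ref):
            flagged.append(f"{action}@{ref}" if ref else action)
    return flagged


if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print("not pinned to a commit SHA:", ref)
```

Pinning to a SHA fixes which action code runs, but it does not cover what that code fetches at run time: an install script that downloads and executes something over the network can change underneath a pinned SHA, which is exactly the kind of step the quoted advisory describes. Treat the SHA check as necessary, not sufficient, and read the action before pinning it.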