At least my naive brain wonders if blocking force pushes to main would have stopped this, as it is a setting in GitHub these days, unless I am misunderstanding the final attack vector, since it seems it was force-pushed.
No one force-pushed to main in the actual repo. The attacker force-pushed to main in their own fork, but the actual repo had a CI job configured that ran code from the fork in response to changes in that fork.
Ah, that makes more sense. I was kind of confused by that.
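The CI misconfiguration described in the reply above, as an added illustration that is not from the thread or the affected project: it assumes the CI is GitHub Actions and that the job used the privileged `pull_request_target` trigger while checking out and executing the fork's own commit. The first document shows that weak pattern; the second shows the corrected form, where fork code only ever runs in an unprivileged `pull_request` context with a read-only token.

```yaml
# Constructed example 1: the weak pattern.
# pull_request_target runs in the upstream repo's context (write-capable
# token, repository secrets), yet the job checks out and executes whatever
# commit the fork currently points at, so a change in the fork runs
# fork-controlled scripts with upstream privileges.
name: ci-weak
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out the fork's commit, not the trusted base branch.
          ref: ${{ github.event.pull_request.head.sha }}
      # package.json scripts, Makefiles, etc. are attacker-controlled here.
      - run: npm ci && npm test
---
# Constructed example 2: the hardened form.
# pull_request runs fork code in the fork's context: no repository secrets
# and, with the explicit permissions block, a read-only GITHUB_TOKEN.
# Anything that needs write access or secrets lives in a separate workflow
# that does not check out or execute untrusted code.
name: ci-hardened
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
```

Reviewing each workflow for the pairing of `pull_request_target` (or `workflow_run`) with a checkout of the PR head is the quickest way to find this class of exposure in a repository.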