
Compromised Token

Open guedou opened this issue 3 months ago • 3 comments

Hello,

@gitguardian has identified that a commit recently introduced into your repository is exfiltrating the secrets used in your GitHub actions: https://github.com/mobxjs/mobx/commit/69ab7c3df5659bf17eb0eb1372aae30c3055fc99

We recommend that you act quickly, starting by reverting the commit and revoking the secrets.

We are available if you need any help.

Best regards, Guillaume on behalf of the @GitGuardian security research team

guedou, Sep 05 '25 13:09

Thanks for reporting, @guedou! I reverted the commits and blocked the user. I also removed some other members that didn't ring a bell to me directly. If I removed someone by accident, I'll link to this comment with an apology and feel free to reach out through personal channels to get restored :)

mweststrate, Sep 05 '25 16:09

@mweststrate I'd also suggest rotating the COVERALLS_REPO_TOKEN token, since it was exfiltrated.

scovetta, Sep 05 '25 16:09

Will you be willing to share your GitHub audit logs to help us investigate the root cause?

guedou, Sep 10 '25 07:09