For git folks

Mark Wieder ahsoftware at sonic.net
Sun May 5 00:09:13 EDT 2019


On 5/4/19 7:09 PM, J. Landman Gay via use-livecode wrote:
> No idea how prevalent this is:
> Mystery Git ransomware appears to blank commits, demands Bitcoin to 
> rescue code • The Register

It affects GitHub, GitLab, Bitbucket, etc., and seems to stem from some 
folks storing their login passwords in .git/config, which is a really, 
really, really stupid thing to do. And you have to go out of your way to 
do it.

Fortunately the "hack" just involves adding a new commit to the top of 
the stack, so there are some easy ways to recover. The ransom demand 
isn't so much a threat to keep code hidden but to make the "stolen" code 
public, which would really only affect private repositories.

<https://security.stackexchange.com/questions/209448/gitlab-account-hacked-and-repo-wiped>

And people store some interesting things in git repos. A few years ago 
at work I found our AWS credentials in cleartext in a repo. A private 
repo, but even so we had to wipe them from the repo, force push the new 
repo to GitHub, and create new credentials as environment variables.

-- 
  Mark Wieder
  ahsoftware at gmail.com
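
Added example, not part of the original message: a shell check for the condition described above, a login password stored in .git/config. It assumes the password is embedded in a remote URL of the form scheme://user:password@host; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the password sits in a remote URL of the form
# scheme://user:password@host/path inside .git/config.

# find_embedded_creds CONFIG_FILE
# Prints "<section><TAB><url with credentials redacted>" for every url/pushurl
# value that embeds a password. Exit status 0 = found something, 1 = clean.
find_embedded_creds() {
    awk '
        BEGIN {
            cred = "^[A-Za-z][A-Za-z0-9+.-]*://[^/@:]+:[^/@]+@"
            userinfo = "://[^/@:]+:[^/@]+@"
        }
        # Remember the current section header, e.g. [remote "origin"].
        /^[ \t]*\[/ { section = $0; gsub(/^[ \t]+|[ \t]+$/, "", section); next }
        # Git config keys are case-insensitive.
        tolower($0) ~ /^[ \t]*(url|pushurl)[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            if (val ~ cred) {
                # Never echo the secret itself into logs or terminals.
                sub(userinfo, "://<user>:<redacted>@", val)
                printf "%s\t%s\n", section, val
                found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample config (not from any real repository).
write_sample_config() {
    cat > "$1" <<'EOF'
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://alice:hunter2@git.example.com/team/app.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
    url = ssh://git@git.example.com:22/team/app.git
[remote "backup"]
    url = https://git.example.com:8443/team/app.git
EOF
}

# Usage: find_embedded_creds .git/config
```

A hit means the credential should be treated as exposed: change it at the hosting service and rewrite the remote URL without it.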
