For git folks

Mark Wieder ahsoftware at sonic.net
Sun May 5 00:09:13 EDT 2019


On 5/4/19 7:09 PM, J. Landman Gay via use-livecode wrote:
> No idea how prevalent this is:
> Mystery Git ransomware appears to blank commits, demands Bitcoin to 
> rescue code • The Register

It affects github, gitlab, bitbucket, etc, and seems to stem from some 
folks storing their login passwords in .git/config, which is a really 
really really stupid thing to do. And you have to go out of your way to 
do it.

Fortunately the "hack" just involves adding a new commit to the top of 
the stack, so there are some easy ways to recover. The ransom demand 
isn't so much a threat to keep code hidden but to make the "stolen" code 
public, which would really only affect private repositories.

<https://security.stackexchange.com/questions/209448/gitlab-account-hacked-and-repo-wiped>

And people store some interesting things in git repos. A few years ago 
at work I found our AWS credentials in cleartext in a repo. A private 
repo, but even so we had to wipe them from the repo, force push the new 
repo to github, and create new credentials as environment variables.

-- 
  Mark Wieder
  ahsoftware at gmail.com




More information about the Use-livecode mailing list