Hacker News: snailmailman's comments

The same thing occurred on the trivy repo a few days ago. A GitHub discussion about the hack was closed and 700+ spam comments were posted.

I scrolled through and clicked a few profiles. While many might be spam accounts or low-activity accounts, some appeared to be actual GitHub users with a history of contributions.

I’m curious how so many accounts got compromised. Are those past hacks, or is this credential stealing hack very widespread?

Are the trivy and litellm hacks just 2 high profile repos out of a much more widespread “infect as many devs as possible, someone might control a valuable GitHub repository” hack? I’m concerned that this is only the start of many supply chain issues.

Edit: Looking through, several of the accounts have a recent commit "Update workflow configuration" where they are placing a credential stealer into a CI workflow. The commits are all back in February.


Once is happenstance. Twice is coincidence. Three times is enemy action.

Update: It looks like the accounts have all been deleted by GitHub, including their repos. They are 404 pages now. Their repos + recent malicious commits are all just 404 pages now.

I'm curious what the policy is there if the accounts were compromised. Can the original users "restore" their accounts somehow? For now it appears the accounts are gone. Maybe they were entirely bot accounts but a few looked like compromised "real" accounts to me.


Yep my coworker hnykda, first reply confirming the report, got his account deleted for a while earlier. Definitely not the best way of handling this...

I run NixOS and the number of times I've been able to install something 'normally' (not via nixpkgs/flake) is approximately zero. You can't go to a website and download a binary and just run it. Almost every program references a shared library and won't be able to find it.

Nixpkgs is very complete in my experience, and in the instances where it's not, someone usually has made a flake. The only times I've had to custom-make a flake were extremely new programs, or extremely old ones. Often the newer programs had PRs waiting on nixpkgs anyway, and were only a few days away from building properly in nixos-unstable.


They said Nix, so I was thinking about macOS + nix-darwin when I wrote that.

You're right. When I tried using NixOS as my main desktop experience for a few months, I ended up with a custom derivation for various apps I used. That's probably why I made the claude code and cursor modules in the first place.

But I'm also remembering I made my own keepassxc module because keepassxc wants to be able to write to its config file, but I also want to configure it from nix, so I had to make my module use an activation-time script to merge nix config into the keepassxc config file.

I lost interest in NixOS for day to day personal computing, though vibe-coding modules like that wasn't as big of a dealbreaker as there being almost zero laptops that compete with a Macbook.

The other pain is Linux desktop environment stuff in general like dealing with interactions between a Steam game, wayland, and wayland-satellite. Though NixOS helped there since it was easy for an AI agent to investigate the issue, inspect the nix config, and make a targeted, commented patch that shows up in git.


Usually you can run almost any binary by setting up an FHS environment once. Or using steam-run.

And there's also nix-alien and similar tools as alternatives.

But indeed, usually you end up using patchelf, telling it the inputs of a binary and just making a regular nix package from it.


> the number of times ive been able to install something 'normally' (not via nixpkgs/flake) is approximately zero. You cant go to a website and download a binary and just run it

You can: https://github.com/nix-community/nix-ld


It doesn't help that there are two NixOS wikis. nixos.wiki and wiki.nixos.org.

wiki.nixos.org claims that nixos.wiki is outdated and unofficial. But both appear to receive updates, and which one wins the SEO game is a coinflip whenever I google a nixos question.


nixos.org is the official wiki. It will take time for search ranking to beat the old one.

Are the spam comments all from compromised accounts, presumably compromised due to this hack?

I only clicked on a handful of accounts but several of them have plausibly real looking profiles.


Some of them were likely already compromised before these incidents, here's one of the accounts near the top making malicious commits to its own repository before the first hack:

https://github.com/Hancie123/mero_hostel_backend/commit/4bcb...


what comments?

Ah, I think the HN post was merged. My original comment was in response to this related github discussion: https://github.com/aquasecurity/trivy/discussions/10420

There are hundreds of automated spam comments there from presumably compromised accounts. The new OP is much more clear regarding what has happened.


This is a quite scary map. They are all over my local area. It may technically be possible to route a drive around them, but if you take the most convenient path between any two points at least one camera will spot you. I'd have to leave my neighborhood through back roads and enter local shopping areas through sidestreets.

This data shouldn't even be collected in the first place, let alone consolidated into a national network that any police officer can decide to spy on me through.


Download osm data, extract roads and surveillance, gpd overlay how=difference, remove/edit the different osmid's, write to pbf file, convert to obf file w/ osmandmapcreator, import into OsmAnd.

Now you have turn by turn navigation around ALPRs on your phone.

Edit: link https://github.com/pickpj/Big-B-Router - I tend to find ALPRs that are missing in the OSM data, so keep on updating OSM data.


> Now you have turn by turn navigation around ALPRs [that we -- regular people -- know about] on your phone [while still being observed by the ones we don't know about].

fixed that for you. :-/


And a good chunk of your trips will have to be cancelled because no such route exists.


I made a version which does the avoidance dynamically at runtime, works for any tracks you want to use: https://alprwatch.org/navigation. It works fully offline after you download the maps and overlays


> It may technically be possible to route a drive around them

That's an interesting idea...



Cool, but…

I was hoping for an online game, maybe Escape From Flockopolis.

Driving sim (using Google street view) where you try to avoid the Flock.


I can't speak to flock but I know that other vendors in the space have software designed to calculate optimal locations to maximize probability at least one license plate scan for every trip taken.

Presumably that software can then be used to upsell additional cameras because with an increased density your capabilities start to approximate real-time live position tracking instead of just getting approximate locations of hot plates.


>> This is a quite scary map.

It can be. FLOCK data was used to put Bryan Kohberger at the scene along with other people's security cameras. Cops regularly use FLOCK cameras to get hits for criminals that have warrants for violent crime.

I can see why people are ok with them when they're used to get criminals off the streets. However, I've seen multiple times where cops initiate a felony stop (where people are pulled out at gunpoint and detained) against a car they got a hit on - only to find out the person they really wanted wasn't driving or even in the car at all.

What's interesting is businesses and houses have so many cameras nowadays that the first thing cops do when they get to the scene of a violent crime is canvass the area for cameras. So yeah, you can avoid FLOCK, but there are most likely hundreds of other cameras that will capture you driving through any given area.


Do you have a source to your Bryan claim?

If you look at the map, there are zero flock cameras reported in that region.

None in Moscow Idaho where the murder happened, none in Pullman where he lived, and none showed between the locations.


You can't rely on Flock's "transparency" reports either, they're woefully inadequate. In our County, the Sheriff spoke of a PD in the County getting a Flock hit. It was news to many, including Flock's transparency site, that that PD was a user of their services.

So I'm not overly surprised by this.


There's a disclaimer when you first open the page that the map is incomplete and that users need to submit the data. It's possible that data hasn't been submitted/parsed yet.


It's possible, but I can't find a corroborating news report, and it's the first I've heard this claim made about that case.


I can't find anything corroborating that example either.

I've been seeing a lot of similar grandiose claims made in random comments/Tweets/etc recently that Flock solved this or that specific high profile case that have also turned up zero proof when I did research.

I'm not sure whether it's just individual techno optimist fantasy that somehow becomes confabulated in the brain with some other crime in the news as if Flock was actually used, an organized persuasion/lobbying/misinformation campaign, or something else. But I'm seeing it a lot now which feels a bit concerning.


There have been numerous instances where cops used it to stalk exes, etc. If it isn't already, it will be used to stalk a blacklist of dissidents. It will continue to happen as long as the system exists.


But the cameras that the law enforcement officers canvass in the area aren't centrally aggregated and tagged with metadata such that they can be queried at scale.


Which is fine, because those are owned by private citizens and companies and those citizens are giving their permission to the police to use them. That's the difference between centralized government surveillance and CCTVs.


Sounds like it's working as intended. These systems don't track people, they provide objective clues and evidence.


By tracking everyone at all times.


> However, I've seen multiple times where cops initiate a felony stop

At what point do we accept that all systems are flawed? There could be many variables as to why the perp wasn't in the car. Maybe the perp stole the car. Maybe the perp borrowed the car. Maybe these systems do not work well in fog etc etc. I don't know how we're supposed to advance technology that makes us safer without getting into these murky situations from time to time.


Technology is a means to an end, not the end itself. If you can’t make it safe then don’t deploy it.


There must be some level of acceptable failure.


Flock, like Palantir, is the Torment Nexus from the famous novel Don’t Create The Torment Nexus.

Considering the potential and demonstrated abuse there must be more robust guardrails than currently exist. The required level of safety is more like “nuclear launch codes” or “commercial airliner”, not “local used car lot landing page”.

This juice ain’t worth the squeeze.


Why do anything at all?


Why even deploy such systems? I would support less for sure.


You should assume every police cruiser has a plate reader, too.


They do, especially in cities and wealthy suburbs (and honestly a lot of poor rural areas too).

The difference is these typically don't zap that data up to a central database that any agency in the country can access, the way Flock does if only because the security people at Flock are a joke.


No they don’t. You are conflating “any” with “every”.

In my city, the plate reader cop cars have 4 smallish boxes, each mounted above a quarter panel. At most about 1/20 of the police cars for my local PD has these installed.

It’s more likely that private sector cars have them installed because car repo companies will pay bounties for license plate hits on a car they have an active repo contract for.


You think more than 5% of the "private sector" cars on the road have ALPRs because of car repo bounties?

Regardless, you're being needlessly pedantic.


If you want to explore navigation I made an app: https://alprwatch.org/navigation. It works fully offline, you just need to download the maps and overlays


They are all over certain neighborhoods and areas in my metro. At first I thought it was due to the wealth of the neighborhoods, but now I'm wondering if the map is just not fully filled in :|


wow. quite literally the only ones in my area are surveilling the county park / community center. that's creepy. I'll just have to assume they're doing something creepier at the public library.


Saw two in my area on the map.

I drove out to investigate, ended up adding two more to the site.


[flagged]


We are all being investigated by the Feds 24/7 — that's what dragnet surveillance is: indiscriminate investigation at scale to be used retroactively.

"Don't do anything bad and nothing will happen" is frankly asinine to me, personally. That same logic could extend to stop-and-frisk or random door-to-door visits to check for citizenship.


Uh speak for yourself but some of us are doing the good crimes and would rather like to continue that fight from outside prison and without being shot in the face.


Go team.


I like the concept of them, and I want them to work well purely so people stop using bad passwords. But nearly everywhere does it differently and weirdly and likely wrongly.

When I log into my Amazon account with a passkey, it then asks me for a 2FA code. The 2FA code is stored on the same device as a passkey, that step literally does nothing. After I do the 2FA code, it then prompts me to create a passkey. No! I have one. I signed in with one.

Some devices give me the option to use a QR code. I like that option usually, I can easily use my phone to authenticate. But sometimes I can’t get the QR code to appear. Support varies by OS, browser, and set of installed extensions. And there’s no easy way to control which of those three handles the passkey when something decides wrongly.

I had to troubleshoot something on someone else’s computer, and saw that they logged in to windows with a passkey and QR code. I’ve looked, and I can’t seem to set that up on my windows computer. There isn’t an option to and I have no idea why.


Passkeys IMO will only work with dedicated U2F/FIDO keys like Yubikeys.


Beware that Passkey storage is limited though and I don't think you can reuse one for multiple sites. My Yubikey 5 NFC stores up to 32 and you should have some redundancy if you ever lose it. You also can't export them. I only use passkeys (in Bitwarden) for things I don't care about.


As someone who's looking into possibly getting a YubiKey 5 NFC actually, I would like to ask: if you can't export the entries, if you make a backup of the YubiKey (perhaps with the magic of buying two of them), then how would one ensure redundancy?


This does unfortunately actually work pretty well as a security measure. The new domains that are cheap and good for fun side projects, are also cheap for scammers.

For a while I noticed all the scam links my grandmother was getting were from ‘.top’ domains. I fully blocked it at the DNS level. Her DNS settings also block all newly registered sites for 90 days. She hasn’t ever had issues with it. But these have actively prevented her from clicking on scam links multiple times.

Facebook, google, and all the popular sites are all older than 90 days, on popular well known TLDs. My grandmother doesn’t seek out new trendy sites.

It was definitely something I considered when buying a new domain. I sorted by price, and then immediately ignored all the cheapest domains that were ~$1 because I’ve seen them being used for scams. They may be cheap but good luck using them.
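The two resolver rules described above (block an abused TLD outright, and block anything registered less than 90 days ago) are simple enough to show end to end. The block below is an added example written for this page, not the commenter's setup or any particular DNS product: the registration dates and the tiny public-suffix table are constructed in-memory stand-ins for what a real resolver would get from RDAP/WHOIS or a threat-intel feed, and the `.top` entry and 90-day threshold come straight from the comment.

```python
"""Added example: a DNS policy check combining a TLD blocklist with a
minimum registration age.  Registration data and suffix table are
constructed for the example, not fetched from anywhere."""
from dataclasses import dataclass
from datetime import date

BLOCKED_TLDS = {"top"}          # the TLD the comment blocks wholesale
MIN_AGE_DAYS = 90               # the comment's "newly registered" window

# Constructed stand-in for RDAP/WHOIS creation dates (registrable domain -> date).
REGISTRATIONS = {
    "example-shop.com": date(2010, 1, 1),
    "fresh-deals.xyz": date(2025, 1, 15),
    "bank.co.uk": date(2001, 6, 30),
}

# Minimal stand-in for the Public Suffix List; a real filter would load the full list.
SECOND_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot DNS clients often send."""
    return qname.strip().rstrip(".").lower()


def tld(qname: str) -> str:
    return normalize(qname).rsplit(".", 1)[-1]


def registrable_domain(qname: str) -> str:
    """Collapse any subdomain to the name that was actually registered."""
    labels = normalize(qname).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check(qname: str, today: date, *, registrations=REGISTRATIONS,
          blocked_tlds=BLOCKED_TLDS, min_age_days=MIN_AGE_DAYS,
          block_unknown: bool = False) -> Verdict:
    """Decide whether a resolver should answer for `qname`.

    block_unknown=True makes the filter fail closed when no registration
    date is available, which is the stricter choice for a user who never
    visits new sites."""
    name = normalize(qname)
    if not name or "." not in name:
        return Verdict(False, "not a fully qualified name")
    if tld(name) in blocked_tlds:
        return Verdict(False, f"TLD .{tld(name)} is blocked")
    reg = registrable_domain(name)
    created = registrations.get(reg)
    if created is None:
        return Verdict(not block_unknown, f"no registration date for {reg}")
    age = (today - created).days
    if age < min_age_days:
        return Verdict(False, f"{reg} registered {age} days ago (< {min_age_days})")
    return Verdict(True, f"{reg} registered {age} days ago")


def filter_queries(qnames, today: date, **policy) -> dict:
    """Apply the policy to a batch of query names; returns name -> Verdict."""
    return {q: check(q, today, **policy) for q in qnames}


if __name__ == "__main__":
    today = date(2025, 3, 1)
    for q, v in filter_queries(
        ["www.example-shop.com.", "login-secure.top", "fresh-deals.xyz",
         "accounts.bank.co.uk", "unknown-thing.net"], today).items():
        print(f"{'ALLOW' if v.allowed else 'BLOCK':5} {q:28} {v.reason}")
```

The order of the checks matters: the TLD rule needs no lookup and runs first, so a query for a blocked TLD never triggers a registration lookup that could itself leak the name to a third party.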


The revocation mechanism is basically just a list of revoked certificates. Without expiration dates, those lists will grow infinitely.
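To make the growth argument concrete, here is an added simulation (not from the comment or any CA software) of a CRL under the RFC 5280 rule that lets a CA drop a revoked certificate once that certificate has expired and has appeared on one further scheduled CRL. Issuance volume, revocation pattern and the seven-day CRL period are constructed, deterministic inputs; the point is that with finite validity the list size plateaus, and with no expiry it never can.

```python
"""Added example: CRL size with and without certificate expiry.
All numbers are constructed; revocation is modelled deterministically
(every 20th serial) so the result is reproducible."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    serial: int
    not_after: Optional[int]   # day number on which the cert expires; None = never


def issued_on(day: int, per_day: int, validity_days: Optional[int]) -> List[Cert]:
    """Issue `per_day` certificates on `day`; None validity means no expiry date."""
    base = day * per_day
    expiry = None if validity_days is None else day + validity_days
    return [Cert(base + i, expiry) for i in range(per_day)]


def prune_crl(crl: Dict[int, Optional[int]], today: int, crl_period_days: int = 7):
    """Drop entries whose cert has been expired for a full CRL period.

    An entry with no expiry can never satisfy the rule, so it stays forever."""
    return {serial: exp for serial, exp in crl.items()
            if exp is None or exp + crl_period_days > today}


def simulate(days: int, per_day: int = 100, validity_days: Optional[int] = 365,
             revoke_every: int = 20, prune: bool = True) -> int:
    """Return the CRL entry count after `days` days of issuance and revocation."""
    crl: Dict[int, Optional[int]] = {}
    for day in range(days):
        for cert in issued_on(day, per_day, validity_days):
            if cert.serial % revoke_every == 0:   # constructed stand-in for "got revoked"
                crl[cert.serial] = cert.not_after
        if prune:
            crl = prune_crl(crl, day)
    return len(crl)


if __name__ == "__main__":
    for label, kwargs in [("1y validity, pruned", {}),
                          ("1y validity, never pruned", {"prune": False}),
                          ("no expiry date", {"validity_days": None})]:
        print(f"{label:28} after 1000 days: {simulate(1000, **kwargs):5}"
              f"  after 3000 days: {simulate(3000, **kwargs):5}")
```

With one-year certificates and five revocations a day the pruned list settles at 372 days' worth of entries (365 days of validity plus the 7-day CRL period), whereas the unexpiring variant grows by five entries every day indefinitely.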


I’m pretty sure YouTube’s built-in AI summary is also biased towards not “spoiling” the video.

Like if the title is a clickbait “this one simple trick to..” the ai summary right below will summarize all the things accomplished with the “trick” but they still want you to actually click on the video (and watch any ads) to find out more information. They won’t reveal the trick in the summary.

So annoying because it could be a useful time saving feature. But what actually saves time is if I click through and just skim the transcript myself.

The ai features are also limited by context length on extremely long form content. I tried using the “ask a question about this video” and it could answer questions about the first 2 hours in a very long podcast but not the last third hour. (It was also pretty obviously using only the transcript, and couldn’t reference on-screen content)


They specifically avoid sending traffic through tailscale servers whenever possible. That’s how the free tier stays free. Most connections are direct, P2P.

The traffic that does go through their servers is encrypted, and bandwidth limited on the free plan. Any snooping on client behavior would have to be done client side, and the clients are all open source. To some extent the coordination server might be able to deduce some metadata about connections; but definitely not snoop all plaintext traffic.

I think they do have some “service detection” which can basically port-scan your devices to make services visible in the web UI. But that is easy to disable. And premium/enterprise tiers can intentionally log traffic statistics.


> To some extent the coordination server might be able to deduce some metadata about connections; but definitely not snoop all plaintext traffic.

Metadata is as good as data for deducing your behavior. Think what conclusions can be drawn about a person's behavior from a log of their network connections, from each connection's timestamp, source, destination, and port. Think about the way each additional thing-which-makes-network-requests increases the surveillance value of all the others.

Straight away, many people's NTP client tells the network what OS they use: `time.windows.com`? Probably a Windows user. `time.apple.com`? Probably Mac or iOS. `time.google.com`? You get the idea. Yeah, anyone can configure an NTP client to use any of those hosts, but the vast vast majority of people are taking the default and probably don't even know what NTP is.

Add a metadata point: somebody makes a connection to one of the well-known Wi-Fi captive portal detection hosts around 4PM on a weekday? Maybe somebody just got home from school. Captive portal detection at 6PM on a weekday? Maybe somebody just got home from work. Your machines are all doing this any time they reconnect to a saved Wi-Fi network: https://en.wikipedia.org/wiki/Captive_portal#Detection

Add a metadata point: somebody makes a network connection to their OS's default weather-widget API right after the captive-portal test, and then another weather-API connection exactly `${DEFAULT_INTERVAL}` minutes later? That person who got home is probably still home.

Required reading: https://kieranhealy.org/blog/archives/2013/06/09/using-metad...
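The inference chain the comment walks through (NTP host gives the OS, a captive-portal check marks an arrival, periodic weather polls say the person is still there) is short enough to run over a few log lines. This is an added example written for this page, not code from the commenter or from Tailscale: the NTP hosts are the three named above, the captive-portal hosts are well-known connectivity-check endpoints, while the weather host, the source addresses, the log lines themselves and the school/work time windows are constructed assumptions for illustration.

```python
"""Added example: behavioural inferences from connection metadata alone.
Log lines are constructed: "<ISO timestamp> <src ip> <dst host> <dst port>"."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

NTP_OS_HINTS = {                      # defaults named in the comment
    "time.windows.com": "Windows",
    "time.apple.com": "macOS/iOS",
    "time.google.com": "Google NTP default",
}
CAPTIVE_PORTAL_HOSTS = {              # well-known connectivity-check endpoints
    "captive.apple.com", "www.msftconnecttest.com",
    "connectivitycheck.gstatic.com", "detectportal.firefox.com",
}
WEATHER_HOSTS = {"weather-api.example"}   # constructed stand-in for a weather-widget API

# Constructed sample log: one Apple device at 16:02, one Windows device at 18:05,
# on a Tuesday (2025-03-04).
SAMPLE_LOG = """
2025-03-04T16:02:11 10.0.0.5 captive.apple.com 80
2025-03-04T16:02:13 10.0.0.5 time.apple.com 123
2025-03-04T16:02:20 10.0.0.5 weather-api.example 443
2025-03-04T16:32:20 10.0.0.5 weather-api.example 443
2025-03-04T17:02:20 10.0.0.5 weather-api.example 443
2025-03-04T18:05:40 10.0.0.7 www.msftconnecttest.com 80
2025-03-04T18:05:41 10.0.0.7 time.windows.com 123
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    port: int


@dataclass
class Profile:
    os_hint: Optional[str] = None
    arrivals: List[tuple] = field(default_factory=list)   # (timestamp, label)
    weather_interval_min: Optional[int] = None
    presence_until: Optional[datetime] = None


def parse_flow_log(text: str) -> List[Flow]:
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst.lower(), int(port)))
    return sorted(flows, key=lambda f: f.ts)


def arrival_label(ts: datetime) -> str:
    """Assumed time windows: the comment's '4PM school / 6PM work' heuristic."""
    if ts.weekday() < 5 and 15 <= ts.hour < 17:
        return "home from school?"
    if ts.weekday() < 5 and 17 <= ts.hour < 20:
        return "home from work?"
    return "joined a saved Wi-Fi network"


def infer(flows: List[Flow]) -> Dict[str, Profile]:
    """Build one profile per source address from destination hosts and timing only."""
    profiles: Dict[str, Profile] = {}
    weather_polls: Dict[str, List[datetime]] = {}
    for f in flows:
        p = profiles.setdefault(f.src, Profile())
        if f.dst in NTP_OS_HINTS and f.port == 123:
            p.os_hint = NTP_OS_HINTS[f.dst]
        elif f.dst in CAPTIVE_PORTAL_HOSTS:
            p.arrivals.append((f.ts, arrival_label(f.ts)))
        elif f.dst in WEATHER_HOSTS:
            weather_polls.setdefault(f.src, []).append(f.ts)
    for src, polls in weather_polls.items():
        if len(polls) < 2:
            continue                      # one poll says nothing about an interval
        gaps = Counter(round((b - a).total_seconds() / 60) for a, b in zip(polls, polls[1:]))
        interval = gaps.most_common(1)[0][0]
        profiles[src].weather_interval_min = interval
        # Still home at least until the next expected poll.
        profiles[src].presence_until = polls[-1] + timedelta(minutes=interval)
    return profiles


def profile_sample() -> Dict[str, Profile]:
    return infer(parse_flow_log(SAMPLE_LOG))


if __name__ == "__main__":
    for src, p in profile_sample().items():
        print(src, p)
```

Nothing here looks at a payload, which is the comment's point: a relay that only sees who talked to whom and when can still label a household's devices and estimate when someone is at home.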


True, but none of that metadata goes to Tailscale.


This is pure misinformation. 'Most connections are direct, P2P' makes no sense to anyone versed in basic networking.


I don’t mean P2P in the same sense that BitTorrent or something is P2P. (Splitting one connection into many distributed ones) But more like how a game that does P2P multiplayer has the clients connect directly instead of through a centralized service.


What do you mean? P2P is commonplace, for example, in IP telephony, and obviously in many other cases.

