Expand Mini Shai-Hulud IOC coverage (#1921)

This commit is contained in:
Affaan Mustafa
2026-05-15 03:20:10 -04:00
committed by GitHub
parent 4774946db5
commit f04702bdac
5 changed files with 71 additions and 17 deletions


@@ -29,6 +29,12 @@ credentials:
files such as `.github/workflows/codeql_analysis.yml`, and Python runtime
payloads such as `transformers.pyz` / `pgmonitor.py`. Remove those
persistence hooks before rotating a stolen GitHub token.
- The scanner also watches for late-reporting markers: `router_init.js`
SHA-256 prefix/suffix `ab4fcada...8601266c`, `tanstack_runner.js`
SHA-256 prefix/suffix `2ec78d55...6be27fc96`,
`opensearch_init.js`, `vite_setup.mjs`, campaign salt `svksjrhjkcejg`,
Session protocol strings, `claude@users.noreply.github.com` dead-drop
commits, `dependabout/` branch names, and `OhNoWhatsGoingOnWithGitHub`.
- The attack chain combined `pull_request_target`, GitHub Actions cache
poisoning across a fork/base trust boundary, and OIDC token extraction from a
GitHub Actions runner.
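Review bot: the two SHA-256 markers in the added bullet, `ab4fcada...8601266c` for `router_init.js` and `2ec78d55...6be27fc96` for `tanstack_runner.js`, are truncated prefix/suffix pairs of unequal length (an 8-character suffix for the first, a 9-character suffix for the second), which a reader cannot match against a computed file hash and which suggests one of them was copied incorrectly; please spell out the full 64-hex digests, or link to the IOC list they were taken from, so the values can be verified. In the same bullet, "Session protocol strings" names no concrete string, so it cannot be checked against what the scanner actually matches; list at least one literal or point at the scanner rule that defines them. Finally, `dependabout/` reads like a misspelling of `dependabot/` unless it is the attacker's own typosquatted branch name; a short parenthetical saying which it is would save the next reader from "fixing" it.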