Within eight days, the same campaign had cascaded from GitHub Actions to Docker Hub, npm, PyPI, and the VS Code extension marketplace. With just one token across five ecosystems, thousands of organizations were potentially impacted.
令人惊讶的是:一个单一的访问令牌可以在短短八天内横跨五个主要生态系统(GitHub Actions、Docker Hub、npm、PyPI和VS Code扩展市场),自动传播恶意代码,影响数千个组织。这种级联供应链攻击展示了现代软件生态系统的脆弱性。