Within eight days, the same campaign had cascaded from GitHub Actions to Docker Hub, npm, PyPI, and the VS Code extension marketplace. With just one token across five ecosystems, thousands of organizations were potentially impacted.
What is striking is this: with a single access token, the attacker spanned five major ecosystems (GitHub Actions, Docker Hub, npm, PyPI and the VS Code extension marketplace) in just eight days, affecting thousands of organizations. This shows how staggering the scale and speed of modern supply-chain attacks can be.