1 Matching Annotations
  1. Last 7 days
    1. Within eight days, the same campaign had cascaded from GitHub Actions to Docker Hub, npm, PyPI, and the VS Code extension marketplace. With just one token across five ecosystems, thousands of organizations were potentially impacted.

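      The speed and scope of this cross-ecosystem attack are frightening and show how fragile the modern software supply chain is. A single stolen credential can spread rapidly across multiple ecosystems, and this cascading effect makes defense extremely difficult.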