Need a little help from my friends

AJ ONeal (Home) coolaj86 at gmail.com
Fri Mar 22 17:21:02 MDT 2019


>
> I do see one other possible option:
> It may have been someone who knew about the vulnerability and, fearing
> that something might go wrong in the future, decided to take action now.
>
> In that case, however, I believe that it would have been ethical and
> appropriate for them to reach out to me.
>

Actually, the date that the account was created (March 9th) is highly
correlated to the most recent identity attack to a major project on GitHub
(March 6th).

I could see another possibility - that GitHub did the quickest possible
hack to disable re-registration of accounts with repos with more than 100
stars - insert a dummy user into the database - but didn't go through the
effort of coding up redirects for dummy users to the real ones yet.

I notice that my new redirects are still intact, just my old redirects
(which was one of the ways I was alerted to the problem) are broken. If
it's an attacker they could create a repository with the same name as one
of my old repos at any time and take it over. However, if it's just a quick
duct tape fix from GitHub, that also makes sense and would mostly bring me
peace.

I would like to be able to slap a "now @solderjs" on there, but if the
redirects stay in place and it's not actually an attacker account, that
would ease my mind quite a bit.

AJ ONeal
https://git.coolaj86.com
