Mwa kusokoneza njira yotulutsira GitHub Actions mu malo osungira a RedHatInsights a Red Hat, owukira adatha kufalitsa mitundu 64 yoyipa ya maphukusi 32 a NPM a nsanja ya Red Hat Cloud Services ku chikwatu cha NPM. Mitundu iwiri yoyipa ya phukusi lililonse la NPM loyipa idatulutsidwa, iliyonse ili ndi code yomwe idayambitsa mtundu watsopano wa nyongolotsi ya mini-shai-hulud, yomwe imafufuza ma tokeni ndi ziyeneretso zomwe zili m'malo omwe alipo.
Nyongolotsiyo inayikidwa mu fayilo ya index.js ndipo inayatsidwa kudzera mu chogwirira ntchito choyimitsidwa kale chomwe chimatchedwa poyika phukusi lomwe lili ndi kachilomboka. Ikayatsidwa, nyongolotsiyo inafufuza dongosololi kuti ipeze ma tokeni a NPM (~/.npmrc), PyPI, CircleCI, AWS, GCP, Docker, Azure, HashiCorp, ndi KubernetesK8s, komanso makiyi achinsinsi a SSH. Deta yomwe idapeza idatumizidwa kwa owukira. Ngati tokeni ya NPM yapezeka, nyongolotsiyo idasindikiza zokha ma virus atsopano omwe akupangidwa m'malo omwe alipo, zomwe zimayambitsa matenda a mtengo wodalira.
Kupeza mwayi wopeza zochita za GitHub kunapezeka mwa kusokoneza akaunti ya wantchito wa Red Hat, zomwe zinalola owukirawo kukankhira mwachindunji ma commits ku javascript-clients, frontend-components, ndi platform-frontend-ai-toolkit repositories popanda kudutsa mu ndondomeko yowunikira. Ma commits awa adayika fayilo ya ci.yaml mu dongosolo lophatikizana lokhazikika, lomwe, poyendetsa build, lidayendetsa script ya _index.js pogwiritsa ntchito nsanja ya bun. Script idagwiritsa ntchito chilolezo cha "id-token: write" kupempha chizindikiro cha OIDC (OpenID Connect) kuchokera ku GitHub, chomwe kenako chidagwiritsidwa ntchito potsimikizira ndi NPM kudzera mu njira ya "trusted publishing".
Maphukusi a NPM okhala ndi khodi yoyipa:
- @redhat-cloud-services/chrome (2.3.1, 2.3.2)
- @redhat-cloud-services/compliance-client (4.0.3, 4.0.4)
- @redhat-cloud-services/config-manager-client (5.0.4, 5.0.5)
- @redhat-cloud-services/entitlements-client (4.0.11, 4.0.12)
- @redhat-cloud-services/eslint-config-redhat-cloud-services (3.2.1, 3.2.2)
- @redhat-cloud-services/frontend-components (7.7.2, 7.7.3)
- @redhat-cloud-services/frontend-components-advisor-components (3.8.2)
- @redhat-cloud-services/frontend-components-config (6.11.3, 6.11.4)
- @redhat-cloud-services/frontend-components-config-utilities (4.11.2, 4.11.3)
- @redhat-cloud-services/frontend-components-notifications (6.9.2, 6.9.3)
- @redhat-cloud-services/frontend-components-remediations (4.9.2, 4.9.3)
- @redhat-cloud-services/frontend-components-testing (1.2.1, 1.2.2)
- @redhat-cloud-services/frontend-components-translations (4.4.1, 4.4.2)
- @redhat-cloud-services/frontend-components-utilities (7.4.1, 7.4.2)
- @redhat-cloud-services/hcc-feo-mcp (0.3.1, 0.3.2)
- @redhat-cloud-services/hcc-kessel-mcp (0.3.1, 0.3.2)
- @redhat-cloud-services/hcc-pf-mcp (0.6.1, 0.6.2)
- @redhat-cloud-services/host-inventory-client (5.0.3, 5.0.4)
- @redhat-cloud-services/insights-client (4.0.4, 4.0.5)
- @redhat-cloud-services/integrations-client (6.0.4, 6.0.5)
- @redhat-cloud-services/javascript-clients-shared (2.0.8, 2.0.9)
- @redhat-cloud-services/notifications-client (6.1.4, 6.1.5)
- @redhat-cloud-services/patch-client (4.0.4, 4.0.5)
- @redhat-cloud-services/quickstarts-client (4.0.11, 4.0.12)
- @redhat-cloud-services/rbac-client (9.0.3, 9.0.4)
- @redhat-cloud-services/remediations-client (4.0.4, 4.0.5)
- @redhat-cloud-services/rule-components (4.7.2, 4.7.3)
- @redhat-cloud-services/sources-client (3.0.10, 3.0.11)
- @redhat-cloud-services/topological-inventory-client (3.0.10, 3.0.11)
- @redhat-cloud-services/tsc-transform-imports (1.2.2)
- @redhat-cloud-services/types (3.6.1, 3.6.2, 3.6.4)
- @redhat-cloud-services/vulnerability-client (2.1.8, 2.1.9)
Source: opennet.ru
