GitHub’s Supply Chain Warning Is Really About Secret Theft, Not Just Bad Packages
When developers hear “open source supply chain attack,” they usually picture a poisoned package. GitHub’s latest security post makes a sharper point: many modern supply-chain attacks are starting earlier, with secret exfiltration from CI/CD workflows. The bad package still matters, but it may be the downstream consequence rather than the first move. That distinction matters because it changes…