Slack bot to convert uploads into Git commits/PRs. Also, since Excel is so popular, transform XLSX into YAML for techies.
Deploy this repo to Heroku or any other Node.js host, then set up the environment variables (config vars in Heroku):

TARGET_GIT_URL: Git repo URL for commit access, in the form https://<user>:<personal-token>@github.com/<user>/<repo>.git. For example, if the repo is https://github.com/alice/hello-world and the secret personal access token is abcd1234, use: https://alice:abcd1234@github.com/alice/hello-world.git

SLACK_AUTH_TOKEN: Slack bot integration token, for example xyz-12345678-ABCDabcd12345678
Add the description file .git-inbox.yml to your repo root:

```yaml
# file upload and conversion configuration
files:
  # simple file upload examples
  - hello/acme.txt          # any file upload named "acme.txt" saved into "hello/acme.txt"
  - in: "*foobar*.txt"      # any text file upload containing "foobar" in the name
                            # (quoted: an unquoted leading "*" is a YAML alias and fails to parse)
    out: beep.txt           # saved in "beep.txt"
  # Excel to YAML conversion examples
  - data/boop.yml           # any Excel file upload starting with "boop" converted to YAML and saved into "data/boop.yml"
  - in: hi.xlsx             # any Excel file named "hi.xlsx"
    out:
      format: yaml          # convert to YAML
      path: my/sub/folder/hithere.yaml  # save into given repo path
# publish to repo using GitHub pull requests
push:
  type: github-request      # open a GitHub pull request
  base: master              # use "master" as base branch (default)
# alternative mode: direct commit to branch
# push:
#   type: branch            # push to branch
#   branch: development     # commit to "development" branch
```
Now, any time you upload something to the Slack channel where the bot lives, it will commit that file and create a pull request to the target repo! 🤖
For local development and the Slack tests, install the dependencies, write the same two variables to an env file, source it and run the bot under supervisor:

```sh
npm install
cat <<EOF > env.sh
export TARGET_GIT_URL=https://<user>:<personal-token>@github.com/<user>/<repo>.git
export SLACK_AUTH_TOKEN=<auth-token>
EOF
# Slack tests
. env.sh
supervisor --extensions 'js,yml' slack.js
```
FAQs
git-inbox: Slack bot to convert uploads into Git commits/PRs
The npm package git-inbox receives a total of 0 weekly downloads. As such, git-inbox's popularity was classified as not popular.
We found that git-inbox demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.