chore(blog): publish postmortem on recent security breach #4640
Conversation
Signed-off-by: Shurtu-gal <ashishpadhy1729@gmail.com>
✅ Deploy Preview for asyncapi-website ready! Built without sensitive environment variables
Walkthrough: Adds a new markdown blog post documenting the Shai‑Hulud security incident with frontmatter, a detailed incident timeline and narrative, response and remediation actions, attack‑chain analysis, affected parties, next steps and lessons learned, an embedded (partially obfuscated) JavaScript/Bun payload snippet, and a banner image.
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes
cc: @Florence-Njeri please let me know if something needs to be added.
Codecov Report: ✅ All modified and coverable lines are covered by tests.

```
@@           Coverage Diff           @@
##           master    #4640   +/-   ##
=========================================
  Coverage   100.00%   100.00%
=========================================
  Files           22        22
  Lines          799       799
  Branches       146       146
=========================================
  Hits           799       799
```

☔ View full report in Codecov by Sentry.
⚡️ Lighthouse report for the changes in this PR:
Lighthouse ran on https://deploy-preview-4640--asyncapi-website.netlify.app/
Actionable comments posted: 2
🧹 Nitpick comments (1)
markdown/blog/shai-hulud-postmortem.md (1)
96-96: Fix hyphenation in compound adjective. Line 96 uses the compound adjective "limited scope tokens" but it should be hyphenated as "limited-scope tokens" when modifying a noun.
Apply this diff:
-- Token rotation and limited scope tokens should be enforced. Our current NPM token was 3 years old. +- Token rotation and limited-scope tokens should be enforced. Our current NPM token was 3 years old.
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
`public/img/posts/shai-hulud-postmortem/affected.png` is excluded by `!**/*.png`
📒 Files selected for processing (1)
`markdown/blog/shai-hulud-postmortem.md` (1 hunks)
🧰 Additional context used
🪛 LanguageTool
markdown/blog/shai-hulud-postmortem.md
[grammar] ~96-~96: Use a hyphen to join words.
Context: ...of failure. - Token rotation and limited scope tokens should be enforced. Our cur...
(QB_NEW_EN_HYPHEN)
🪛 markdownlint-cli2 (0.18.1)
markdown/blog/shai-hulud-postmortem.md
21-21: Emphasis used instead of a heading
(MD036, no-emphasis-as-heading)
22-22: Unordered list indentation
Expected: 0; Actual: 2
(MD007, ul-indent)
24-24: Unordered list indentation
Expected: 0; Actual: 2
(MD007, ul-indent)
25-25: Unordered list indentation
Expected: 0; Actual: 2
(MD007, ul-indent)
26-26: Unordered list indentation
Expected: 0; Actual: 2
(MD007, ul-indent)
27-27: Unordered list indentation
Expected: 0; Actual: 2
(MD007, ul-indent)
28-28: Unordered list indentation
Expected: 0; Actual: 2
(MD007, ul-indent)
29-29: Unordered list indentation
Expected: 0; Actual: 2
(MD007, ul-indent)
30-30: Unordered list indentation
Expected: 0; Actual: 2
(MD007, ul-indent)
31-31: Unordered list indentation
Expected: 0; Actual: 2
(MD007, ul-indent)
32-32: Unordered list indentation
Expected: 0; Actual: 2
(MD007, ul-indent)
44-44: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
🔇 Additional comments (1)
markdown/blog/shai-hulud-postmortem.md (1)
17-99: LGTM on content and incident communication. The postmortem is comprehensive, transparent, and follows security incident communication best practices. The narrative clearly explains:
- What happened with timeline precision
- How the team responded
- The attack chain and root cause
- Actionable steps for affected users
- Concrete lessons learned with specific improvements (Trusted Publisher adoption, token rotation policy)
The external attributions (Aikido's analysis, reporter names) add credibility. Fix the three markdown formatting issues noted in prior comments, and this is ready to publish.
Signed-off-by: Shurtu-gal <ashishpadhy1729@gmail.com>
Actionable comments posted: 0
♻️ Duplicate comments (2)
markdown/blog/shai-hulud-postmortem.md (2)
22-33: Fix markdown formatting in incident timeline (duplicate of previous review). The timeline section has two outstanding issues from the previous review that remain unaddressed:
- Line 22: The emphasis-formatted date should be a level-3 heading per MD036.
- Lines 23–33: List items are indented with 2 spaces, but markdownlint requires 0-space indentation per MD007.
Apply this diff to fix both issues:
- **Mon, 24 Nov 2025** - - `03:58:47 UTC` — Pushing of malicious package versions to npm registry. +### Mon, 24 Nov 2025 +- `03:58:47 UTC` — Pushing of malicious package versions to npm registry. - - `10:02:00 UTC` — [Report by Charlie Eriksen](https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains) from Aikido about compromised packages. - - `10:32:00 UTC` — Acknowledgment of the issue by AsyncAPI team, and communication initiated to inform the community. - - `10:42:00 UTC` — Initial investigation and revoking of NPM tokens. - - `10:58:00 UTC` — Reported the incident to npm security team and started deprecating affected packages as unpublishing is not allowed with dependent packages. - - `11:46:00 UTC` — Action taken by NPM security team to unpublish the malicious packages. - - `13:33:00 UTC` — Suspected leak found in [vs-asyncapi-preview](https://github.com/asyncapi/vs-asyncapi-preview), as malicious version (1.0.1) was pushed to [OpenVSX Registry](https://open-vsx.org/extension/asyncapi/asyncapi-preview) through report from [Yusuke Sugamiya](https://x.com/DNPP) - - `13:45:00 UTC` — Revoked OpenVSX token and reported to OpenVSX security team. - - `14:30:00 UTC` — OpenVSX team unpublished the malicious package version. - - `15:45:00 UTC` — Incident report writing started. +- `10:02:00 UTC` — [Report by Charlie Eriksen](https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains) from Aikido about compromised packages. +- `10:32:00 UTC` — Acknowledgment of the issue by AsyncAPI team, and communication initiated to inform the community. +- `10:42:00 UTC` — Initial investigation and revoking of NPM tokens. +- `10:58:00 UTC` — Reported the incident to npm security team and started deprecating affected packages as unpublishing is not allowed with dependent packages. +- `11:46:00 UTC` — Action taken by NPM security team to unpublish the malicious packages. 
+- `13:33:00 UTC` — Suspected leak found in [vs-asyncapi-preview](https://github.com/asyncapi/vs-asyncapi-preview), as malicious version (1.0.1) was pushed to [OpenVSX Registry](https://open-vsx.org/extension/asyncapi/asyncapi-preview) through report from [Yusuke Sugamiya](https://x.com/DNPP) +- `13:45:00 UTC` — Revoked OpenVSX token and reported to OpenVSX security team. +- `14:30:00 UTC` — OpenVSX team unpublished the malicious package version. +- `15:45:00 UTC` — Incident report writing started.
45-58: Add language specifier to code block (duplicate of previous review). The code block is missing a language specifier, which markdownlint requires per MD040. Since this is JavaScript/Node.js code, add the `javascript` identifier to the opening fence. Apply this diff:
-``` +```javascript async ["bundleAssets"](_0x349b3d) {
🧹 Nitpick comments (1)
markdown/blog/shai-hulud-postmortem.md (1)
97-97: Use hyphen to join compound modifier. On Line 97, "limited scope tokens" should be hyphenated as "limited-scope tokens" when used as a compound modifier before a noun.
Apply this diff:
-- Token rotation and limited scope tokens should be enforced. Our current NPM token was 3 years old. +- Token rotation and limited-scope tokens should be enforced. Our current NPM token was 3 years old.
🔇 Additional comments (1)
markdown/blog/shai-hulud-postmortem.md (1)
35-100: Postmortem content is thorough and well-structured. The narrative clearly documents the incident, response timeline, technical attack chain, user guidance, and lessons learned. The extensive code snippet appropriately illustrates the malicious payload. The lessons learned section demonstrates understanding of root causes and preventive measures (Trusted Publisher, token rotation, backup maintainers).
Florence-Njeri
left a comment
Initial feedback
Signed-off-by: Shurtu-gal <ashishpadhy1729@gmail.com>
Actionable comments posted: 3
♻️ Duplicate comments (2)
markdown/blog/shai-hulud-postmortem.md (2)
22-33: Fix markdown formatting in incident timeline (MD036, MD007). The timeline section contains two persistent markdownlint violations flagged in prior reviews:
- Line 22: "Mon, 24 Nov 2025" uses emphasis instead of a level-3 heading (MD036).
- Lines 23–33: Timeline items are indented with 2 spaces, but must start at column 0 for unordered lists (MD007).
Apply this diff to resolve both issues:
## Incident Timeline -**Mon, 24 Nov 2025** - - `03:58:47 UTC` — Pushing of malicious package versions to npm registry. +### Mon, 24 Nov 2025 - - `10:02:00 UTC` — [Report by Charlie Eriksen](https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains) from Aikido about compromised packages. - - `10:32:00 UTC` — Acknowledgment of the issue by AsyncAPI team, and communication initiated to inform the community. - - `10:42:00 UTC` — Initial investigation and revoking of NPM tokens. - - `10:58:00 UTC` — Reported the incident to npm security team and started deprecating affected packages as unpublishing is not allowed with dependent packages. - - `11:46:00 UTC` — Action taken by NPM security team to unpublish the malicious packages. - - `13:33:00 UTC` — Suspected leak found in [vs-asyncapi-preview](https://github.com/asyncapi/vs-asyncapi-preview), as malicious version (1.0.1) was pushed to [OpenVSX Registry](https://open-vsx.org/extension/asyncapi/asyncapi-preview) through report from [Yusuke Sugamiya](https://x.com/DNPP) - - `13:45:00 UTC` — Revoked OpenVSX token and reported to OpenVSX security team. - - `14:30:00 UTC` — OpenVSX team unpublished the malicious package version. - - `15:45:00 UTC` — Incident report writing started. +- `03:58:47 UTC` — Pushing of malicious package versions to npm registry. +- `10:02:00 UTC` — [Report by Charlie Eriksen](https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains) from Aikido about compromised packages. +- `10:32:00 UTC` — Acknowledgment of the issue by AsyncAPI team, and communication initiated to inform the community. +- `10:42:00 UTC` — Initial investigation and revoking of NPM tokens. +- `10:58:00 UTC` — Reported the incident to npm security team and started deprecating affected packages as unpublishing is not allowed with dependent packages. +- `11:46:00 UTC` — Action taken by NPM security team to unpublish the malicious packages. 
+- `13:33:00 UTC` — Suspected leak found in [vs-asyncapi-preview](https://github.com/asyncapi/vs-asyncapi-preview), as malicious version (1.0.1) was pushed to [OpenVSX Registry](https://open-vsx.org/extension/asyncapi/asyncapi-preview) through report from [Yusuke Sugamiya](https://x.com/DNPP) +- `13:45:00 UTC` — Revoked OpenVSX token and reported to OpenVSX security team. +- `14:30:00 UTC` — OpenVSX team unpublished the malicious package version. +- `15:45:00 UTC` — Incident report writing started.
45-58: Add language specifier to fenced code block (MD040). The code block is missing a language identifier. Add `javascript` to specify the code language per markdownlint MD040. Apply this diff:
-``` +```javascript async ["bundleAssets"](_0x349b3d) {
Signed-off-by: Shurtu-gal <ashishpadhy1729@gmail.com>
Signed-off-by: Shurtu-gal <ashishpadhy1729@gmail.com>
Updated the postmortem with corrected titles, dates, and improved clarity in the incident timeline and response sections.
Co-authored-by: Lukasz Gornicki <lpgornicki@gmail.com>
Clarified details about the attack chain and token security in the postmortem.
Also not sure why the tests are failing here
Actionable comments posted: 0
♻️ Duplicate comments (4)
markdown/blog/shai-hulud-postmortem.md (4)
44-44: Add language specifier to fenced code block (MD040). The code block is missing a language identifier. Since this is JavaScript/Node.js code, specify the language as `javascript`. Apply this diff:
-``` +```javascript async ["bundleAssets"](_0x349b3d) {
99-99: Add hyphen to compound adjective on line 99. Use a hyphen to join the compound adjective: "limited-scope tokens" (not "limited scope tokens").
Apply this diff:
-- Token rotation and limited scope tokens should be enforced. Our current NPM token is 3 years old. +- Token rotation and limited-scope tokens should be enforced. Our current NPM token is 3 years old.
42-42: Capitalize "GitHub" on line 42. The brand name should use proper capitalization. Change `npm install github:asyncapi/cli` to `npm install GitHub:asyncapi/cli`. Apply this diff:
-One example of how this works was in v1.0.1 of `vs-asyncapi-preview` extension, which had an `npm install github:asyncapi/cli#2efa4dff59bc3d3cecdf897ccf178f99b115d63d` pointing to a [commit in a malicious fork](https://github.com/asyncapi/cli/commit/2efa4dff59bc3d3cecdf897ccf178f99b115d63d) which holds the above files. +One example of how this works was in v1.0.1 of `vs-asyncapi-preview` extension, which had an `npm install GitHub:asyncapi/cli#2efa4dff59bc3d3cecdf897ccf178f99b115d63d` pointing to a [commit in a malicious fork](https://github.com/asyncapi/cli/commit/2efa4dff59bc3d3cecdf897ccf178f99b115d63d) which holds the above files.
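Review bot: the `github:` in this hunk is the npm git-dependency protocol prefix inside a code span (`npm install github:asyncapi/cli#…`), not the product name in prose, so the LanguageTool GITHUB hit is a false positive here and the suggested `+` line should not be applied. Changing the case edits a literal install command that readers may copy and compare against the malicious `vs-asyncapi-preview` release; keep the line as it is and suppress the rule for that code span instead.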
20-32: Fix markdown formatting in incident timeline (MD036, MD007). The timeline section has two formatting violations flagged by markdownlint:
- Line 22: The date should be a heading (`### Mon, 24 Nov 2025`) rather than emphasis text.
- Lines 23–32: Timeline items have 2-space indentation; they should have 0-space indentation (lists start at column 0).
Apply this diff:
## Incident Timeline - **Mon, 24 Nov 2025** - - `03:58:47 UTC` — Pushing of malicious package versions to the NPM registry. - - `10:02:00 UTC` — [Report by Charlie Eriksen](https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains) from Aikido about compromised packages. - - `10:32:00 UTC` — Acknowledgment of the issue by the AsyncAPI team, and communication initiated to inform the community. - - `10:42:00 UTC` — Initial investigation and revoking of NPM tokens. - - `10:58:00 UTC` — Reported the incident to the NPM security team and started deprecating affected packages, as unpublishing is not allowed with dependent packages. - - `11:46:00 UTC` — Action taken by the NPM security team to unpublish the malicious packages. - - `13:33:00 UTC` — Suspected leak found in [vs-asyncapi-preview](https://github.com/asyncapi/vs-asyncapi-preview), as malicious version (1.0.1) was pushed to [OpenVSX Registry](https://open-vsx.org/extension/asyncapi/asyncapi-preview) through report from [Yusuke Sugamiya](https://x.com/DNPP) - - `13:45:00 UTC` — Revoked OpenVSX token and reported to OpenVSX security team. - - `13:52:00 UTC` — OpenVSX team unpublished the malicious package version. - - `15:45:00 UTC` — Incident report writing started. +### Mon, 24 Nov 2025 +- `03:58:47 UTC` — Pushing of malicious package versions to the NPM registry. +- `10:02:00 UTC` — [Report by Charlie Eriksen](https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains) from Aikido about compromised packages. +- `10:32:00 UTC` — Acknowledgment of the issue by the AsyncAPI team, and communication initiated to inform the community. +- `10:42:00 UTC` — Initial investigation and revoking of NPM tokens. +- `10:58:00 UTC` — Reported the incident to the NPM security team and started deprecating affected packages, as unpublishing is not allowed with dependent packages. +- `11:46:00 UTC` — Action taken by the NPM security team to unpublish the malicious packages. 
+- `13:33:00 UTC` — Suspected leak found in [vs-asyncapi-preview](https://github.com/asyncapi/vs-asyncapi-preview), as malicious version (1.0.1) was pushed to [OpenVSX Registry](https://open-vsx.org/extension/asyncapi/asyncapi-preview) through report from [Yusuke Sugamiya](https://x.com/DNPP) +- `13:45:00 UTC` — Revoked OpenVSX token and reported to OpenVSX security team. +- `13:52:00 UTC` — OpenVSX team unpublished the malicious package version. +- `15:45:00 UTC` — Incident report writing started.
🧹 Nitpick comments (1)
markdown/blog/shai-hulud-postmortem.md (1)
100-100: Rephrase awkward phrasing on line 100. "Got to know about" is colloquial; consider clearer phrasing such as "We discovered" or "We became aware of."
Apply this diff:
-- Got to know about a [workflow with unsecured context](https://github.com/asyncapi/cli/blob/master/.github/workflows/auto-changeset.yml) in GitHub Actions. Although it is not the root cause here, we have fixed it to avoid any future risks in [PR #1909](https://github.com/asyncapi/cli/pull/1909) +- We discovered a [workflow with unsecured context](https://github.com/asyncapi/cli/blob/master/.github/workflows/auto-changeset.yml) in GitHub Actions. Although it is not the root cause here, we have fixed it to avoid any future risks in [PR #1909](https://github.com/asyncapi/cli/pull/1909)
🔇 Additional comments (3)
markdown/blog/shai-hulud-postmortem.md (3)
1-16: Frontmatter is properly structured. The metadata formatting looks good with valid YAML, all required fields, and proper author attribution.
82-90: User remediation guidance is clear and actionable. The affected user section provides straightforward, practical steps with proper formatting and helpful references.
103-103: Contact information is properly formatted. The security contact email at the end provides a clear way for readers to reach out with questions or concerns.
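The attack chain quoted in the review above (a `vs-asyncapi-preview` release whose `npm install github:asyncapi/cli#<commit>` resolved to a commit from a malicious fork) is exactly the case a dependency audit should surface: a git-hosted spec pinned to a SHA looks immutable, yet GitHub serves every commit in a repository's fork network under the parent repository's URL, so the SHA says nothing about whether the code was ever on an upstream branch. The script below is an added example for this thread, not code from the asyncapi/website repository or from the postmortem. It classifies git-hosted dependency specs in a package.json and flags commit-pinned ones for an upstream-reachability check, while marking branch-, tag- and unpinned specs as mutable. The package names, the organisation `example-org` and the SHA in the sample manifest are constructed; the parser covers the common npm git spec shapes (shorthand, `git+https`, `git+ssh`, scp-like), which goes beyond the single `github:` form shown in the review.

```javascript
// Added example for this review thread; not code from the asyncapi/website
// repository or from the postmortem it publishes. It scans a package.json
// object for dependencies that npm would fetch from a git host rather than the
// registry and classifies how each one is pinned. The attack chain quoted in
// the review used a spec of the shape `github:owner/repo#<40-hex sha>`: the
// SHA is immutable, but GitHub serves every commit in a repository's fork
// network under the parent repository's URL, so a commit-pinned spec is no
// evidence that the commit ever existed on an upstream branch. Such specs are
// flagged for manual verification; unpinned and ref-pinned specs are flagged
// as mutable.

const SHA40 = /^[0-9a-f]{40}$/i;

// git+https://host/owner/repo(.git)(#committish), git+ssh://user@host/owner/repo, git://host/owner/repo
const GIT_URL = /^(?:git\+)?(?:https?|ssh|git):\/\/(?:[\w.-]+@)?([\w.-]+)\/([\w.-]+)\/([\w.-]+?)(?:\.git)?(?:#(.*))?$/i;
// user@host:owner/repo(.git)(#committish)
const SCP_LIKE = /^[\w.-]+@([\w.-]+):([\w.-]+)\/([\w.-]+?)(?:\.git)?(?:#(.*))?$/i;
// github:owner/repo(#committish), gitlab:..., bitbucket:..., and the bare owner/repo GitHub shorthand
const SHORTHAND = /^(?:(github|gitlab|bitbucket):)?([\w.-]+)\/([\w.-]+?)(?:#(.*))?$/i;
const SHORTHAND_HOSTS = { github: 'github.com', gitlab: 'gitlab.com', bitbucket: 'bitbucket.org' };

// Returns { host, owner, repo, committish } for a git-hosted spec, or null for
// anything npm resolves elsewhere (registry ranges, npm: aliases, file:, paths).
function parseGitSpec(spec) {
  let m;
  if ((m = GIT_URL.exec(spec)) || (m = SCP_LIKE.exec(spec))) {
    return { host: m[1].toLowerCase(), owner: m[2], repo: m[3], committish: m[4] || null };
  }
  if (/^[.\/~]/.test(spec)) return null; // local path, not a git shorthand
  if ((m = SHORTHAND.exec(spec))) {
    const host = SHORTHAND_HOSTS[(m[1] || 'github').toLowerCase()];
    return { host, owner: m[2], repo: m[3], committish: m[4] || null };
  }
  return null;
}

// How the committish constrains what `npm install` will actually fetch.
function classifyPin(committish) {
  if (!committish) return 'unpinned';                    // default branch HEAD at install time
  if (committish.startsWith('semver:')) return 'semver'; // a tag chosen at install time
  if (SHA40.test(committish)) return 'commit';           // content-addressed, but see ADVICE
  return 'ref';                                          // branch or tag name: mutable
}

const ADVICE = {
  unpinned: (s) => `resolves the default branch of ${s.owner}/${s.repo} at install time; pin it or use a registry release`,
  ref: (s) => `ref "${s.committish}" is mutable and can be repointed without the spec changing`,
  semver: (s) => `selects a tag of ${s.owner}/${s.repo} at install time; tags are mutable`,
  commit: (s) => `commit-pinned; confirm ${s.committish.slice(0, 12)} is reachable from an upstream branch or tag of ${s.owner}/${s.repo}, because a fork's commits are served under the same URL`,
};

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// One finding per git-hosted dependency, in manifest order.
function auditGitDependencies(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (typeof spec !== 'string') continue;
      const src = parseGitSpec(spec);
      if (!src) continue;
      const pin = classifyPin(src.committish);
      findings.push({ field, name, spec, ...src, pin, advice: ADVICE[pin](src) });
    }
  }
  return findings;
}

function formatReport(findings) {
  return findings.map((f) => `[${f.pin}] ${f.field}.${f.name} = ${f.spec}\n    ${f.advice}`);
}

// Constructed sample manifest: hypothetical package names, organisation and SHA.
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-extension',
  dependencies: {
    'some-lib': '^2.1.0',                                                // registry range: ignored
    'pinned-fork': 'github:example-org/example-cli#0123456789abcdef0123456789abcdef01234567',
    'floating-branch': 'git+https://github.com/example-org/example-cli.git#main',
    'unpinned-shorthand': 'example-org/example-tool',
    'aliased': 'npm:some-lib@^1',                                        // alias: ignored
  },
  devDependencies: {
    'local-link': 'file:../shared',                                      // local path: ignored
    'ssh-tagged': 'git+ssh://git@github.com/example-org/example-cli.git#semver:^1.0.0',
  },
};

for (const line of formatReport(auditGitDependencies(SAMPLE_PACKAGE_JSON))) console.log(line);
```

To run it against a real manifest, replace `SAMPLE_PACKAGE_JSON` with `JSON.parse(fs.readFileSync('package.json', 'utf8'))`. The lockfile is the next place to look: for git dependencies `package-lock.json` records the fetched commit in the `resolved` field, so the same reachability check applies to whatever SHA ended up there, not only to what `package.json` declares.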
Signed-off-by: Shurtu-gal <ashishpadhy1729@gmail.com>
This test fails intermittently: https://github.com/asyncapi/website/blob/master/tests/index.test.ts#L42
/rtm |