Csound Csound-dev Csound-tekno Search About

[Csnd-dev] FYI: Security Issue on Github with my account

Date2026-07-08 01:57
FromSteven Yi
Subject[Csnd-dev] FYI: Security Issue on Github with my account
Hi All,

FYI: I found that a series of commits made to the web-ide project yesterday were attributed to my account, but I did not author them. They were clearly malicious, attempting to read secrets from the project. I revoked access tokens and ssh keys, and then force-pushed to remove the offending commits. Branch protection rules are now in place for web-ide.

I'm unsure if the breach involved an old access token, an SSH key, or was just a commit spoof. I think I've taken the necessary steps to prevent further issues, but if you see any strange commits attributed to my account, please let me know. 

Thanks,
Steven 

Date2026-07-08 09:22
FromVictor Lazzarini <000010b17ddd988e-dmarc-request@LISTSERV.HEANET.IE>
SubjectRe: [Csnd-dev] [EXTERNAL] [Csnd-dev] FYI: Security Issue on Github with my account
Should we tighten up security in all repos in the project?

Prof. Victor Lazzarini
Maynooth University
Ireland

> On 8 Jul 2026, at 01:57, Steven Yi  wrote:
>
> 
> Hi All,
>
> FYI: I found that a series of commits made to the web-ide project yesterday were attributed to my account, but I did not author them. They were clearly malicious, attempting to read secrets from the project. I revoked access tokens and ssh keys, and then force-pushed to remove the offending commits. Branch protection rules are now in place for web-ide.
>
> I'm unsure if the breach involved an old access token, an SSH key, or was just a commit spoof. I think I've taken the necessary steps to prevent further issues, but if you see any strange commits attributed to my account, please let me know.
>
> Thanks,
> Steven
The information contained in this email may be confidential and privileged. It is intended only for the addressee(s) stated above. If you are not an addressee any use, dissemination, distribution, publication or copying of the information contained in this email is strictly prohibited. If you have received this email in error, please immediately notify us by email at dataprotection@mu.ie and delete this email from your system.

Please note that Maynooth University is subject to Freedom of Information and Data Protection laws. We may be required to disclose the content of emails under the FOI Act 2014, the Data Protection Act 2018 or GDPR.

Is don seolaí / do na seolaithe thuasluaite amháin an ríomhphost seo. D’fhéadfadh an t-eolas atá ann a bheith rúnda agus faoi phribhléid. Mura seolaí tú, tá cosc iomlán ar aon eolas atá sa ríomhphost seo a úsáid, a scaipeadh, a dháileadh, a fhoilsiú nó a chóipeáil. Má fuair tú an ríomhphost seo trí thimpiste, cuir sin in iúl dúinn láithreach trí ríomhphost a chur chuig  dataprotection@mu.ie  agus scrios an ríomhphost seo ó do chóras.

Tabhair faoi deara go bhfuil Ollscoil Mhá Nuad faoi réir dhlíthe um Shaoráil Faisnéise agus um Chosaint Sonraí. D’fhéadfadh ceangal a bheith orainn ábhar ríomhphoist a nochtadh faoin Acht um Shaoráil Faisnéise 2014, faoin Acht um Chosaint Sonraí 2018 nó faoi GDPR.

Registered charity number 20037130



Date2026-07-08 15:24
FromSteven Yi
SubjectRe: [Csnd-dev] [EXTERNAL] [Csnd-dev] FYI: Security Issue on Github with my account
Although I think I've addressed the root cause, performing some security auditing probably wouldn't be a bad idea. 

On Wed, Jul 8, 2026 at 4:22 AM Victor Lazzarini <000010b17ddd988e-dmarc-request@listserv.heanet.ie> wrote:
Should we tighten up security in all repos in the project?

Prof. Victor Lazzarini
Maynooth University
Ireland

> On 8 Jul 2026, at 01:57, Steven Yi <stevenyi@gmail.com> wrote:
>
> 
> Hi All,
>
> FYI: I found that a series of commits made to the web-ide project yesterday were attributed to my account, but I did not author them. They were clearly malicious, attempting to read secrets from the project. I revoked access tokens and ssh keys, and then force-pushed to remove the offending commits. Branch protection rules are now in place for web-ide.
>
> I'm unsure if the breach involved an old access token, an SSH key, or was just a commit spoof. I think I've taken the necessary steps to prevent further issues, but if you see any strange commits attributed to my account, please let me know.
>
> Thanks,
> Steven
The information contained in this email may be confidential and privileged. It is intended only for the addressee(s) stated above. If you are not an addressee any use, dissemination, distribution, publication or copying of the information contained in this email is strictly prohibited. If you have received this email in error, please immediately notify us by email at dataprotection@mu.ie<mailto:dataprotection@mu.ie> and delete this email from your system.

Please note that Maynooth University is subject to Freedom of Information and Data Protection laws. We may be required to disclose the content of emails under the FOI Act 2014, the Data Protection Act 2018 or GDPR.

Is don seolaí / do na seolaithe thuasluaite amháin an ríomhphost seo. D’fhéadfadh an t-eolas atá ann a bheith rúnda agus faoi phribhléid. Mura seolaí tú, tá cosc iomlán ar aon eolas atá sa ríomhphost seo a úsáid, a scaipeadh, a dháileadh, a fhoilsiú nó a chóipeáil. Má fuair tú an ríomhphost seo trí thimpiste, cuir sin in iúl dúinn láithreach trí ríomhphost a chur chuig  dataprotection@mu.ie<mailto:dataprotection@mu.ie>  agus scrios an ríomhphost seo ó do chóras.

Tabhair faoi deara go bhfuil Ollscoil Mhá Nuad faoi réir dhlíthe um Shaoráil Faisnéise agus um Chosaint Sonraí. D’fhéadfadh ceangal a bheith orainn ábhar ríomhphoist a nochtadh faoin Acht um Shaoráil Faisnéise 2014, faoin Acht um Chosaint Sonraí 2018 nó faoi GDPR.

Registered charity number 20037130