The exploit affects repository owners if they merge the malicious commit, their CI/CD pipeline gets infected, and their cloud credentials, SSH keys,GitHub tokens, and etc., are stolen. Anyone working on compromised repositories or using CI/CD variables could have their credentials exfiltrated. If you are not a repository owner or contributor to affected repos then your direct risk is likely low. The article lists 5,561 infected repositories, so if you don’t contribute to or use any of those repos (the full list was published by SafeDep), you’re fine.
Um, so, sorry for the potentially dumb question, but do I need to worry about this?
The exploit affects repository owners if they merge the malicious commit, their CI/CD pipeline gets infected, and their cloud credentials, SSH keys,GitHub tokens, and etc., are stolen. Anyone working on compromised repositories or using CI/CD variables could have their credentials exfiltrated. If you are not a repository owner or contributor to affected repos then your direct risk is likely low. The article lists 5,561 infected repositories, so if you don’t contribute to or use any of those repos (the full list was published by SafeDep), you’re fine.