Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Many security_advisory.published failing webhook events originating from similar npm packages #4578

Open
robase opened this issue Jul 4, 2024 · 1 comment

Comments

@robase
Copy link

robase commented Jul 4, 2024

My github org is currently receiving many webhooks of the security_advisory.published type. My understanding is that these advisories are general in nature and are not necessarily received due to a specific package being used within an org (please correct me if wrong).

The reason I'm raising this is that there appear to be many junk malware type advisories being pushed out through the database:

see: https://github.com/advisories?query=type%3Amalware

example advisory: GHSA-hh4g-p2q6-7fvj

image

These advisories would need to be reviewed before being sent out, is that correct? An interesting note is that these events are also all failing the X-Hub-Signature-256 check for the github app installed in my org receiving the webhook events

@robase robase changed the title Many security_advisory.published events originating from similar npm packages and failing Many security_advisory.published failing webhook events originating from similar npm packages Jul 4, 2024
@darakian
Copy link
Contributor

The npm malware advisories are correlated with malware takedowns performed by the npm team. The idea is to alert anyone who may have downloaded the malware before it got pulled from the npm registry. In that sense they are reviewed and not junk.

An interesting note is that these events are also all failing the X-Hub-Signature-256

That's certainly curious. I'll share that around 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants