I don't know where the npm_TOKEN comes from (ending in d33a). It may still be an access token by @andyrichardson and not granular. In case it is granular, I've disabled publishing via access tokens entirely temporarily (npm > Publishing access > "Require two-factor authentication and disallow tokens"), however, I believe granular tokens on npm are new (as of end of 2022) and hence the token may have access to all of Andy's packages 😅
Alright, I can take care of the extensions keys on Monday. I've got the login credentials for Firefox & Chrome in a 1Password vault, so I'll be able to go in and rotate them.
See for Incident Report
Related: urql-graphql/urql#2927
Summary
Circle CI has reported that on December 22, 2022 attackers had access to their systems and were potentially able to extract stored data, encrypted at rest, and — more importantly — encryption keys from any running system. As far as I'm aware, this potentially affects any environment variable secret that is stored in Circle CI.
Procedure
As a safety precaution, I'd like to make sure we invalidate and rotate every secret that is stored in Circle CI that affects this repository.
We have no reason to believe any secrets were actually exposed or compromised just yet, but there's no excuse for us not to proactively rotate them.
Task
This repository is using, and has actively used, Circle CI. The configuration file can be found here: https://github.com/urql-graphql/urql-devtools/blob/4e7f7f6366984595cd119788d05107b382dbaba6/.circleci/config.yml (Last updated: Mar 18, 2022)
The secrets listed in this file are:
- CLIENT_SECRET (Chrome extension publishing secret)
- FIREFOX_API_SECRET (Firefox extension publishing secret)
- REFRESH_TOKEN (Chrome store API key)
- npm_TOKEN (HIGH RISK, npm publishing token)

Note: The good news here is that the extension stores' publishing process is "sluggish", meaning that we have a bit of time to rotate the secrets. The npm token's origin and access is probably more worrying.
These secrets should be invalidated as soon as possible.
cc @JoviDeCroock @gksander @andyrichardson @ryan-roemer
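An added illustration of building the kind of secret inventory the task above calls for (example code, not from the urql-devtools project): a small Python script that scans a CircleCI config for `$VAR` / `${VAR}` references and splits them into stored secrets to rotate, stale stored secrets to delete, and referenced variables that are not stored on the project (so they live in a context or org-level setting and must be rotated there). The config text and the list of stored variable names are constructed samples, not the repository's real `.circleci/config.yml`.

```python
import re

# Constructed sample in the shape of a CircleCI config; it is NOT the
# repository's real .circleci/config.yml (linked in the issue, not reproduced
# here). The variable names mirror the ones the issue lists.
SAMPLE_CONFIG = """\
version: 2.1
jobs:
  publish:
    docker:
      - image: cimg/node:16.13
    steps:
      - checkout
      - run: echo "//registry.npmjs.org/:_authToken=${npm_TOKEN}" > ~/.npmrc
      - run: yarn publish:chrome --client-secret "$CLIENT_SECRET" --refresh-token "$REFRESH_TOKEN"
      - run: yarn publish:firefox --api-secret "$FIREFOX_API_SECRET"
      - run: ./notify.sh "$SLACK_WEBHOOK"
      - run: echo "Built ${CIRCLE_BRANCH} at ${CIRCLE_SHA1}"
"""

# Constructed: names configured under the project's Environment Variables page.
STORED_IN_PROJECT = {"CLIENT_SECRET", "FIREFOX_API_SECRET", "REFRESH_TOKEN",
                     "npm_TOKEN", "OLD_SENTRY_DSN"}

# Matches $NAME and ${NAME}, the forms a `run` step uses to read an env var.
ENV_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def is_builtin(name: str) -> bool:
    """CircleCI-provided variables (CI, CIRCLE_*) are not stored secrets."""
    return name == "CI" or name.startswith("CIRCLE_")


def find_env_refs(config_text: str) -> dict:
    """Map each non-builtin variable to the 1-based config lines that use it."""
    refs = {}
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for match in ENV_REF.finditer(line):
            name = match.group(1)
            if not is_builtin(name) and lineno not in refs.setdefault(name, []):
                refs[name].append(lineno)
    return refs


def rotation_plan(config_text: str, stored) -> dict:
    """rotate: stored and still used. delete: stored but unused (revoke and
    remove). elsewhere: used but not stored on the project, so it comes from a
    context or org-level setting and must be rotated there as well."""
    used, stored = set(find_env_refs(config_text)), set(stored)
    return {"rotate": sorted(used & stored),
            "delete": sorted(stored - used),
            "elsewhere": sorted(used - stored)}
```

Only the config text is inspected, so anything injected by a context without being named in a `run` step will not show up; the "elsewhere" bucket is the cue to check contexts and org settings by hand.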