Update: This is what our official response and mitigation strategy looks like: Greenkeeper Verify
Last Friday I came home from a very nice evening out with friends. It was a bit earlier than usual, because I was about to go on a weekend trip to Hamburg with my partner the next morning at 7am.
I know I probably shouldn’t be doing this, but I had one last look at my Twitter client, just to check if something important had happened in my absence. And indeed, there was a suspicious tweet.
Greenkeeper is a service I’m running together with my friends at The Neighbourhoodie. It works by sending pull requests to keep npm dependencies up to date. But the pull request in the tweet above didn’t look right, because the actual diff was total nonsense; there was no way it was coming from us. Was this screenshot just a weird way for the Karma project to express their appreciation for the service? Not really: I quickly realized that someone had created a GitHub account called “greenkeeperlo-bot”, the spitting image of our account “greenkeeperio-bot”, to send out spammy pull requests in our name. They had copied our avatar, our pull request bodies, our commit message and our branch naming pattern. The commits themselves were faked by authoring them with our bot’s email address: git accepts any author email you put in the commit, and GitHub then attributes that commit to whichever account has claimed the address, a well-known problem in how GitHub works. …
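Everything the impostor copied (avatar, PR body, branch name, commit author email) is chosen by whoever submits the pull request, so none of it identifies the sender. What a maintainer can actually check is data GitHub controls: the exact account login, whether the head branch lives in the base repository or in a fork, and whether the commits carry a signature GitHub has verified. The following is an added example, not Greenkeeper’s code and not the Greenkeeper Verify mechanism referenced in the update above. The pull request and commit payloads are constructed: field names mimic the shape of GitHub’s REST API, the values are made up, and the rule that the genuine bot pushes its branches into the base repository rather than a fork is an assumption of this example.

```python
"""Decide whether a pull request really comes from the expected bot account.

Added example (not Greenkeeper's own code). Sample payloads below are
constructed; field names follow GitHub's REST API, values are made up.
"""
import unicodedata

EXPECTED_LOGIN = "greenkeeperio-bot"  # the real account named in the post

# Characters that read alike in a proportional font; "l" for "i" is the swap
# the impostor used ("greenkeeperlo-bot"). Extend as needed.
_CONFUSABLE = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})


def normalize_login(login: str) -> str:
    """Fold a login so visually similar spellings compare equal."""
    return unicodedata.normalize("NFKC", login).lower().translate(_CONFUSABLE)


def is_lookalike(login: str, expected: str = EXPECTED_LOGIN) -> bool:
    """True when `login` is not `expected` but is confusable with it."""
    return login != expected and normalize_login(login) == normalize_login(expected)


def verify_pull_request(pr: dict, commits: list, expected: str = EXPECTED_LOGIN) -> list:
    """Return the reasons this PR should NOT be trusted as coming from `expected`.

    An empty list means every check passed. Only fields GitHub itself sets are
    consulted; avatar, PR body, branch name and commit author email are all
    under the submitter's control and are deliberately ignored.
    """
    reasons = []

    login = pr["user"]["login"]
    if login != expected:  # exact match, never a "looks about right" comparison
        kind = "lookalike" if is_lookalike(login, expected) else "different"
        reasons.append(f"PR opened by {kind} account {login!r}, expected {expected!r}")

    # Assumption of this example: the genuine bot has push access and opens PRs
    # from branches in the base repository; an impostor has to use a fork.
    head_repo = pr["head"]["repo"]["full_name"]
    base_repo = pr["base"]["repo"]["full_name"]
    if head_repo != base_repo:
        reasons.append(f"head branch lives in fork {head_repo!r}, not in {base_repo!r}")

    for c in commits:
        sha = c["sha"][:7]
        # commit.author.email is whatever the committer configured locally, so a
        # matching email proves nothing. A signature GitHub verified does.
        verification = c["commit"].get("verification", {})
        if not verification.get("verified"):
            reasons.append(
                f"commit {sha} is not signed with a key GitHub verified "
                f"(reason={verification.get('reason', 'missing')!r}); "
                "its author email alone is not evidence"
            )
    return reasons


# Constructed sample payloads (values are made up).
GENUINE_PR = {
    "user": {"login": "greenkeeperio-bot"},
    "head": {"repo": {"full_name": "example-org/example-app"}},
    "base": {"repo": {"full_name": "example-org/example-app"}},
}
GENUINE_COMMITS = [{
    "sha": "1a2b3c4d5e6f7890",
    "commit": {"author": {"email": "bot@example.com"},
               "verification": {"verified": True, "reason": "valid"}},
}]

IMPOSTOR_PR = {
    "user": {"login": "greenkeeperlo-bot"},  # "l" where the real login has "i"
    "head": {"repo": {"full_name": "greenkeeperlo-bot/example-app"}},
    "base": {"repo": {"full_name": "example-org/example-app"}},
}
IMPOSTOR_COMMITS = [{
    "sha": "deadbeef00001234",
    "commit": {"author": {"email": "bot@example.com"},  # same email, typed by hand
               "verification": {"verified": False, "reason": "unsigned"}},
}]

if __name__ == "__main__":
    for name, pr, commits in (("genuine", GENUINE_PR, GENUINE_COMMITS),
                              ("impostor", IMPOSTOR_PR, IMPOSTOR_COMMITS)):
        problems = verify_pull_request(pr, commits)
        print(f"{name}: {'OK' if not problems else 'REJECT'}")
        for p in problems:
            print("  -", p)
```

The signature check is the one that closes the hole described above: an attacker can set the bot’s email as commit author, but cannot produce a signature GitHub will mark as verified for the bot’s key. Requiring signed commits on protected branches turns that check from a script into a repository setting.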
Software releases are exciting for both package authors and users. The hard work of the past weeks is finally going to be manifested in this one shiny new version. All the to-do list items are crossed off, the tests are green, the release blogpost is ready. Soon it will be read and shared by thousands, Twitter is going to fill up with praise and cheering. Phew! Done! 💪🎉
The excitement of a release is an important factor to keep everyone involved in a project happy and motivated and it’s a lot of fun. …