
Update: this is what our official response and mitigation strategy looks like: Greenkeeper Verify

Last Friday I came home from a very nice evening out with friends. It was a bit earlier than usual, because I was about to go on a weekend trip to Hamburg with my partner the next morning at 7am.

I know I probably shouldn’t be doing this but I had one last look at my Twitter client, just to check if something important happened in my absence. And indeed, there was a suspicious tweet.

Where it all began

Greenkeeper is a service I’m running together with my friends at The Neighbourhoodie. It works by sending pull requests to keep npm dependencies up to date. But the pull request in the tweet above didn’t look right, because the actual diff was total nonsense: there was no way it was coming from us. Was this screenshot just a weird way the Karma project was expressing their appreciation for the service? Not really. I quickly realized that someone had created a GitHub account called “greenkeeperlo-bot”, the spitting image of our account “greenkeeperio-bot”, to send out spammy pull requests in our name. They had copied our avatar, our pull request bodies, our commit message and our branch naming pattern. The commits themselves were faked by setting our bot’s email address as the commit author, a well-known problem in how GitHub works: a commit is attributed to whichever account has that email address, without any check that the person pushing it controls the address. …
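To make the impersonation concrete, here is an added example (not Greenkeeper’s code and not part of the original post) that builds a throwaway git repository, creates a commit whose author and committer are forged to look like the bot, and then lists every commit that claims the bot’s identity without carrying a verified signature. The bot address `bot@greenkeeper.io` is an illustrative assumption, not the real one, and the repository contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Greenkeeper's own code. Git stores author and committer
# identity as plain metadata supplied by whoever makes the commit, so any
# commit can claim to come from greenkeeperio-bot's address. Hosting sites
# that attribute commits by email will then show the bot's avatar on it.
# Only a signature can prove the identity, which is what the check below
# looks for.
set -eu

BOT_EMAIL="bot@greenkeeper.io"   # assumption: illustrative address, not the real one

# Create a temporary repository with one commit forged to look like the bot's
# dependency-update commits. Prints the repository path.
make_forged_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  printf '{ "dependencies": { "lodash": "4.17.0" } }\n' > "$dir/package.json"
  git -C "$dir" add package.json
  # Author and committer identity are plain metadata: anyone can set them.
  GIT_AUTHOR_NAME="greenkeeperio-bot" GIT_AUTHOR_EMAIL="$BOT_EMAIL" \
  GIT_COMMITTER_NAME="greenkeeperio-bot" GIT_COMMITTER_EMAIL="$BOT_EMAIL" \
    git -C "$dir" commit -q -m "chore(package): update lodash to version 4.17.0"
  echo "$dir"
}

# Print "<hash> <author email> <signature status>" for every commit in the
# given revision range that claims the bot's address but is not backed by a
# good, trusted signature. %G? prints G only for a valid signature from a
# trusted key; N means the commit is not signed at all.
unverified_bot_commits() {
  repo=$1
  range=$2
  git -C "$repo" log --format='%H %ae %G?' "$range" \
    | awk -v bot="$BOT_EMAIL" '$2 == bot && $3 != "G"'
}

# Count of such commits, handy for a pre-merge or CI gate.
unverified_bot_commit_count() {
  unverified_bot_commits "$1" "$2" | awk 'END { print NR }'
}
```

Run `repo=$(make_forged_repo); unverified_bot_commits "$repo" HEAD` to see the forged commit listed with status `N`. For `%G?` to ever report `G`, git needs gpg installed and the bot’s public key in the verifying keyring; in this demo the forged commit is unsigned, so it is flagged regardless of the keyring state.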
