
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN110
_____________________________________________________________________

DATE                : 03/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running plone ecosystem software.

=====================================================================
https://community.plone.org/t/plone-security-advisory-20260116-attempted-code-insertions-into-github-pull-requests/22770
_____________________________________________________________________

Plone Security Advisory 20260116 - Attempted code insertions into
GitHub pull requests

Announcements
Security
16 Jan.


It has come to our attention that around the end of last week
(January 9th), a GitHub member account tried to sneak malicious code
into our code base through several pull requests within the Plone
organisation. So far we have found three instances where this happened,
each spotted before a merge could take place:

    https://github.com/plone/volto/pull/3444

    https://github.com/plone/volto/pull/7736

    https://github.com/plone/plonetheme.barceloneta/pull/428

The Security and Admin Teams took action, removed the malicious
account from the Plone GitHub organisation and reached out to the
account owner. From what we learned later, the account was compromised
using a stolen personal access token. The account owner did not act with
malicious intent and was not aware of the situation.

It is possible, and likely, that the attacker inserted the malicious code
snippet into other PRs as well. We therefore advise all maintainers of
packages within the plone, zopefoundation or collective GitHub
organisations to review, even more carefully than usual, the PRs (both
open and merged) on those repositories for abnormal code or changes
over the last two weeks: January 1 to January 14th.

As general advice, please enable two-factor authentication (2FA) on
your GitHub account and keep any personal access tokens (PATs) as safe,
secure, short-lived AND narrowly scoped in access permissions as possible.

(Note, however, that a PAT can be stolen and used without the attacker
gaining any further account access, since only the account login itself
is guarded by 2FA. This is the inherent risk of PATs: they are convenient
precisely because they grant access with a single secret.)

....


27 Jan.

Update: we have discovered more attempts from the same hacked account
on the same date (January 7). These were less easily visible because
they were not made on branches belonging to pull requests.

Most important is a successful insertion of malicious code into the
master branch of the plone.app.mosaic add-on, done by editing and force
pushing this commit. This has not made it into a release, but if you
have been developing on the plone.app.mosaic code since then, you may
be affected.

This instance, and all other instances that we have discovered, have
been dealt with, either by undoing the malicious change or by closing
the branch/PR.
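The review the team asks for above (PRs and branches touched in the 1 to 14 January window, plus rewritten history such as the force-pushed mosaic commit) is easier with a list of candidate commits to inspect. The following script is an added example, not Plone project tooling: it parses `git log` output from a local clone, keeps the commits whose author or commit date falls in the window, and flags the signs this incident showed. The `--format` string, the sample log lines, the window and the account name `compromised-user` are all constructed for the example; a commit whose committer differs from its author, or whose commit date is much later than its author date, is what an amended and force-pushed commit looks like, and the account-name match is only a heuristic, because whoever holds a PAT can set any author and committer they like.

```python
"""List commits in a review window that deserve a manual look.

Added example (not Plone code). Against a real clone, run:
    git log --all --format='%H%x1f%an%x1f%aI%x1f%cn%x1f%cI%x1f%s' \
        | python3 audit_commits.py
and then inspect each reported SHA with `git show <sha>`.
"""
import sys
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# ASCII unit separator: cannot appear in git identities or subjects, so
# splitting on it is safe even when subjects contain pipes or commas.
FIELD_SEP = "\x1f"


@dataclass
class Commit:
    sha: str
    author: str
    author_date: datetime
    committer: str
    commit_date: datetime
    subject: str


def parse_log(text: str) -> list:
    """Parse lines produced by the --format string in the module docstring."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, an, ai, cn, ci, subject = line.split(FIELD_SEP, 5)
        commits.append(Commit(sha, an, datetime.fromisoformat(ai),
                              cn, datetime.fromisoformat(ci), subject))
    return commits


def audit(commits, start: date, end: date, suspect_accounts: set) -> list:
    """Return (sha, reasons) for commits in [start, end] with warning signs."""
    findings = []
    for c in commits:
        in_window = (start <= c.author_date.date() <= end
                     or start <= c.commit_date.date() <= end)
        if not in_window:
            continue
        reasons = []
        if c.author in suspect_accounts or c.committer in suspect_accounts:
            reasons.append("touched by a suspect account")
        if c.author != c.committer:
            reasons.append("committer differs from author (rebased/amended by someone else)")
        if c.commit_date - c.author_date > timedelta(days=1):
            reasons.append("commit date much later than author date (history rewritten)")
        if reasons:
            findings.append((c.sha, reasons))
    return findings


# Constructed sample of four commits; only the middle two should be reported.
SAMPLE_LOG = "\n".join([
    FIELD_SEP.join(["a1b2c3", "alice", "2026-01-05T09:00:00+01:00",
                    "alice", "2026-01-05T09:00:00+01:00", "Fix typo in README"]),
    FIELD_SEP.join(["d4e5f6", "alice", "2025-12-20T15:30:00+01:00",
                    "alice", "2026-01-07T22:41:10+01:00", "Add build step"]),
    FIELD_SEP.join(["0f1e2d", "bob", "2026-01-07T11:00:00+01:00",
                    "compromised-user", "2026-01-07T11:05:00+01:00", "Refactor helpers"]),
    FIELD_SEP.join(["9a8b7c", "carol", "2026-01-20T10:00:00+01:00",
                    "carol", "2026-01-20T10:00:00+01:00", "Bump version"]),
])

REVIEW_START = date(2026, 1, 1)
REVIEW_END = date(2026, 1, 14)
SUSPECTS = {"compromised-user"}  # placeholder name, not the real account


def run_sample() -> list:
    """Audit the constructed sample; used by the self-check below."""
    return audit(parse_log(SAMPLE_LOG), REVIEW_START, REVIEW_END, SUSPECTS)


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for sha, reasons in audit(parse_log(text), REVIEW_START, REVIEW_END, SUSPECTS):
        print(sha, "->", "; ".join(reasons))
```

The `--all` flag matters: the hidden attempts were on branches that belonged to no pull request, so a log of the default branch alone would not show them. A flagged commit is a prompt to read its diff, not a verdict; conversely, a clean-looking commit from a known contributor can still carry the inserted snippet if it came through a stolen token, which is why the advisory asks for the diffs themselves to be reviewed.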

You should check your GitHub account to see if any Personal Access 
Tokens (PATs) are there that you don't recognise. Go to Settings, 
scroll down to Developer Settings, and there check the Personal access 
tokens. Delete ones that you don't recognise.

In general it seems wise to check this regularly, and to do the same on
other (developer) sites that you may be using.

Today we have taken precautions on the GitHub plone org to prevent
force pushes to default and maintenance branches and to tags. These
precautions are active on all repositories. In many cases, individual
repositories already had such branch protection rules in place, but
not all of them.

Force pushing to feature branches (like for pull requests) is still
possible, as this is a normal way to keep a clean git history. If you
are reviewing a pull request, GitHub will show if a force push has
happened. You should check if this is expected or not.

In the collective GitHub organisation we have no way to set these 
rules globally. If you have an add-on there that you feel responsible 
for, you should check if such branch protection rules are in place. If 
not, please add them.
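For maintainers in the collective organisation, where the rules cannot be set centrally, here is an added example (not Plone's tooling) of checking a repository's default branch against the baseline described above and, if wanted, applying it. It uses GitHub's REST endpoints `GET` and `PUT /repos/{owner}/{repo}/branches/{branch}/protection`; the `evaluate_protection` function works on the JSON body of the `GET` call (or `None` for the 404 GitHub returns on an unprotected branch) and can be tried offline on the constructed sample payloads. The token is read from the `GITHUB_TOKEN` environment variable, which is an assumption of this script, and the owner/repo names in the usage comment are placeholders.

```python
"""Check a branch against the baseline: no force pushes, no deletion,
rules enforced for admins too. Added example, not Plone tooling.

Usage (placeholders):  GITHUB_TOKEN=... python3 branch_check.py collective some-addon main
"""
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

API = "https://api.github.com"


def evaluate_protection(protection: Optional[dict]) -> list:
    """Return the baseline controls that are missing from a GET response.

    A field that is absent is treated as unknown and reported, so the
    conservative answer wins when the payload is incomplete.
    """
    if protection is None:
        return ["branch has no protection rule at all"]
    missing = []
    if protection.get("allow_force_pushes", {}).get("enabled", True):
        missing.append("force pushes are allowed")
    if protection.get("allow_deletions", {}).get("enabled", True):
        missing.append("branch deletion is allowed")
    if not protection.get("enforce_admins", {}).get("enabled", False):
        missing.append("rules are not enforced for administrators")
    return missing


def baseline_body() -> dict:
    """PUT body applying the baseline. The four None/True fields are required
    by the endpoint; None leaves status checks, reviews and push
    restrictions unset, so carry existing ones over before applying."""
    return {
        "required_status_checks": None,
        "enforce_admins": True,
        "required_pull_request_reviews": None,
        "restrictions": None,
        "allow_force_pushes": False,
        "allow_deletions": False,
    }


def _request(method: str, url: str, token: str, body: Optional[dict] = None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_protection(owner: str, repo: str, branch: str, token: str) -> Optional[dict]:
    """GET the protection object, or None if GitHub says the branch is unprotected."""
    url = f"{API}/repos/{owner}/{repo}/branches/{branch}/protection"
    try:
        return _request("GET", url, token)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


# Constructed sample payloads in the shape of the GET response.
SAMPLE_WEAK = {
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
    "enforce_admins": {"enabled": False},
}
SAMPLE_GOOD = {
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "enforce_admins": {"enabled": True},
}


if __name__ == "__main__":
    owner, repo, branch = sys.argv[1:4]
    token = os.environ["GITHUB_TOKEN"]
    gaps = evaluate_protection(fetch_protection(owner, repo, branch, token))
    if not gaps:
        print(f"{owner}/{repo}@{branch}: baseline met")
    else:
        print(f"{owner}/{repo}@{branch}: " + "; ".join(gaps))
        if "--apply" in sys.argv:
            url = f"{API}/repos/{owner}/{repo}/branches/{branch}/protection"
            _request("PUT", url, token, baseline_body())
            print("baseline applied")
```

Run it read-only first; `--apply` replaces the whole protection object, which is why the body above should be merged with any required status checks or review rules the repository already has rather than sent as-is. The token used here needs repository administration rights, so it is exactly the kind of PAT the advisory says to keep short-lived and narrowly scoped.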


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================