GitHub says they found and patched a critical remote code execution bug in the git push pipeline in under two hours, and their investigation didn’t find any signs it was exploited.
“Patched in under two hours” reads like “we had a kill switch / containment lever” more than “we rewrote the world before the kettle boiled”, which is honestly what you want on something as spicy as git push.
The bit I’m squinting at is the “no exploitation” line. If the bug sits inside the push pipeline, your confidence is only as good as whatever telemetry lives outside it (runner/container exec, outbound network, odd child processes, that sort of thing). “We grepped logs for the payload and found nothing” is… fine, but it’s not the same as “we can rule it out”.
Did the blog post actually say what signals they correlated to get comfortable, or was it basically “we investigated and saw no evidence”? I’m genuinely not sure how you say that with a straight face unless you’ve got multiple independent trails.
“patched in under two hours” sounds like they had a kill switch already sitting there, because nobody is calmly redesigning a push pipeline that fast.
On the “no exploitation” bit, I’m only buying that if they can point to something more than logs. A count of matching pushes, plus independent signals like process exec, outbound traffic, or container lifetime, would actually move me. “We didn’t see anything obvious” is a much weaker sentence.
Did they say how they narrowed the affected set? That’s the part I’d want before I relax at all.
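The kind of independent-signal correlation the replies above are asking for (process exec, outbound egress, container lifetime checked per push job), as an added example that is not part of this thread or of GitHub's tooling; the event schemas, container ids, exe allowlist and lifetime threshold are constructed assumptions:

```python
# Added example (not GitHub's code): correlate push-pipeline jobs with telemetry that
# lives outside the pipeline. Event schemas, ids and the exe allowlist are constructed.
from collections import defaultdict

# Constructed: one record per push job, each handled by a short-lived worker container.
PUSH_JOBS = [
    {"job": "j1", "container": "c-100", "lifetime_s": 4},
    {"job": "j2", "container": "c-101", "lifetime_s": 900},
    {"job": "j3", "container": "c-102", "lifetime_s": 6},
]
# Constructed process-exec audit events from a host sensor, keyed by container.
EXEC_EVENTS = [
    {"container": "c-100", "exe": "/usr/bin/git"},
    {"container": "c-101", "exe": "/usr/bin/git"},
    {"container": "c-101", "exe": "/bin/sh"},
    {"container": "c-102", "exe": "/usr/bin/git"},
]
# Constructed egress flow records from the network layer (a push worker should have none).
EGRESS_EVENTS = [{"container": "c-101", "dst": "203.0.113.7:443"}]
ALLOWED_EXE = {"/usr/bin/git", "/usr/bin/git-receive-pack"}  # assumed normal child processes
MAX_LIFETIME_S = 120  # assumed upper bound for a healthy push worker

def triage(jobs, execs, egress, allowed=ALLOWED_EXE, max_lifetime=MAX_LIFETIME_S):
    """Return {job_id: [signal, ...]} built only from sources independent of the pipeline's own logs."""
    execs_by_ctr = defaultdict(set)
    for e in execs:
        execs_by_ctr[e["container"]].add(e["exe"])
    egress_by_ctr = defaultdict(list)
    for e in egress:
        egress_by_ctr[e["container"]].append(e["dst"])
    findings = {}
    for j in jobs:
        ctr, signals = j["container"], []
        unexpected = execs_by_ctr[ctr] - allowed
        if unexpected:
            signals.append("unexpected exec: " + ", ".join(sorted(unexpected)))
        if egress_by_ctr[ctr]:
            signals.append("outbound egress: " + ", ".join(egress_by_ctr[ctr]))
        if j["lifetime_s"] > max_lifetime:
            signals.append(f"long-lived worker: {j['lifetime_s']}s")
        findings[j["job"]] = signals
    return findings

def summarize(findings):
    """Count clean jobs vs. jobs with at least one independent trail worth pulling."""
    flagged = sorted(k for k, v in findings.items() if v)
    return {"total": len(findings), "flagged": len(flagged), "jobs": flagged}

if __name__ == "__main__":
    print(summarize(triage(PUSH_JOBS, EXEC_EVENTS, EGRESS_EVENTS)))
```

A job with no hits across all three independent sources is the kind of "we can rule it out" evidence the thread distinguishes from grepping the pipeline's own logs; a job with hits is where the investigation actually starts.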
“patched in under two hours” could just be them flipping the pipeline into a more hermetic incident mode, not a kill switch per se — like forcing pushes onto a known-good worker image, read-only FS, or a no-outbound-egress profile they already had sitting around.