JuliaHub notification spam?

I have two notifications on JuliaHub that don’t seem to relate to me at all. Both are from 7 Apr 2024. They look like this (SOME_USER and SOME_OTHER_USER are named something else in actuality):

‘SOME_USER+112’s project’ project’s permissions were updated; SOME_OTHER_USER@gmail.com got Editor access. Click here to review permissions.

‘SOME_USER+112’s project’ project’s permissions were updated; SOME_OTHER_USER@gmail.com got Reader access. Click here to review permissions.

Clicking on either notification leads to the project (SOME_USER+112’s project), which seems to be owned by SOME_USER+111.

I guess this is some kind of bug?

It happened again yesterday; I got a bunch of notifications that don’t seem to relate to me. Some of them seem to mention @carstenbauer. @mbauman would you be interested in a screenshot or something? This seems like it may be some kind of JuliaHub bug/information leak/hack?

These are notifications from a security bounty program and a JuliaHub security engineer. It’s something we’re actively tracking and working on — and hope to improve!
