About an hour ago, we noticed a compromise of the Julia CI infrastructure and were shortly thereafter contacted by a security researcher with further details. We have temporarily halted all CI services on JuliaLang and JuliaPackaging while we remediate this incident. At this time, we have no evidence of any malicious activity; however, our review of relevant logs is still in progress. Unfortunately, recovery may take some time. We will keep you posted. Our apologies for the interruption.
We have partially restored CI services for Julia base. Yggdrasil CI services remain offline and will probably continue to be offline through tomorrow evening.
Hi, is there going to be a write-up on this? I think there is a genuine interest in how this occurred and how it got solved. AI brings a lot of malicious power, which creeps up everywhere and fuels supply chain attacks. So having insight might help in designing better Julia-targeted risk controls.
We can certainly share more details. It may take a bit of time for us to properly write things up; presently our efforts are focused on restoring CI services.
Hi,
It’s been more than a week since the original announcement. Are you going to share more details soon? What is the impact of the compromise? Can I trust Julia binaries from the official website? What about binary/JLL packages?
We’re still working on this and will share more details upon completion. Automatic publication of nightly binaries is still paused (though we manually pushed a few in the past week). As stated in the original post, there is no indication of malicious activity.
Nightly binaries should start appearing automatically again for master. Release and PR binaries will need another couple days.