Plone Security Advisory 20260116
Attempted code insertions into GitHub pull requests


It has come to our attention that around the end of last week (January 9th), a GitHub member account tried to sneak malicious code into our code base through several pull requests within the Plone organisation. So far we have found three instances where this happened, each of which was spotted before a merge could take place:

The Security and Admin Teams took action, removed the malicious account from the Plone GitHub organisation and reached out to the account owner. From what we learned later, the account was compromised using a stolen personal access token. The account owner did not act with malicious intent and was not aware of the situation.

It is possible, and likely, that the attacker inserted the malicious code snippet into further PRs as well. We therefore advise all maintainers of packages within the plone, zopefoundation or collective GitHub organisations to check the PRs on those repositories (both open and merged) even more carefully than usual for abnormal code or changes over the last two weeks, January 1st to January 14th.
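The review asked for above (open and merged PRs across three organisations within a fixed window) is easier with a filter over exported PR records. The following is an added example, not code from the advisory or from any Plone project. It assumes records in the shape that `gh search prs --owner <org> --json ...` exports (the field names `author.login`, `createdAt`, `updatedAt`, `state`, `url` and `repository.nameWithOwner` are an assumption to verify against your gh version), and the sample records and logins embedded in it are constructed placeholders.

```python
"""Filter pull-request records down to the advisory's review window.

Added example, not part of the Plone advisory. Records are expected in the
shape `gh search prs --owner <org> --json ...` exports (field names assumed,
see the lead-in). PRs by the suspect logins are listed first; a PR qualifies
if it was created in the window or had activity (updatedAt) in the window,
which also catches PRs opened earlier and merged during the window.
"""
from __future__ import annotations

import json
import sys
from datetime import datetime, timezone

# Review window from the advisory: January 1 through January 14, 2026.
WINDOW_START = datetime(2026, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 1, 15, tzinfo=timezone.utc)  # exclusive upper bound

# The three organisations named in the advisory.
ORGS = ("plone", "zopefoundation", "collective")

# Constructed sample records; the logins are placeholders, not real accounts.
SAMPLE_RECORDS = [
    {"url": "https://github.com/plone/plone.api/pull/1", "state": "open",
     "author": {"login": "compromised-account-placeholder"},
     "createdAt": "2026-01-09T14:23:00Z", "updatedAt": "2026-01-09T14:23:00Z",
     "repository": {"nameWithOwner": "plone/plone.api"}},
    {"url": "https://github.com/plone/Products.CMFPlone/pull/2", "state": "closed",
     "author": {"login": "regular-maintainer"},
     "createdAt": "2025-12-20T08:00:00Z", "updatedAt": "2026-01-10T10:05:00Z",
     "repository": {"nameWithOwner": "plone/Products.CMFPlone"}},
    {"url": "https://github.com/collective/collective.example/pull/3", "state": "closed",
     "author": {"login": "regular-maintainer"},
     "createdAt": "2025-12-01T08:00:00Z", "updatedAt": "2025-12-15T09:00:00Z",
     "repository": {"nameWithOwner": "collective/collective.example"}},
    {"url": "https://github.com/zopefoundation/Zope/pull/4", "state": "open",
     "author": {"login": "compromised-account-placeholder"},
     "createdAt": "2026-01-14T23:00:00Z", "updatedAt": "2026-01-14T23:00:00Z",
     "repository": {"nameWithOwner": "zopefoundation/Zope"}},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps GitHub emits, e.g. 2026-01-09T14:23:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def in_window(ts: datetime, start: datetime = WINDOW_START, end: datetime = WINDOW_END) -> bool:
    """True if ts lies in [start, end)."""
    return start <= ts < end


def audit_prs(records, suspect_logins=frozenset(), orgs=ORGS,
              start=WINDOW_START, end=WINDOW_END):
    """Return the PRs a maintainer should look at, suspect authors first.

    Each finding records the repository, author, state and the reason(s) it
    qualified, so the output can be handed to the maintainers of each repo.
    """
    findings = []
    for rec in records:
        repo = rec["repository"]["nameWithOwner"]
        if repo.split("/")[0].lower() not in orgs:
            continue
        reasons = []
        if in_window(parse_ts(rec["createdAt"]), start, end):
            reasons.append("created in window")
        if in_window(parse_ts(rec["updatedAt"]), start, end):
            reasons.append("updated in window")
        if not reasons:
            continue
        login = rec["author"]["login"]
        findings.append({
            "url": rec["url"], "repository": repo, "author": login,
            "state": rec["state"], "suspect": login in suspect_logins,
            "reasons": reasons,
        })
    # Suspect authors first, then a stable order by repository and URL.
    findings.sort(key=lambda f: (not f["suspect"], f["repository"], f["url"]))
    return findings


def report(findings) -> str:
    """Render findings as one line per PR for a review checklist."""
    lines = []
    for f in findings:
        flag = "SUSPECT " if f["suspect"] else ""
        lines.append(f"{flag}{f['repository']} {f['state']:6} {f['author']:32} "
                     f"{', '.join(f['reasons'])}  {f['url']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python audit_prs.py [records.json] [suspect-login ...]
    # Without arguments the constructed sample records are used.
    recs = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RECORDS
    suspects = frozenset(sys.argv[2:]) or {"compromised-account-placeholder"}
    print(report(audit_prs(recs, suspects)))
```

The window's upper bound is exclusive so that a PR opened late on January 14th still qualifies, and filtering on `updatedAt` as well as `createdAt` is what surfaces the merged PRs the advisory asks maintainers to re-check.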

As general advice, please enable two-factor authentication (2FA) for your GitHub account and keep any personal access tokens (PATs) as safe, secure, time-limited, AND narrowly scoped in access permissions as possible.

(Note, however, that a PAT can be compromised and used without any further account access, because 2FA guards interactive login rather than token use. This is the trade-off of PATs: they are convenient, but a single secret grants access.)