
Supply-Chain Attack via Force Pushes on Plone GitHub Repositories (Campaign)

ID: 913a8d73-6859-551f-9570-57d99dd70a77

STIX ID: report--913a8d73-6859-551f-9570-57d99dd70a77

Feed Name: Wiz Cloud Threat Landscape

Threat Score
75/100

Date Published: 2026-01-31

Date Updated: 2026-05-01

Author: [email protected] (Wiz Threat Research)

...
...

In January 2026 the Plone security team disclosed a supply-chain incident in which an attacker with access to a dormant contributor account used force-pushes to rewrite repository history and insert obfuscated malicious JavaScript into multiple repositories, mainly in build-related files aimed at developers. Most of the changes were detected and reverted, but at least one malicious commit reached a protected branch. The incident underscores the risk from stale permissions, force-push allowances on branches, and insufficient repository monitoring.
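The two controls the summary names, repository monitoring and force-push allowance, can be checked mechanically. The following is an added example and is not Plone's or Wiz's code. It treats a push as a history rewrite when the old head (`before`) is no longer reachable from the new head (`after`), the same test `git merge-base --is-ancestor` performs, cross-checks that against the `forced` flag, flags pushers whose last recorded activity is older than a threshold, and audits a branch-protection record for force-push and deletion allowances. Event fields follow the shape of GitHub's push webhook payload (`ref`, `before`, `after`, `forced`, `pusher`) and the protection dict follows the shape of GitHub's branch-protection API response (`allow_force_pushes`, `allow_deletions`, `enforce_admins`); the commit graph, account inventory, events and threshold are constructed sample data, not data from the incident.

```python
"""Detect history-rewriting pushes, dormant pushers and weak branch protection.

Added example, not Plone or Wiz code. Event and protection dicts mirror the
shape of GitHub's push webhook payload and branch-protection API response;
all commits, accounts and events below are constructed sample data.
"""
from datetime import date

NULL_SHA = "0" * 40  # GitHub's `before`/`after` value for branch creation/deletion

# Constructed commit graph: sha -> parent shas. Real SHAs would be 40 hex chars.
COMMITS = {
    "a1": [],
    "b2": ["a1"],
    "c3": ["b2"],   # legitimate head of main before the push
    "d4": ["c3"],   # ordinary fast-forward commit on top of c3
    "x9": ["b2"],   # commit based on b2: a push to x9 drops c3 from history
}


def is_ancestor(graph, candidate, head):
    """True if `candidate` is reachable from `head` through parent links."""
    stack, seen = [head], set()
    while stack:
        sha = stack.pop()
        if sha == candidate:
            return True
        if sha in seen or sha not in graph:
            continue
        seen.add(sha)
        stack.extend(graph[sha])
    return False


def classify_push(event, graph, protected_refs, accounts, today, stale_days=180):
    """Return finding strings for one push event; an empty list means nothing suspicious."""
    findings = []
    ref, before, after = event["ref"], event["before"], event["after"]
    pusher = event["pusher"]["name"]

    if after == NULL_SHA:
        rewrite = "branch deletion"
    elif before == NULL_SHA or is_ancestor(graph, before, after):
        rewrite = None  # branch creation or fast-forward: old history is preserved
    else:
        rewrite = "non-fast-forward update"  # old head unreachable: history rewritten

    if rewrite:
        findings.append(f"{rewrite} of {ref} by {pusher}")
        if ref in protected_refs:
            findings.append(f"{ref} is protected: this push should have been rejected")
        if rewrite == "non-fast-forward update" and not event.get("forced"):
            findings.append("ancestry says rewrite but forced flag is unset: verify event source")

    last_active = accounts.get(pusher)  # constructed inventory of last activity per account
    if last_active is None:
        findings.append(f"pusher {pusher} not in account inventory")
    elif (today - last_active).days > stale_days:
        findings.append(f"pusher {pusher} dormant for {(today - last_active).days} days")
    return findings


def protection_findings(branch, protection):
    """Flag weak settings in a dict shaped like GitHub's branch-protection response."""
    if protection is None:
        return [f"{branch}: no branch protection configured"]
    out = []
    if protection.get("allow_force_pushes", {}).get("enabled"):
        out.append(f"{branch}: allow_force_pushes enabled")
    if protection.get("allow_deletions", {}).get("enabled"):
        out.append(f"{branch}: allow_deletions enabled")
    if not protection.get("enforce_admins", {}).get("enabled"):
        out.append(f"{branch}: enforce_admins disabled, admins can bypass the rules")
    return out


# Constructed sample data for a stand-alone run.
TODAY = date(2026, 1, 31)
ACCOUNTS = {"maintainer": date(2026, 1, 30), "old-contributor": date(2024, 6, 1)}
PROTECTED = {"refs/heads/main"}
EVENTS = [
    {"ref": "refs/heads/main", "before": "c3", "after": "d4", "forced": False,
     "pusher": {"name": "maintainer"}},
    {"ref": "refs/heads/main", "before": "c3", "after": "x9", "forced": True,
     "pusher": {"name": "old-contributor"}},
]
PROTECTION = {"allow_force_pushes": {"enabled": True},
              "allow_deletions": {"enabled": False},
              "enforce_admins": {"enabled": True}}


def scan(events=EVENTS, graph=COMMITS, protected=PROTECTED, accounts=ACCOUNTS, today=TODAY):
    """Classify every event; returns one finding list per event, in order."""
    return [classify_push(e, graph, protected, accounts, today) for e in events]


if __name__ == "__main__":
    for event, findings in zip(EVENTS, scan()):
        print(event["before"], "->", event["after"], findings or "ok")
    print(protection_findings("main", PROTECTION))
```

The ancestry test is the part worth keeping: it does not depend on the platform reporting the push as forced, so it also works on self-hosted git servers from `before`/`after` pairs in their own logs. In practice the commit graph would come from `git rev-list --parents` on a mirror, and the dormancy threshold from the organisation's own offboarding policy.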
