Code Room
On-call | Hard | oc-g144
Subject: Account takeover | Level: Senior–Staff | ~45 min | Common in Security interviews | Industries: Technology, Software development

Question

Your GitHub org alerts that a third-party CI app's OAuth token was used to clone 30 private repos from IPs in two countries overnight, and one repo's main branch got a force-push adding an obfuscated post-install script to a published npm package. The third-party CI vendor disclosed a breach of their token store yesterday. Several of your customers consume that npm package. The malicious version was published to the registry 6 hours ago and has ~200 downloads. How do you triage, contain, and remediate this supply-chain account-takeover?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
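As an added illustration, not part of the original question or the coach guidance, here is the kind of scoping helper a responder would write in the first minutes: it parses constructed audit-log lines to establish what the suspected stolen OAuth identity cloned, from where, and what it force-pushed, and it diffs the suspect package.json against the last known-good manifest for install-time scripts. The JSON field names, actor name, repos and IPs are all assumptions, modelled loosely on a GitHub org audit-log export.

```python
import json
from collections import Counter

# Constructed sample audit-log lines (JSON Lines). Field names are an assumption
# modelled loosely on a GitHub org audit-log export; this is not a real export.
AUDIT_JSONL = """\
{"action":"git.clone","actor":"ci-vendor-app[bot]","repo":"acme/api","actor_ip":"203.0.113.7","country":"NL"}
{"action":"git.clone","actor":"ci-vendor-app[bot]","repo":"acme/billing","actor_ip":"203.0.113.7","country":"NL"}
{"action":"git.clone","actor":"ci-vendor-app[bot]","repo":"acme/widget-js","actor_ip":"198.51.100.9","country":"BR"}
{"action":"git.clone","actor":"dev-alice","repo":"acme/api","actor_ip":"192.0.2.5","country":"US"}
{"action":"git.push","actor":"ci-vendor-app[bot]","repo":"acme/widget-js","ref":"refs/heads/main","force":true,"actor_ip":"198.51.100.9","country":"BR"}
"""

def triage_actor(jsonl, actor):
    """Scope what one (suspected stolen) OAuth identity did: which repos it
    cloned, from which IPs/countries, and whether it force-pushed any branch."""
    repos, ips, countries, force_pushes = set(), Counter(), set(), []
    for line in jsonl.splitlines():
        ev = json.loads(line)
        if ev.get("actor") != actor:
            continue
        if ev["action"] == "git.clone":
            repos.add(ev["repo"]); ips[ev["actor_ip"]] += 1; countries.add(ev["country"])
        elif ev["action"] == "git.push" and ev.get("force"):
            force_pushes.append((ev["repo"], ev["ref"]))
    return {"cloned_repos": sorted(repos), "clone_ips": dict(ips),
            "countries": sorted(countries), "force_pushes": force_pushes}

# npm lifecycle hooks that run automatically when a consumer installs the package
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def new_install_scripts(known_good, suspect):
    """Diff two package.json manifests and return install-time scripts that were
    added or changed in the suspect version (the scenario's post-install hook)."""
    good, bad = known_good.get("scripts", {}), suspect.get("scripts", {})
    return {k: v for k, v in bad.items() if k in INSTALL_HOOKS and good.get(k) != v}

if __name__ == "__main__":
    print(triage_actor(AUDIT_JSONL, "ci-vendor-app[bot]"))
    good = {"name": "@acme/widget-js", "version": "2.3.1", "scripts": {"build": "tsc", "test": "jest"}}
    bad = {"name": "@acme/widget-js", "version": "2.3.2",  # constructed suspect manifest
           "scripts": {"build": "tsc", "test": "jest", "postinstall": "node ./.cache/x.js"}}
    print(new_install_scripts(good, bad))
```

The clone list and force-push output feed containment directly: the cloned repos are the scope for secret rotation, and each force-pushed ref is a branch whose history must be restored from a trusted copy before the package is republished.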
