This isn't the source of it. I came across this on Twitter last night and traced it back a bit to try to share "the original" with my colleagues. The earliest I found was https://x.com/cloud11665/status/1799136093071163396 which I think is slightly earlier than the second commit on this repo.

I don't think you can really trust commit history to deduce this:

- the history can be rewritten, with push --force. The author might have iterated by force pushing one commit

- The author could have discovered it by change in a private repository, or another repository that they deleted

Honestly, I doubt the author is playing the “deep game” of looking like they’re just messing around while secretly being a secret agent and (for some fathomless reason) making it look like it with an artificial git history.

So in general, yes, but in this case, I doubt it. I’m pretty sure this git history is a real and true log of them dicking about trying to get the exploit they saw on twitter working.

…but, I guess, you could be right. /shrug

I do occasionally force push myself, mostly for making my history look clean, not really secretly hiding stuff.

And if I had to tweak / study a GitHub exploit, I would definitely force push to try stuff without leaving a trail for meaningless commits.

It actually didn't occur to me that the author would do this for messing around, but it could be indeed. :-)

that was the first iteration of CSS injection that was working, that github then patched. The new one is the new iteration that still works

it was found by a bunch of anime-pfps on twitter and went "viral"

> it was found by a bunch of anime-pfps on twitter

I think you mean “infosec professional”

What does one's pfp matter, if what they found holds water?

In this case it adds to their credentials

What’s a pfp?

Profile picture