Pwning the Entire Nix Ecosystem
Sep 11, 2025 - 5 min read - nixpkgs, nix, github-actions, vulnerability

last year at nixcon, me and my friend lexi gave a lightning talk about how we found a vulnerability in nixpkgs that would have allowed us to pwn pretty much the entire nix ecosystem and inject malicious code into nixpkgs. it only took us about a day from starting our search to reporting it and getting it fixed. since i unfortunately was too sick to attend this year's nixcon, i thought it might be a good time to write up what we fo...
Read more at ptrpa.ws