Initially reported at https://github.com/stripe/veneur/issues/1058. Since that report, the repository’s sidebar has been updated to no longer link to the uncontrolled domain. Many of the 179 forks of this repository still contain the link to the uncontrolled domain.
https://veneur.org, which contained those instructions.

The https://veneur.org domain appears to be no longer under Stripe’s control.

https://veneur.org, either because you are the current owner or you purchase the domain.

Because the https://veneur.org website is linked to by an official, Stripe-controlled repository, there is a much greater likelihood that the attack will succeed than if it had to operate on a different domain.

https://veneur.org link in the sidebar. Since I initially reported this issue in the GitHub repository, at https://github.com/stripe/veneur/issues/1058, the sidebar has been edited to no longer link to https://veneur.org. Many of the 179 forks of this repository still contain the link to the uncontrolled domain.
Initial report with images:
The link in the sidebar:
The contents of the website currently:
An attacker can easily impersonate Stripe, taking advantage of the fact that this website is linked to by an official Stripe-owned web page. They can use this as the beginning of a phishing or a supply-chain contamination attack targeting Stripe’s customers.
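The defensive counterpart to this report is a routine audit of the external links that official repositories point users at: every domain referenced from a README, sidebar or install guide should either be on the list of domains the organisation actually holds at its registrar, or be a knowingly trusted third party. The script below is an added example, not code from the report or from the veneur project. It extracts http(s) URLs from documentation text, groups them by registrable domain, and classifies each domain as owned, trusted, unresolved (lapsed) or external (live but not ours, which is the situation described above). The sample README, the allowlists and the resolver stand-in are constructed for the example; the real resolver defaults to `socket.getaddrinfo`.

```python
"""Audit documentation links for domains the project does not control.

Added example (not part of the original report). The resolver is injectable so
the audit can run offline; in production the default (socket.getaddrinfo) is used.
"""
import re
import socket
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s)<>"']+""")


def extract_urls(text: str) -> List[str]:
    """Return every http(s) URL in the text, stripping trailing punctuation."""
    return [u.rstrip(".,;:") for u in URL_RE.findall(text)]


def registrable_domain(host: str) -> str:
    """Last-two-labels heuristic; fine for .org/.com, not a Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def default_resolves(host: str) -> bool:
    """True if the host currently resolves in DNS (lapsed domains usually do not)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def audit_links(
    text: str,
    owned: Iterable[str],
    trusted: Iterable[str],
    resolves: Callable[[str], bool] = default_resolves,
) -> Dict[str, Dict[str, List[str]]]:
    """Classify every linked domain.

    owned      - domains the organisation holds at its registrar (no further check)
    trusted    - third parties the project knowingly links to (e.g. its code host)
    unresolved - neither of the above and does not resolve: likely lapsed
    external   - neither of the above but live: the docs send users to a site
                 somebody else controls, which is the case described in the report
    """
    owned_set = {d.lower() for d in owned}
    trusted_set = {d.lower() for d in trusted}
    by_domain: Dict[str, List[str]] = {}
    for url in extract_urls(text):
        host = urlparse(url).hostname
        if host:
            by_domain.setdefault(registrable_domain(host), []).append(url)

    report: Dict[str, Dict[str, List[str]]] = {
        "owned": {}, "trusted": {}, "unresolved": {}, "external": {}
    }
    for dom in sorted(by_domain):
        if dom in owned_set:
            report["owned"][dom] = by_domain[dom]
        elif dom in trusted_set:
            report["trusted"][dom] = by_domain[dom]
        elif not resolves(dom):
            report["unresolved"][dom] = by_domain[dom]
        else:
            report["external"][dom] = by_domain[dom]
    return report


# Constructed sample README for the example (not the project's real README).
SAMPLE_README = """# veneur
Install instructions are at https://veneur.org/install.
Source: https://github.com/stripe/veneur. Issue tracker: https://github.com/stripe/veneur/issues/1058
Docs mirror: https://docs.example.net/veneur
"""

# Constructed allowlists: assume stripe.com is registrar-owned and github.com is a trusted host.
OWNED = {"stripe.com"}
TRUSTED = {"github.com"}


def fake_resolves(host: str) -> bool:
    """Offline stand-in: pretend example.net has lapsed and everything else is live."""
    return host != "example.net"


if __name__ == "__main__":
    for category, domains in audit_links(SAMPLE_README, OWNED, TRUSTED, fake_resolves).items():
        for dom, urls in domains.items():
            print(f"{category:10} {dom:20} {', '.join(urls)}")
```

Run against the real README with the default resolver, anything under `external` is a domain the documentation vouches for but the organisation does not hold, and `unresolved` is the list to register before someone else does. Running the same audit across forks (via the code host's API) is what would surface the 179 stale copies mentioned above.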