In January 2026, the Plone security team disclosed a security incident affecting the Plone GitHub organization, in which an attacker used force pushes to insert malicious JavaScript code into multiple repositories. The activity was traced back to a compromised contributor account that still retained write access despite long-term inactivity. The attacker leveraged force pushes to quietly overwrite commit history, making the malicious changes harder to detect through standard review processes.
The malicious code was deliberately obfuscated and hidden in build-related JavaScript files, targeting developers rather than end users. While most of the unauthorized changes were identified and reverted before widespread impact, at least one malicious commit reached a protected branch. The incident highlights the risks of stale contributor permissions, force-push allowances, and insufficient monitoring of repository events, reinforcing the importance of organization-wide branch protection and access hygiene in open-source projects.
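The monitoring gap the summary points to (force pushes to protected branches, activity from long-dormant accounts) can be checked mechanically. The following is an added example, not code from the Plone project or its advisory: it scans GitHub push webhook payloads for the `forced` flag and cross-checks the sender against a last-activity table. The event payloads, the activity table, the branch list and the 180-day threshold are all constructed for illustration.

```python
from datetime import date

# Constructed sample GitHub push webhook payloads (not real Plone events).
# A real push event carries "ref", "forced", "sender", "before" and "after".
SAMPLE_EVENTS = [
    {"repository": {"full_name": "example-org/repo-a"}, "ref": "refs/heads/main",
     "forced": True, "sender": {"login": "dormant-dev"},
     "before": "a" * 40, "after": "b" * 40},
    {"repository": {"full_name": "example-org/repo-b"}, "ref": "refs/heads/feature-x",
     "forced": False, "sender": {"login": "active-dev"},
     "before": "c" * 40, "after": "d" * 40},
    {"repository": {"full_name": "example-org/repo-c"}, "ref": "refs/heads/main",
     "forced": True, "sender": {"login": "active-dev"},
     "before": "e" * 40, "after": "f" * 40},
]

# Constructed last-activity table; in practice derive it from the org audit log.
LAST_ACTIVITY = {"dormant-dev": date(2023, 2, 1), "active-dev": date(2026, 1, 10)}
PROTECTED_BRANCHES = {"refs/heads/main", "refs/heads/master"}
STALE_DAYS = 180  # assumed threshold for "long-term inactivity"


def is_stale(login, today):
    """An account with no recorded activity, or none within STALE_DAYS, is stale."""
    last = LAST_ACTIVITY.get(login)
    return last is None or (today - last).days > STALE_DAYS


def find_suspicious_pushes(events, today, protected=PROTECTED_BRANCHES):
    """Return one finding per push that is forced, hits a protected branch,
    or comes from a stale account. The 'before' SHA is kept because a force
    push orphans that history, and it is what responders need to restore."""
    findings = []
    for ev in events:
        reasons = []
        if ev.get("forced"):
            reasons.append("force-push")
            if ev["ref"] in protected:
                reasons.append("protected-branch")
        if is_stale(ev["sender"]["login"], today):
            reasons.append("stale-account")
        if reasons:
            findings.append({"repo": ev["repository"]["full_name"], "ref": ev["ref"],
                             "sender": ev["sender"]["login"], "before": ev["before"],
                             "after": ev["after"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_pushes(SAMPLE_EVENTS, date(2026, 1, 15)):
        print(f)
```

Feeding the same check with organization-level audit log entries instead of webhooks gives the same triage, and the stale-account branch doubles as a list of accounts whose write access should be reviewed.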