New workers.dev? New Subdomain? Audit Logs

I just checked my account audit logs and found a bunch of entries within the past hour that I didn’t do (knowingly).

  • Registered zoneless subdomain
  • Created workers.dev account named after my email
  • Created “Account”, which looks like DNS changes for workers.dev “acme-challenge”
  • Several “Create” and “Delete” account for zone name ***.workers.dev
  • Ordered “certificate packs” for ***.workers.dev

I don’t have any workers deployed, it’s a free account, I’m the only user. I turned on bot-fight mode today, could that have triggered this?

I also changed my password just in case and logged out, which is shown in the logs, but the activity continued.

  • New certificates from Sectigo for the ***.workers.dev zone.
  • DNS updates for workers.dev zone, something to do with _acme-challenge.***.workers.dev

What’s happening?

Seems I got a workers.dev account. Before I turned on botfight mode I had also checked the workers tab and clicked create worker. I just wanted to see the initial setting options and read about them, like you can in the various rules sections, but I did not submit or build anything.

Since I didn’t have a workers.dev account already it seems this was enough to get one created for me? I can’t figure out how else it happened, I didn’t do anything I haven’t done before, except that.

Hope that helps someone else who sees the same.

I’m seeing this too and posted a similar question, but not as descriptive. No idea what it is about, but I haven’t seen it before.

Does the site speed test create these?

Hey, I found more! Same myname.worker.dev, DNS updates, _acme challenge thing…

But also look if you are using HTTPS DNS lookups in your browser and have it set to strict, then check exceptions. My Firefox install had an exception added to not do secure DNS lookups for the myname.worker.dev.

Cloudflare, if anyone can look at what the worker was doing or help explain it? Maybe it’s a feature? But as I see in logs that the changes supposedly came from me (user) and recorded 2 different IP addresses (and in those same logs above and below that are changes from me that I recognize and show the same IP over the last couple of weeks), I’m going to use that as grounds to worry about a malicious worker doing…

What could it be doing? Bypass SSL? Man in the middle? Serve files?