15,000 Go Module Repositories on GitHub Vulnerable to Repojacking Attack

New research has found that over 15,000 Go module repositories on GitHub are vulnerable to an attack called repojacking. “More than 9,000 repositories are vulnerable to repojacking due to GitHub username changes,” Jacob Baines, chief technology officer at VulnCheck, said in a report shared with The Hacker News. “More than 6,000 repositories were vulnerable to […]

GitHub Repositories Hit by Password-Stealing Commits Disguised as Dependabot Contributions

A new deceptive campaign has been observed hijacking GitHub accounts and committing malicious code disguised as Dependabot contributions, with the aim of stealing passwords from developers. “The malicious code exfiltrates the GitHub project’s defined secrets to a malicious C2 server and modifies any existing JavaScript files in the attacked project with a web-form password-stealer malware […]

Critical GitHub Vulnerability Exposes 4,000+ Repositories to Repojacking Attack

A new vulnerability disclosed in GitHub could have put thousands of repositories at risk of repojacking attacks, new findings show. The flaw “could allow an attacker to exploit a race condition within GitHub’s repository creation and username renaming operations,” Checkmarx security researcher Elad Rapoport said in a technical report shared with The Hacker News. “Successful […]

GitHub Breach – Hackers Stole Code Signing Certificates From Repositories

GitHub announced that it suffered a security breach in which unauthorized individuals obtained access to specific development and release planning repositories and stole encrypted code-signing certificates for the Desktop and Atom applications. Hence, to avoid any potential misunderstanding, the company decided to revoke the exposed certificates. There […]

GitHub hacked again, GitHub Desktop and Atom repositories certificates stolen

GitHub discovered unauthorized access to a collection of repositories on December 7, 2022. These repositories were used in the design and development of Atom and GitHub Desktop. A Personal Access Token (PAT) associated with a machine account was compromised, which led to the cloning of the repositories belonging to our Atom and Desktop […]

Slack hacked, confidential code repositories breached

On December 31st, Slack informed users about the issue. Slack said that it became aware of the suspicious activity on December 29; it is therefore likely that the company wanted to alert customers about the situation as quickly as possible. According to the findings of the investigation, the perpetrators of the breach accessed confidential […]

Hackers Breach Okta’s GitHub Repositories, Steal Source Code

Okta, a company that provides identity and access management services, disclosed on Wednesday that some of its source code repositories were accessed in an unauthorized manner earlier this month. “There is no impact to any customers, including any HIPAA, FedRAMP, or DoD customers,” the company said in a public statement. “No action is required by […]

Malware Strains Targeting Python and JavaScript Developers Through Official Repositories

An active malware campaign is targeting the Python Package Index (PyPI) and npm repositories for Python and JavaScript with typosquatted and fake modules that deploy a ransomware strain, marking the latest security issue to affect software supply chains. The typosquatted Python packages all impersonate the popular requests library: dequests, fequests, gequests, rdquests, reauests, reduests, reeuests, […]

GitHub Repojacking Bug Could’ve Allowed Attackers to Take Over Other Users’ Repositories

Cloud-based repository hosting service GitHub has addressed a high-severity security flaw that could have been exploited to create malicious repositories and mount supply chain attacks. The RepoJacking technique, disclosed by Checkmarx, entails a bypass of a protection mechanism called popular repository namespace retirement, which aims to prevent developers from pulling unsafe repositories with the same […]

GitHub was hacked. Source code leaked from several repositories

In its latest security report, GitHub confirmed that a group of threat actors is using OAuth tokens stolen from legitimate users to download information from private repositories. The campaign was detected a week ago and dozens of compromised repositories have already been seen, all of which were using OAuth applications maintained by Heroku and Travis-CI. Mike Hanley, GitHub’s […]

6 official Python repositories plagued with cryptomining malware

Researchers at security firm Sonatype have uncovered six malicious typosquatting packages in the official Python programming language’s PyPI repository, laced with cryptomining malware. Sonatype provides software supply chain automation services. The six packages were downloaded more than 5,000 times. Sonatype security researchers wrote in their report that: “Our analysis tools are consistently catching and blocking counterfeit and […]

[Black Hat Europe tool] DumpTheGit: find sensitive information uploaded to GitHub repositories

DumpTheGit searches through public repositories to find sensitive information uploaded to GitHub. The tool flags matches for potentially sensitive files such as credentials, secret keys, tokens, etc., which have been accidentally uploaded by developers. DumpTheGit only requires your GitHub Access Token to fetch the information. INSTALL Download the DumpTheGit repository into […]

Top 100 Most Valuable GitHub Repositories

GitHub undoubtedly has the most popular repositories in the coding world. It isn’t just a code hosting service which offers version control — it also serves a huge network of developers across the world. Currently, GitHub hosts over 30 million accounts, 2+ million organizations, and more than 96 million repositories, among which exist some of […]

Hackers steal source code from hundreds of GitHub repositories and demand ransom

According to cyber forensics course specialists, GitHub, the open source software development platform, has been the target of a campaign of aggressive cyberattacks. During the attacks, the threat actors removed code repositories and demanded a ransom from the developers in exchange for restoring the deleted code. The first reports indicate that the attack occurred during […]

How to Fix and Update Kali Linux Repositories

The single most common cause of a broken Kali Linux installation is following unofficial advice, in particular arbitrarily populating the system’s sources.list file with unofficial repositories. The following post aims to clarify which repositories should exist in sources.list, and when they should be used. Kali Repository. It’s not just Kali Linux: a Linux repository is a storage location […]

10 Best Kodi Repositories For 2019 To Download Popular Addons

With online streaming becoming popular by the day, there has been a rise in the portals and apps that allow you to stream content in a hassle-free manner. Now, to watch the content from different sources, you would need a centralized media player and this is where Kodi comes into the picture. Kodi has been […]

GitHub Free Users Will Now Get Unlimited Private Repositories

Microsoft has announced unlimited private repositories for all free members on GitHub. Previously, GitHub offered free accounts, but the code had to be public. Those who wanted a private repository had to pay for it. Now the code hosting site has lifted the limitation by allowing unlimited private projects with up to three collaborators. […]

Malicious software packages at Linux repositories

Another sign that user-controlled software repositories should not be fully trusted. One of the most popular Linux distros, Arch Linux, has removed three user-controlled repository packages after it was discovered that they were hosting malicious code, as reported by experts in secure data destruction from the International Institute of Cyber Security. Arch Linux is […]

Gentoo Linux on Github hacked; repositories modified

Another day, another data breach – this time, it is the Linux distribution Gentoo whose GitHub mirror was compromised and whose repository contents were modified by unknown hackers. According to the official statement by the organization, the attack took place on June 28th at 20:20 UTC. The exact extent of the attack is still unknown; however […]