Similar to a recently reported issue in GitHub, users can abuse the “comments” feature in GitLab to upload malware to any repository without the repository owner’s knowledge.
A GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with Microsoft repositories, making the files appear trustworthy.
Malicious software packages are found on public software repositories such as GitHub, PyPI and the npm registry seemingly every day. Attackers use a number of tricks to fool developers or systems into downloading them, or they simply compromise the package developer’s account and update the package with malware. Consequently, the security capabilities of public software […]
GitHub push protection – a security feature aimed at preventing secrets such as API keys or tokens getting accidentally leaked online – is being switched on by default for all public repositories. “This means that when a supported secret is detected in any push to a public repository, you will have the option to remove […]
Jan 11, 2024NewsroomCybersecurity / Software Security The ubiquity of GitHub in information technology (IT) environments has made it a lucrative choice for threat actors to host and deliver malicious payloads and act as dead drop resolvers, command-and-control, and data exfiltration points. “Using GitHub services for malicious infrastructure allows adversaries to blend in with legitimate network […]
The scam involved the developer downloading npm packages from a GitHub repository, which potentially allowed the attackers to gain access to his machine and drain his wallet.
GitHub is warning users that they must enable 2FA on their accounts or face limited functionality on the site. This requirement applies to users contributing code on GitHub and is aimed at protecting accounts from breaches and code alterations.
Sep 28, 2023THNSupply Chain / Malware A new malicious campaign has been observed hijacking GitHub accounts and committing malicious code disguised as Dependabot contributions with an aim to steal passwords from developers. “The malicious code exfiltrates the GitHub project’s defined secrets to a malicious C2 server and modify any existing javascript files in the attacked […]
The adoption of passkeys by GitHub, Microsoft, and Google, among other technology giants, demonstrates a growing trend toward using passkeys for secure authentication across platforms.
- 1
- 2