Security News > 2023 > September > GitHub repos bombarded by info-stealing commits masked as Dependabot
Hackers are breaching GitHub accounts and inserting malicious code disguised as Dependabot contributions to steal authentication secrets and passwords from developers.
The campaign unfolded in July 2023, when researchers discovered unusual commits on hundreds of public and private repositories forged to appear as Dependabot commits.
Dependabot is an automated tool provided by GitHub that scans projects for vulnerable dependencies and then automatically issues pull requests to install the updated versions.
As reported today by Checkmarx, these fake Dependabot contributions were made possible using stolen GitHub access tokens with the attackers' goal of injecting malicious code to steal the project's secrets.
The attack began with the attackers somehow obtaining their targets' personal GitHub access tokens, which Checkmarx has no insight into.
As many compromised tokens also granted access to private repositories, the attack affected both public and private GitHub repositories.