As more businesses rely on open-source software for mission-critical infrastructure, HackerOne, along with sponsors including Elastic, Facebook, Figma, GitHub, Shopify and TikTok, announced they are throwing a new round of resources behind an Internet Bug Bounty Program to lure threat hunters' attention to open-source supply chains. Following a spate of spectacular software supply-chain breaches, market leaders have decided to throw in some cash to fund the IBB to incentivize bug hunters to take a closer look at open-source code.
The vulnerabilities affect both Windows and Unix-based users and, if left unpatched, can be exploited by attackers to achieve arbitrary code execution on a system installing untrusted npm packages. On further review of the researchers' reports, the GitHub security team found several more high-severity vulnerabilities in the aforementioned packages, affecting both Windows and Unix-based systems.
GitHub urges its user base to toggle on two-factor authentication after deprecating password-based authentication for Git operations. "If you have not done so already, please take this moment to enable 2FA for your GitHub account," the company's Chief Security Officer Mike Hanley said.
If your Git operations start failing on Friday, August 13 with GitHub, it may well be because you're still using password authentication - and you need to change that. In December, the source-code-hosting giant warned it will end password-based authentication for Git pushes and the like.
GitHub has announced today that account passwords will no longer be accepted for authenticating Git operations starting tomorrow. "Starting on August 13, 2021, at 09:00 PST, we will no longer accept account passwords when authenticating Git operations on GitHub.com," the company said.
The Open Source Security Foundation on Wednesday announced the availability of a new GitHub app that can be used to automatically and continuously enforce security best practices for GitHub projects. Allstar is a companion to Security Scorecards, an automated risk assessment tool for repositories and their dependencies that was also contributed by Google.
Google and the Open Source Security Foundation have released Allstar, an app that allows organizations or owners of GitHub repositories to set up security policy expectations for GitHub projects and to make sure that these policies are adhered to. "Allstar works by continuously checking expected GitHub API states and repository file contents against defined security policies and applying enforcement actions when expected states do not match the policies," OpenSSF's John Mertic explained.
A vulnerability in the GitHub Actions workflow for PyPI's source repository could be exploited to perform a malicious pull request and eventually execute arbitrary code on pypi.org, according to a warning from a Japanese security researcher. Because the workflow did not verify the pull request author, anyone could create a pull request with a specific name and have the workflow process it.
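As an added illustration (not the PyPI workflow or any code from the report), the two GitHub Actions configurations below contrast the weak pattern the report describes, a privileged workflow gated only on a pull request's title, with a form that verifies the author's association and never executes the PR head's code; the workflow names, script path and title prefix are assumptions.

```yaml
# Added example, not PyPI's actual workflow. Weak pattern: a privileged
# trigger (pull_request_target runs with base-repo write access and secrets)
# keyed only on the PR title, which any account can supply, and it checks
# out and runs code from the untrusted PR head.
name: weak-auto-process
on:
  pull_request_target:
    types: [opened, edited, synchronize]
jobs:
  process:
    # Title-only gate: no check of who opened the pull request.
    if: startsWith(github.event.pull_request.title, 'auto-process:')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code
      - run: ./scripts/process.sh                           # assumed script
---
# Hardened form: gate on the author's relationship to the repository,
# restrict the token's default permissions, check out only the base branch,
# and pass PR data to the script through an environment variable.
name: hardened-auto-process
on:
  pull_request_target:
    types: [opened, edited, synchronize]
permissions:
  contents: read
  pull-requests: write
jobs:
  process:
    # Author must be an owner or org member; the title alone is not trusted.
    if: >-
      startsWith(github.event.pull_request.title, 'auto-process:') &&
      contains(fromJSON('["OWNER","MEMBER"]'),
               github.event.pull_request.author_association)
    runs-on: ubuntu-latest
    steps:
      # The PR head is treated as data, never as code to execute.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.repository.default_branch }}
      - env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: ./scripts/process.sh "$PR_NUMBER"
```

A further check a maintainer can add is to require a review approval before the privileged job runs, which also closes the window where an edited title re-triggers the workflow.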