Security News

GitHub rolling out two-factor authentication to millions of users
2023-03-10 01:47

Different 2FA choices, but biometrics and passkeys trump SMS. GitHub is also offering a preferred 2FA option for account login with a sudo prompt, allowing users to choose between time-based one-time passwords, SMS, security keys or GitHub Mobile. In a move toward closing loopholes to combat threat actors, GitHub expanded its secret scanning program last fall, allowing developers to track any publicly exposed secrets in their public GitHub repository.

GitHub to introduce mandatory 2FA authentication starting March 13
2023-03-09 17:01

Starting March 13, GitHub will gradually introduce the 2FA enrollment requirement to groups of developers and administrators, beginning with smaller groups. In case your account is selected for enrollment, you will receive a notification via email and see a banner on GitHub.com requesting you to enroll in 2FA. You will have a 45-day window to configure 2FA on your account, and before that date, you can continue to use GitHub as usual except for the occasional reminders.

GitHub makes 2FA mandatory next week for active developers
2023-03-09 17:00

GitHub will start requiring active developers to enable two-factor authentication on their accounts beginning next week, on March 13. The gradual rollout will start next week with GitHub reaching out to smaller groups of administrators and developers via email and will speed up as the end of the year approaches to ensure that onboarding is seamless and users have time to sort out any issues.

Massive GitHub analysis reveals 10 million secrets hidden in 1 billion commits
2023-03-09 05:30

GitGuardian scanned 1.027 billion new GitHub commits in 2022 and found 10,000,000 secret occurrences. What is interesting beyond this ever-increasing number is that 1 code author out of 10 exposed a secret in 2022.

GitHub’s secret scanning alerts now available for all public repos
2023-03-01 17:33

GitHub has announced that its secret scanning alerts service is now generally available to all public repositories and can be enabled to detect leaked secrets across an entire publishing history. In December 2022, GitHub began rolling out a beta of a free secret scanning feature to all public repositories that scans for 200+ token formats to help developers find accidental public exposure of sensitive data.

GitHub Copilot update stops AI model from revealing secrets
2023-02-15 21:03

GitHub has updated the AI model of Copilot, a programming assistant that generates real-time source code and function recommendations in Visual Studio, and says it's now safer and more powerful. Copilot will introduce a new paradigm called "Fill-In-the-Middle," which uses a library of known code suffixes and leaves a gap for the AI tool to fill, achieving better relevance and coherence with the rest of the project's code.

GitHub code-signing certificates stolen (but will be revoked this week)
2023-01-31 19:35

Simply put: someone used a pre-generated access code acquired from who-knows-where to leech the contents of various source code repositories that belonged to GitHub itself. In the case of stolen source code databases, whether they're stored on GitHub or elsewhere, there's always the risk that a private repository might include access credentials to other systems, or let cybercriminals get at code signing certificates that are used when actually building the software for public release.

GitHub Breach: Hackers Stole Code-Signing Certificates for GitHub Desktop and Atom
2023-01-31 03:37

GitHub on Monday disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of GitHub Desktop for Mac and Atom apps. The Microsoft-owned subsidiary said it detected unauthorized access to a set of deprecated repositories used in the planning and development of GitHub Desktop and Atom on December 7, 2022.

GitHub revokes code signing certificates stolen in repo hack
2023-01-30 18:27

GitHub says unknown attackers have stolen encrypted code-signing certificates for its Desktop and Atom applications after gaining access to some of its development and release planning repositories. GitHub has found no evidence that the password-protected certificates were used for malicious purposes.

Hackers can use GitHub Codespaces to host and deliver malware
2023-01-17 19:53

Researchers have demonstrated how threat actors can abuse the GitHub Codespaces 'port forwarding' feature to host and distribute malware and malicious scripts. In a new report by Trend Micro, researchers demonstrate how GitHub Codespaces can easily be configured to act as a web server for distributing malicious content while potentially avoiding detection as the traffic comes from Microsoft.