Security News

GitHub Announces Free Secret Scanning for All Public Repositories
2022-12-16 12:24

GitHub on Thursday said it is making available its secret scanning service to all public repositories on the code hosting platform for free. "Secret scanning alerts notify you directly about leaked secrets in your code," the company said, adding it's expected to complete the rollout by the end of January 2023.

GitHub to require all users to enable 2FA by the end of 2023
2022-12-15 20:16

GitHub will require all users who contribute code on the platform to enable two-factor authentication as an additional protection measure on their accounts by the end of 2023. Imposing 2FA as a mandatory measure for all GitHub accounts will make the platform a safer space where users can feel more confident about the quality of the code they download from repositories.

GitHub rolls out free secret scanning for all public repositories
2022-12-15 19:09

GitHub is rolling out support for the free scanning of exposed secrets to all public repositories on its code hosting platform. Secret scanning is a security option that organizations can enable for additional repository scanning to detect accidental exposure of known types of secrets.

Researchers Uncover New Drokbk Malware that Uses GitHub as a Dead Drop Resolver
2022-12-09 11:25

The subgroup of an Iranian nation-state group known as Nemesis Kitten has been attributed as behind a previously undocumented custom malware dubbed Drokbk that uses GitHub as a dead drop resolver...

GitHub sets up private vulnerability reports for public repos to avoid 'naming and shaming'
2022-11-14 22:00

GitHub is offering a scheme for security researchers to privately report vulnerabilities found in public repositories. Being able to privately report code flaws is important to researchers who are often left with choices that can lead to more security problems, GitHub said in a blog post.

Microsoft sued for open-source piracy through GitHub Copilot
2022-11-05 14:07

Programmer and lawyer Matthew Butterick has sued Microsoft, GitHub, and OpenAI, alleging that GitHub's Copilot violates the terms of open-source licenses and infringes the rights of programmers. GitHub Copilot, released in June 2022, is an AI-based programming aid that uses OpenAI Codex to generate real-time source code and function recommendations in Visual Studio.

Dropbox Breach: Hackers Unauthorizedly Accessed 130 GitHub Source Code Repositories
2022-11-02 07:10

File hosting service Dropbox on Tuesday disclosed that it was the victim of a phishing campaign that allowed unidentified threat actors to gain unauthorized access to 130 of its source code repositories on GitHub."These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team," the company revealed in an advisory.

Dropbox admits 130 of its private GitHub repos were copied after phishing attack
2022-11-01 23:52

Dropbox has said it was successfully phished, resulting in someone copying 130 of its private GitHub code repositories and swiping some of its secret API credentials. GitHub let Dropbox know the next day, and the cloud storage outfit investigated.

Dropbox discloses breach after hacker stole 130 GitHub repositories
2022-11-01 21:15

Dropbox disclosed a security breach after threat actors stole 130 code repositories after gaining access to one of its GitHub accounts using employee credentials stolen in a phishing attack. "To date, our investigation has found that the code accessed by this threat actor contained some credentials-primarily, API keys-used by Dropbox developers," Dropbox revealed on Tuesday.

GitHub Repojacking Bug Could've Allowed Attackers to Takeover Other Users' Repositories
2022-10-31 09:17

Cloud-based repository hosting service GitHub has addressed a high-severity security flaw that could have been exploited to create malicious repositories and mount supply chain attacks. The RepoJacking technique, disclosed by Checkmarx, entails a bypass of a protection mechanism called popular repository namespace retirement, which aims to prevent developers from pulling unsafe repositories with the same name.