Security News

Dropbox admits 130 of its private GitHub repos were copied after phishing attack
2022-11-01 23:52

Dropbox has said it was successfully phished, resulting in someone copying 130 of its private GitHub code repositories and swiping some of its secret API credentials. GitHub let Dropbox know the next day, and the cloud storage outfit investigated.

Dropbox discloses breach after hacker stole 130 GitHub repositories
2022-11-01 21:15

Dropbox disclosed a security breach after threat actors stole 130 code repositories after gaining access to one of its GitHub accounts using employee credentials stolen in a phishing attack. "To date, our investigation has found that the code accessed by this threat actor contained some credentials-primarily, API keys-used by Dropbox developers," Dropbox revealed on Tuesday.

GitHub Repojacking Bug Could've Allowed Attackers to Takeover Other Users' Repositories
2022-10-31 09:17

Cloud-based repository hosting service GitHub has addressed a high-severity security flaw that could have been exploited to create malicious repositories and mount supply chain attacks. The RepoJacking technique, disclosed by Checkmarx, entails a bypass of a protection mechanism called popular repository namespace retirement, which aims to prevent developers from pulling unsafe repositories with the same name.

Purpleurchin cryptocurrency miners spotted scouring free GitHub, Heroku accounts
2022-10-27 07:27

A stealthy cryptocurrency mining operation has been spotted using thousands of free accounts on GitHub, Heroku and other DevOps outfits to craft digital tokens. Sysdig estimated each of those 30 free GitHub accounts cost the Microsoft-owned giant $15 per month, and the free tier accounts from Heroku, Buddy and others cost providers between $7 and $10 per month.

Thousands of GitHub repositories deliver fake PoC exploits with malware
2022-10-23 15:15

Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept exploits for various vulnerabilities, some of them including malware. GitHub is one of the largest code hosting platforms, and researchers use it to publish PoC exploits to help the security community verify fixes for vulnerabilities or determine the impact and scope of a flaw.

Toyota dev left key to customer info on public GitHub page for five years
2022-10-11 01:06

Toyota has admitted it put 296,019 email addresses and customer management numbers of folks who signed up for its T-Connect assistance website at risk of online theft by bungling its security. Once Toyota looked at that source code, the manufacturing giant realized this public-facing code repository contained an access key to a server that stored customer data.

Toyota discloses data leak after access key exposed on GitHub
2022-10-10 17:50

Toyota Motor Corporation is warning that customers' personal information may have been exposed after an access key was publicly available on GitHub for almost five years. Toyota discovered recently that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers.

Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub
2022-10-03 21:47

Scammers are impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits for newly discovered Microsoft Exchange zero-day vulnerabilities. Last week, Vietnamese cybersecurity firm GTSC disclosed that some of their customers had been attacked using two new zero-day vulnerabilities in Microsoft Exchange.

Hackers Using Fake CircleCI Notifications to Hack GitHub Accounts
2022-09-23 14:04

GitHub has put out an advisory detailing what may be an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication codes by impersonating the CircleCI DevOps platform. The fraudulent messages claim to notify users that their CircleCI sessions have expired and that they should log in using GitHub credentials by clicking on a link.

Hackers stealing GitHub accounts using fake CircleCI notifications
2022-09-22 13:40

GitHub is warning of an ongoing phishing campaign that started on September 16 and is targeting its users with emails that impersonate the CircleCI continuous integration and delivery platform. "While GitHub itself was not affected, the campaign has impacted many victim organizations," GitHub informs in an advisory on Wednesday.