Security News

A stealthy cryptocurrency mining operation has been spotted using thousands of free accounts on GitHub, Heroku and other DevOps outfits to craft digital tokens. Sysdig estimated each of those 30 free GitHub accounts cost the Microsoft-owned giant $15 per month, and the free tier accounts from Heroku, Buddy and others cost providers between $7 and $10 per month.

Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept exploits for various vulnerabilities, some of them including malware. GitHub is one of the largest code hosting platforms, and researchers use it to publish PoC exploits to help the security community verify fixes for vulnerabilities or determine the impact and scope of a flaw.

Toyota has admitted it put 296,019 email addresses and customer management numbers of folks who signed up for its T-Connect assistance website at risk of online theft by bungling its security. Once Toyota looked at that source code, the manufacturing giant realized this public-facing code repository contained an access key to a server that stored customer data.

Toyota Motor Corporation is warning that customers' personal information may have been exposed after an access key was publicly available on GitHub for almost five years. Toyota discovered recently that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers.

Scammers are impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits for newly discovered Microsoft Exchange zero-day vulnerabilities. Last week, Vietnamese cybersecurity firm GTSC disclosed that some of their customers had been attacked using two new zero-day vulnerabilities in Microsoft Exchange.

GitHub has put out an advisory detailing what may be an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication codes by impersonating the CircleCI DevOps platform. The fraudulent messages claim to notify users that their CircleCI sessions have expired and that they should log in using GitHub credentials by clicking on a link.

GitHub is warning of an ongoing phishing campaign that started on September 16 and is targeting its users with emails that impersonate the CircleCI continuous integration and delivery platform. "While GitHub itself was not affected, the campaign has impacted many victim organizations," GitHub informs in an advisory on Wednesday.

If we turn back the clock to five years ago, that's when Slack started leaking hashed passwords. If you're a Slack user, I would assume that if they didn't realise they were leaking hashed passwords for five years, maybe they didn't quite enumerate the list of people affected completely either.

Cloud-based code hosting platform GitHub has announced that it will now start sending Dependabot alerts for vulnerable GitHub Actions to help developers fix security issues in CI/CD workflows. GitHub Actions is a continuous integration and continuous delivery solution that enables users to automate the software build, test, and deployment pipeline.

GitHub to add non-essential cookies on marketing pages. "GitHub is introducing non-essential cookies on web pages that market our products to businesses," explains Olivia Holder, GitHub's Senior Privacy Counsel.