Security News

GitHub Arctic Vault captures leaked patient medical data for 1,000 years
2021-04-02 08:26

GitHub Arctic Code Vault has likely captured sensitive patient medical records from multiple healthcare facilities in a data leak attributed to MedData. These rolls of film were then shipped off to the GitHub Arctic Code Vault, situated in a remote coal mine, deep under an Arctic mountain in Svalbard, Norway, which is relatively close to the North Pole.

PHP repository moved to GitHub after malicious code inserted under creator Rasmus Lerdorf's name
2021-03-29 11:46

The main code repository for PHP, which powers nearly 80 per cent of the internet, was breached to add malicious code and is now being moved to GitHub as a precaution. "Yesterday two malicious commits were pushed to the php-src repo from the names of Rasmus Lerdorf and myself. We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server," said PHP maintainer Nikita Popov, who works with the PHP team at JetBrains.

Microsoft's GitHub under fire after disappearing proof-of-concept exploit for critical Microsoft Exchange vuln
2021-03-12 00:32

On Wednesday, shortly after security researcher Nguyen Jang posted a proof-of-concept exploit on GitHub that abuses a Microsoft Exchange vulnerability revealed earlier this month, GitHub, which is owned by Microsoft, removed the code, to the alarm of security researchers. The bug, referred to as ProxyLogon, was one of four Microsoft Exchange zero-days that Microsoft patched in an out-of-band release on March 3, 2021.

GitHub Informs Users of 'Potentially Serious' Authentication Bug
2021-03-09 11:58

GitHub on Monday informed users that it had discovered what it described as an "extremely rare, but potentially serious" security bug related to how some authenticated sessions were handled. A second patch was released on March 8, and on the evening of the same day the company decided to invalidate all authenticated sessions to completely eliminate the possibility of exploitation.

GitHub fixes bug causing users to log into other accounts
2021-03-09 09:16

Last night, GitHub automatically logged out many users by invalidating their GitHub.com sessions to protect user accounts against a potentially serious security vulnerability. The anomalous behavior stemmed from a rare race condition vulnerability in which a GitHub user's login session was misrouted to the web browser of another logged-in user, giving the latter an authenticated session cookie for, and access to, the former user's account.

GitHub bug briefly gave valid authenticated session cookies to wrong users
2021-03-09 06:45

If you visit GitHub today you'll be asked to authenticate anew because the code collaboration locker has squished a bug that sometimes "misrouted a user's session to the browser of another authenticated user, giving them the valid and authenticated session cookie for another user." GitHub disclosed the problem today, explaining that it could only happen under "extremely rare circumstances" and "occurred in fewer than 0.001% of authenticated sessions on GitHub.com."

GitHub Hires Former Cisco Executive Mike Hanley as Chief Security Officer
2021-02-24 20:34

Software development platform GitHub announced on Wednesday that it has hired Mike Hanley as its new Chief Security Officer. Hanley joins GitHub from Cisco, where he served as Chief Information Security Officer.

GitHub Hires Mike Hanley as Chief Security Officer
2021-02-24 20:13

Software development platform GitHub announced on Wednesday that it has hired Mike Hanley as its new Chief Security Officer. Hanley joins GitHub from Cisco, where he served as Chief Information Security Officer for less than a year.

SitePoint hacked: Hashed, salted passwords pinched from web dev learning site via GitHub tool pwnage
2021-02-05 19:05

Reg reader Andy told us: "Got an email from SitePoint this morning saying that they had been hacked and some non-important stuff like names, email addresses, hashed passwords etc might have been stolen. Coincided with a big increase in spam that I've been getting but that's probably coincidence." An email sent to SitePoint users and seen by The Register confirmed the hack, though at the time of writing, the company has not published anything about it on its website or social media accounts.