Security News

GitHub, the ubiquitous host for software development and version control, is now supporting security keys when using Git over SSH. In a post on Monday, GitHub security engineer Kevin Jones said that this is the next step when it comes to increasing security and usability. These security keys, which include YubiKey, Thetis Fido U2F Security Key and Google Titan Security Keys, are easy to pop into your pocket and cart around between machines, with most connecting via USB, NFC or Bluetooth.

GitHub has added support for securing SSH Git operations using FIDO2 security keys for added protection from account takeover attempts. "Once generated, you add these new keys to your account just like any other SSH key," GitHub Senior Security Engineer Kevin Jones said.

Cloud comms platform Twilio has confirmed its private GitHub repositories were cloned after it became the latest casualty of the compromised credential-stealing Codecov script. Twilio said: "We have Codecov tools, including the Bash Uploader component, in use in a small number of our projects and CI pipelines." The company added that these particular projects were "Not in the critical path to providing updates or functionality to our communication APIs" and that it has "Remediated the potential exposure by thoroughly reviewing and rotating any potentially exposed credentials."

GitHub wants to update its policies regarding security research, exploits and malware, but the cybersecurity community is not happy with the proposed changes. The community has been asked to provide feedback until June 1 on proposed clarifications regarding exploits and malware hosted on GitHub.

It turns out, this header, now being returned by GitHub sites, is actually meant for website owners to opt-out of Google FLoC tracking. BleepingComputer also noticed the entire github.com domain had this header set, indicating GitHub did not want its visitors to be included in Google FLoC's "Cohorts" when visiting any GitHub page.

It turns out, this header, now being returned by GitHub sites, is actually meant for website owners to opt-out of Google FLoC tracking. BleepingComputer also noticed the entire github.com domain had this header set, indicating GitHub did not want its visitors to be included in Google FLoC's "Cohorts" when visiting any GitHub page.

The Homebrew package manager for macOS and Linux has fixed an issue that could have been exploited by miscreants to run malicious code on people's computers. Specifically, the project's GitHub Actions setup could have been abused to sneak arbitrary Ruby code into its Cask repositories, security researcher RyotaK discovered and disclosed via HackerOne.

A researcher has disclosed the details of a series of vulnerabilities that could have been exploited by an attacker to access an organization's private pages on GitHub. GitHub Pages is a service that individuals and organizations can use to host websites.

GitHub Actions is currently being abused by attackers to mine cryptocurrency on GitHub's servers in an automated attack. This week, according to a Dutch security engineer Justin Perdok, attackers have targeted GitHub repositories that use GitHub Actions to mine cryptocurrency.

GitHub Actions is currently being abused by attackers to mine cryptocurrency on GitHub's servers in an automated attack. This week, according to a Dutch security engineer Justin Perdok, attackers have targeted GitHub repositories that use GitHub Actions to mine cryptocurrency.