Security News

Automated code review tool provider DeepSource this week announced that it reset tokens, secrets, private keys, and employee credentials after being informed that its GitHub application was compromised. Designed to help developers identify security flaws, bug risks, and performance issues during code review, DeepSource also provides integration with GitHub to allow app authors get started with code analysis fast.

The Octopus Scanner malware, which targets the Apache NetBeans Java integrated development environment, has been nesting in at least 26 GitHub source-code repositories, according to researchers - waiting to take over developer machines. Once a developer does so, Octopus Scanner unfurls itself, first scanning the developer's computer for the presence of NetBeans.

In its write-up of the attack, the GitHub Security Labs team explains how the malware lurks in source code repositories uploaded to its site, activating when a developer downloads an infected repository and uses it to create a software program. Most of the variants that GitHub found in its scans also infect a project's source code, meaning that any other newly-infected projects mirrored to remote repositories would spread the malware further on GitHub.

GitHub revealed on Thursday that tens of open source NetBeans projects hosted on its platform were targeted by a piece of malware as part of what appears to be a supply chain attack. GitHub learned about the malware, which has been named Octopus Scanner, on March 9 from a security researcher who noticed that several repositories hosted on GitHub had been serving malware, likely without their owners' knowledge.

Hackers have broken into Microsoft's GitHub account and stolen 500 GB of data from the tech giant's own private repositories on the developer platform, according to published reports. In its latest hack, the group provided a screenshot to reporters at news site Hack Read that showed a list of private files from Microsoft's open-source developer repository to prove their infiltration of the company's private account.

Microsoft says it's investigating claims that its GitHub account has been hacked, and while some say the leaked files appear to be legitimate, it's unlikely that they contain any sensitive information. Data breach monitoring and prevention service Under the Breach reported on Thursday that a hacker claimed to have obtained 500 GB of source code from Microsoft's private GitHub repositories.

GitHub has made available two new security features for open and private repositories: code scanning and secret scanning. The code scanning feature, available for set up in every GitHub repository, is powered by CodeQL, a semantic code analysis engine that GitHub has made available last year.

Deque Systems, a leading software company specializing in digital accessibility, introduced axe Linter, an automated GitHub-based app which checks source code for common accessibility issues, automatically finding and suggesting fixes. Developers can supplement existing accessibility testing efforts by using axe Linter to catch accessibility problems early in the development process, significantly reducing future testing and remediation efforts.

The aim, said the code repo house, is to help developers suss out potential security vulnerabilities ahead of time, and to do so at a scale that will work for both small and large projects. The feature, based on the code-checking tools GitHub bought last year when it gobbled up UK-based Semmle, automatically graphs and scans code when a new push request is made and checks it for a number of common errors that can cause security vulnerabilities.

GitHub on Wednesday announced two new security features designed to help developers identify vulnerabilities and potential secrets in their code. These new security features, code scanning and secret scanning, are currently in beta.