Security News

A newly discovered worm and botnet named Gitpaste-12 lives on GitHub and also uses Pastebin to host malicious code. The advanced malware comes equipped with reverse shell and crypto-mining capabilities and exploits over 12 known vulnerabilities, therefore the moniker.

GitHub's CEO has denied that the site's source code was posted to GitHub. News of the supposed leak and posting came from a site called Resynth that linked to a Wayback Machine snapshot of a GitHub repo that purported to be the work of GitHub CEO Nat Friedman and was labelled "This is GitHub.com and GitHub Enterprise."

Details on a vulnerability impacting GitHub Actions were made public this week by Google, following a 104-day disclosure deadline. The bug was identified by security researcher Felix Wilhelm of Google Project Zero, who reported it to GitHub on July 21.

This morning, GitHub's pristine layout vanished off of the repository, in what looks like a miss on the company's part in renewing an SSL certificate. The expired certificate prevented numerous resources like images, JavaScript, and CSS stylesheets from correctly loading on GitHub.

GitHub has issued a warning that accounts could be banned if they continue to upload content that was removed due to DMCA takedown notices. On October 23rd, 2020, GitHub removed the source code repositories for the popular video download tool called YouTube-dl after the Recording Industry Association of America, Inc. filed a DMCA infringement notice.

Users of the extremely popular YouTube-dl YouTube media downloader have flooded GitHub with new repositories containing the tool's source code after GitHub took down the project's repositories on Friday. On October 23, 2020, GitHub took down YouTube-dl's repositories due to a DMCA infringement notice filed by Recording Industry Association of America, an organization that represents the recording industry in the U.S. Before being removed, YouTube-dl's repo was in the top 40 most starred GitHub repositories with more than 72,000 stars, between Node.js and Kubernetes.

The Recording Industry Association of America, Inc. has taken down YouTube-dl's GitHub repositories using a DMCA takedown notice. Today, the RIAA took down the YouTube-dl GitHub repositories by filing a DMCA infringement notice with GitHub.

A security researcher says he has earned $20,000 for a high-severity GitHub Enterprise vulnerability that might have allowed an attacker to execute arbitrary commands. GitHub Enterprise, the on-premises version of GitHub.com, is designed to make it easier for large enterprise software development teams to collaborate.

"So much of the world's development happens on GitHub that security is not just an opportunity for us, but our responsibility. To secure software at scale, we need to make a base-level impact that can drive the most change; and that starts with the code," Grey Baker, GitHub's Senior Director of Product Management, told Help Net Security. The engine can analyze code written in C, C++, C#, Java, JavaScript, TypeScript, Python and Go, but since the Code Scanning feature built on the open SARIF standard, it can also work with third-party analysis engines available from the GitHub Marketplace.

DefenseCode Group has announced that DefenseCode's Static Application Security Testing ThunderScan solution is now available as a GitHub Action, offering security vulnerability analysis across 30+ languages providing detailed vulnerability reports integrated into GitHub. Coinciding with the launch of code scanning, DefenseCode Group has released a GitHub Action for the ThunderScan SAST solution.