Security News

Now available as a free GitHub App, NG SAST enables code analysis to be integrated into developer workflows in just a few clicks. Now that NG SAST is available through GitHub Marketplace, developers can make their own choices about which tools they adopt.

Ursem, self-appointed "Lamest hacker you know" found the leaked info in a simple search to see if someone "Is actually stupid enough to upload medical customer data to GitHub," he told DataBreach.net. The report describes one errant developer referred to as the "Typhoid Mary of Data Leaks" because of the multiple errors and repetition of these errors in his use of GitHub in relation to not just storage and management of medical data, but other files as well.

Proof-of-concept exploit code surfaced on GitHub on Friday, raising the stakes on two existing Apache Struts 2 bugs that allow for remote code-execution and denial-of-service attacks on vulnerable installations. Remediation includes upgrading to Struts 2.5.22, according to the Apache Struts Security Team.

Solar Security has announced the release of a new version of its app security analyzer, Solar appScreener 3.6, which supports Pascal and features improved integration with GitLab, GitHub and Bitbucket code version management and storage systems. To meet international customers' needs, the new version of our app vulnerability and undocumented feature analyzer, Solar appScreener 3.6, now supports Pascal.

British infosec biz NCC Group has admitted to The Register that its internal training materials were leaked on GitHub - after folders purporting to help people pass the CREST pentest certification exams appeared in a couple of repositories. CREST offers a certification called CRT: CREST Registered Tester.

Automated code review tool provider DeepSource this week announced that it reset tokens, secrets, private keys, and employee credentials after being informed that its GitHub application was compromised. Designed to help developers identify security flaws, bug risks, and performance issues during code review, DeepSource also provides integration with GitHub to allow app authors get started with code analysis fast.

The Octopus Scanner malware, which targets the Apache NetBeans Java integrated development environment, has been nesting in at least 26 GitHub source-code repositories, according to researchers - waiting to take over developer machines. Once a developer does so, Octopus Scanner unfurls itself, first scanning the developer's computer for the presence of NetBeans.

In its write-up of the attack, the GitHub Security Labs team explains how the malware lurks in source code repositories uploaded to its site, activating when a developer downloads an infected repository and uses it to create a software program. Most of the variants that GitHub found in its scans also infect a project's source code, meaning that any other newly-infected projects mirrored to remote repositories would spread the malware further on GitHub.

GitHub revealed on Thursday that tens of open source NetBeans projects hosted on its platform were targeted by a piece of malware as part of what appears to be a supply chain attack. GitHub learned about the malware, which has been named Octopus Scanner, on March 9 from a security researcher who noticed that several repositories hosted on GitHub had been serving malware, likely without their owners' knowledge.

Hackers have broken into Microsoft's GitHub account and stolen 500 GB of data from the tech giant's own private repositories on the developer platform, according to published reports. In its latest hack, the group provided a screenshot to reporters at news site Hack Read that showed a list of private files from Microsoft's open-source developer repository to prove their infiltration of the company's private account.