Security News

FYI: Data from deleted GitHub repos may not actually be deleted
2024-07-25 19:51

Researchers at Truffle Security have found, or arguably rediscovered, that data from deleted GitHub repositories and from deleted copies of repositories isn't necessarily deleted. The firm showed how one can fork a repository, commit data to it, delete the fork, and then access the supposedly deleted commit data via the original repository.

Researchers expose GitHub Actions workflows as risky and exploitable
2024-07-25 03:30

GitHub is an immensely popular platform, with over 100 million developers and over 90% of Fortune 100 companies utilizing it. Despite its widespread use, many GitHub Actions workflows remain insecure, often due to excessive privileges or high-risk dependencies.

Over 3,000 GitHub accounts used by malware distribution service
2024-07-24 21:58

Threat actors known as 'Stargazer Goblin' have created a malware Distribution-as-a-Service from over 3,000 fake accounts on GitHub that push information-stealing malware. The malware delivery service is called Stargazers Ghost Network and it utilizes GitHub repositories along with compromised WordPress sites to distribute password-protected archives that contain malware.

Network of ghost GitHub accounts successfully distributes malware
2024-07-24 14:28

Check Point researchers have unearthed an extensive network of GitHub accounts that they believe provides malware and phishing link Distribution-as-a-Service. Set up and operated by a threat group...

Most GitHub Actions workflows are insecure in some way
2024-07-17 03:00

The report found the GitHub Actions marketplace's security posture to be especially concerning, with most custom Actions not verified, maintained by one developer, or generating low-security scores based on OpenSSF Scorecard. Insecure GitHub Actions could allow attackers to compromise open-source and initiate supply chain attacks or use them as an initial attack vector into organizations that use GitHub.

GitHub Token Leak Exposes Python's Core Repositories to Potential Attacks
2024-07-15 16:18

Cybersecurity researchers said they discovered an accidentally leaked GitHub token that could have granted elevated access to the GitHub repositories of the Python language, Python Package Index, and the Python Software Foundation repositories. JFrog, which found the GitHub Personal Access Token, said the secret was leaked in a public Docker container hosted on Docker Hub.

Trojanized jQuery Packages Found on npm, GitHub, and jsDelivr Code Repositories
2024-07-09 04:48

Unknown threat actors have been found propagating trojanized versions of jQuery on npm, GitHub, and jsDelivr in what appears to be an instance of a "Complex and persistent" supply chain attack. As many as 68 packages have been linked to the campaign.

Dev rejects CVE severity, makes his GitHub repo read-only
2024-06-30 14:31

Fedor Indutny, due to a CVE report filed against his project, started getting hounded by people on the internet bringing the vulnerability to his attention. In recent times, open-source developers have been met with an uptick in receiving debatable or, in some cases, outright bogus CVE reports filed for their projects without confirmation.

Week in review: JetBrains GitHub plugin vulnerability, 20k FortiGate appliances compromised
2024-06-16 08:00

Users of JetBrains IDEs at risk of GitHub access token compromiseJetBrains has fixed a critical vulnerability that could expose users of its integrated development environments to GitHub access token compromise. AWS unveils new and improved security featuresAt its annual re:Inforce conference, Amazon Web Services has announced new and enhanced security features and tools.

New York Times warns freelancers of GitHub repo data breach
2024-06-13 19:52

The New York Times notified an undisclosed number of contributors that some of their sensitive personal information was stolen and leaked after its GitHub repositories were breached in January 2024. "The New York Times recently communicated to some of our contributors regarding an incident that resulted in the exposure of some of their personal information," a Times spokesperson told BleepingComputer.