Security News

GitHub push protection now on by default for public repositories
2024-03-04 14:10

GitHub push protection - a security feature aimed at preventing secrets such as API keys or tokens getting accidentally leaked online - is being switched on by default for all public repositories. Since the beginning of this year, GitHub has detected over 1 million leaked secrets on public repositories, the company also shared.

GitHub Rolls Out Default Secret Scanning Push Protection for Public Repositories
2024-03-01 05:29

GitHub on Thursday announced that it’s enabling secret scanning push protection by default for all pushes to public repositories. “This means that when a supported secret is detected in any push...

GitHub struggles to keep up with automated malicious forks
2024-03-01 00:45

A malware distribution campaign that began last May with a handful of malicious software packages uploaded to the Python Package Index has spread to GitHub and expanded to reach at least 100,000 compromised repositories. According to security firm Apiiro, the campaign to poison code involves cloning legitimate repos, infecting them with malware loaders, uploading the altered files to GitHub under the same name, then forking the poisoned repo thousands of times and promoting the compromised code in forums and on social media channels.

GitHub enables push protection by default to stop secrets leak
2024-02-29 18:57

GitHub has enabled push protection by default for all public repositories to prevent accidental exposure of secrets such as access tokens and API keys when pushing new code. Push protection proactively prevents leaks by scanning for secrets before 'git push' operations are accepted and blocking the commits when a secret is detected.

Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub
2024-02-27 12:56

An "intricately designed" remote access trojan (RAT) called Xeno RAT has been made available on GitHub, making it available to other actors at no extra cost. Written in C# and compatible with...

36% of code generated by GitHub CoPilot contains security flaws
2024-02-20 04:30

There is good news, however: high-severity security flaws in applications have decreased by half since 2016, indicating progress in software security practices and that speed of remediation has a material impact on critical security debt. The report reveals that development teams that fix flaws the fastest reduce critical security debt by 75% (from 22.4% of applications to just over 5%). Moreover, these fast-acting teams are four times less likely to let critical security debt materialize in their applications in the first place.

A mishandled GitHub token exposed Mercedes-Benz source code
2024-01-30 18:42

A mishandled GitHub token gave unrestricted access to Mercedes-Benz's internal GitHub Enterprise Server, exposing source code to the public. On September 29, 2023, researchers at RedHunt Labs discovered a GitHub token in a public repository belonging to a Mercedes employee that gave access to the company's internal GitHub Enterprise Server.

Malicious NPM Packages Exfiltrate Hundreds of Developer SSH Keys via GitHub
2024-01-23 14:19

Two malicious packages discovered on the npm package registry have been found to leverage GitHub to store Base64-encoded SSH keys stolen from developer systems on which they were installed. The...

GitHub Rotates Keys After High-Severity Vulnerability Exposes Credentials
2024-01-17 07:41

GitHub has revealed that it has rotated some keys in response to a security vulnerability that could be potentially exploited to gain access to credentials within a production container. The...

GitHub rotates keys to mitigate impact of credential-exposing flaw
2024-01-16 22:19

GitHub rotated keys potentially exposed by a vulnerability patched in December that could let attackers access credentials within production containers via environment variables. "On December 26, 2023, GitHub received a report through our Bug Bounty Program demonstrating a vulnerability which, if exploited, allowed access to credentials within a production container. We fixed this vulnerability on GitHub.com the same day and began rotating all potentially exposed credentials," said GitHub VP and Deputy Chief Security Officer Jacob DePriest.