Security News
GitHub push protection - a security feature aimed at preventing secrets such as API keys or tokens getting accidentally leaked online - is being switched on by default for all public repositories.Since the beginning of this year, GitHub has detected over 1 million leaked secrets on public repositories, the company also shared.
GitHub on Thursday announced that it’s enabling secret scanning push protection by default for all pushes to public repositories. “This means that when a supported secret is detected in any push...
A malware distribution campaign that began last May with a handful of malicious software packages uploaded to the Python Package Index has spread to GitHub and expanded to reach at least 100,000 compromised repositories. According to security firm Apiiro, the campaign to poison code involves cloning legitimate repos, infecting them with malware loaders, uploading the altered files to GitHub under the same name, then forking the poisoned repo thousands of times and promoting the compromised code in forums and on social media channels.
GitHub has enabled push protection by default for all public repositories to prevent accidental exposure of secrets such as access tokens and API keys when pushing new code. Push protection proactively prevents leaks by scanning for secrets before 'git push' operations are accepted and blocking the commits when a secret is detected.
An "intricately designed" remote access trojan (RAT) called Xeno RAT has been made available on GitHub, making it available to other actors at no extra cost. Written in C# and compatible with...
There is good news, however: high-severity security flaws in applications have decreased by half since 2016, indicating progress in software security practices and that speed of remediation has a material impact on critical security debt. The report reveals development teams that fix flaws the fastest reduce critical security debt by 75%-from 22.4% of applications to just over 5%. Moreover, these fast-acting teams are four times less likely to let critical security debt materialize in their applications in the first place.
A mishandled GitHub token gave unrestricted access to Mercedes-Benz's internal GitHub Enterprise Service, exposing source code to the public. On September 29, 2023, researchers at RedHunt Labs discovered a GitHub token in a public repository belonging to a Mercedez employee that gave access to the company's internal GitHub Enterprise Server.
Two malicious packages discovered on the npm package registry have been found to leverage GitHub to store Base64-encrypted SSH keys stolen from developer systems on which they were installed. The...
GitHub has revealed that it has rotated some keys in response to a security vulnerability that could be potentially exploited to gain access to credentials within a production container. The...
GitHub rotated keys potentially exposed by a vulnerability patched in December that could let attackers access credentials within production containers via environment variables. "On December 26, 2023, GitHub received a report through our Bug Bounty Program demonstrating a vulnerability which, if exploited, allowed access to credentials within a production container. We fixed this vulnerability on GitHub.com the same day and began rotating all potentially exposed credential," said Github VP and Deputy Chief Security Officer Jacob DePriest.