Security News

GitHub on Monday disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of GitHub Desktop for Mac and Atom apps. The Microsoft-owned subsidiary said it detected unauthorized access to a set of deprecated repositories used in the planning and development of GitHub Desktop and Atom on December 7, 2022.

GitHub says unknown attackers have stolen encrypted code-signing certificates for its Desktop and Atom applications after gaining access to some of its development and release planning repositories. GitHub has found no evidence that the password-protected certificates were used for malicious purposes.

Researchers have demonstrated how threat actors can abuse the GitHub Codespaces' port forwarding' feature to host and distribute malware and malicious scripts. In a new report by Trend Micro, researchers demonstrate how GitHub Codespaces can easily be configured to act as a web server for distributing malicious content while potentially avoiding detection as the traffic comes from Microsoft.

New research has found that it is possible for threat actors to abuse a legitimate feature in GitHub Codespaces to deliver malware to victim systems. "You can also forward a port manually, label forwarded ports, share forwarded ports with members of your organization, share forwarded ports publicly, and add forwarded ports to the codespace configuration," GitHub explains in its documentation.

GitHub has introduced a new option to set up code scanning for a repository known as "Default setup," designed to help developers configure it automatically with just a few clicks. While the CodeQL code analysis engine, which powers GitHub's code scanning, comes with support for many languages and compilers, the new option only shows up for Python, JavaScript, and Ruby repositories.

A South Africa-based threat actor known as Automated Libra has been observed employing CAPTCHA bypass techniques to create GitHub accounts in a programmatic fashion as part of a freejacking campaign dubbed PURPLEURCHIN. The group "Primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their crypto mining operations," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said. PURPLEURCHIN first came to light in October 2022 when Sysdig disclosed that the adversary created as many as 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts to scale its operation.

According to Palo Alto Networks Unit 42, the threat actors use a new CAPTCHA solving system, follow a more aggressive use of CPU resources for mining, and mixe 'freejacking' with the "Play and Run" technique to abuse free cloud resources. Whereas Sysdig identified 3,200 malicious accounts belonging to 'PurpleUrchin,' Unit 42 now reports that the threat actor has created and used over 130,000 accounts on the platforms since August 2019, when the first signs of its activities can be traced.

Slack suffered a security incident over the holidays affecting some of its private GitHub code repositories. BleepingComputer has come across a security incident notice issued by Slack on December 31st, 2022.

Intruders copied source code belonging to Okta after breaching the identity management company's GitHub repositories. Okta was alerted by Microsoft-owned GitHub earlier this month of "Suspicious access" to its code repositories and determined that miscreants copied code associated with the company's Workforce Identity Cloud, an enterprise-facing access and identity management tool to enable workers and partners to work from anywhere.

Currently GitHub partners with service providers to flag leaked credentials on all public repos through its secret scanning partner program. Figure A. GitHub launched the secret scanning for public repositories as a beta this month.