Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label GitHub. Show all posts
Vulnerabiliies
Cyber Security Cyberattacks GitHub Security Breach Supply Chain. CI/CD Vulnerabiliies

GitHub Action Security Breach Raises Concerns Over Supply Chain Risks

 


An attack of a cascading supply chain was recently triggered by the compromise of the GitHub action "reviewdog/action-setup@v1", which ultimately led to the security breach of the "tj-actions/changed-files" repository. As a result of this breach, unintended secrets about continuous integration and delivery were exposed, raising concerns about the integrity of software supply chains. 

There was a malicious code in the tj-actions/changed-files application last week, which introduced malicious code that was capable of extracting CI/CD secrets from the workflow logs and logging them within the log files. This incident affected approximately 23,000 repositories. Even though these logs were not accessible to the public, this exposure highlights significant security risks. In the case that the logs had become public, the attacker would have been able to gain unauthorized access to vital credentials.

Even though there has been an ongoing investigation into tj-actions/changed files, its developers have been unable to determine exactly how the attackers compromised GitHub's Personal Access Token (PAT) to gain access to critical data. For the unauthorized changes to be made, this token, which was used by an automated bot to modify code, appears to have played a pivotal role in the process. GitHub Actions and CI/CD pipelines need to be enhanced to prevent the spread of software supply chain vulnerabilities. This incident underscores the increasing threat of software supply chain vulnerabilities. 

A critical security breach has been identified in the widely used third-party GitHub Action, tj-actions/changed-files, that has been assigned the CVE-2025-30066 vulnerability. When a supply chain attack compromises the action that tracks file changes in pull requests and commits, it results in unauthorized disclosure of sensitive credentials since this action tracks file modifications. Among the secrets that were exposed were valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys. 

A security patch was implemented in version 46.0.1 as a response to the incident to mitigate the risk associated with it. As a result of an updated analysis from March 19, 2025, security researchers have suggested that this breach may have been the result of a similar compromise of another GitHub action, reviewdog/action-setup@v1, identified as CVE-2025-30154 by security researchers. Considering the timing of both incidents and the growing threat landscape surrounding software supply chains, there is a strong likelihood that there is a connection between them. 

The developments highlighted in this article underscore the importance of conducting rigorous security audits and maintaining enhanced monitoring practices within the GitHub ecosystem to prevent future threats. In the recent past, there was a security breach affecting GitHub Action tj-actions/changed-files that exposed critical security vulnerabilities in software supply chains, emphasizing the risks associated with third-party dependencies in continuous integration/continuous delivery. 

Through GitHub Actions, a widely used automation platform, developers can optimize their workflows through reusable components, allowing them to save time and money. However, due to the compromise of tj-actions/changed-files—a tool that detects changes in files in pull requests and commits—over 23,000 repositories were accessed unauthorized, resulting in the theft of sensitive workflow secrets. A security researcher first noticed unusual activity related to the repository on March 14, 2025, which led to the discovery of the breach. 

A malicious payload has been injected into CI/CD runners in an attempt to extract CI/CD runner memory, which exposed critical environment variables and workflow secrets within logs, which were discovered to have been injected by the attackers. An exploit like this could result in unauthorized access to confidential credentials, thereby posing a significant security risk to the organization. Having been provided with a critical lead by security researcher Adnan Khan, it has been confirmed that the root cause of this compromise stems from another GitHub Action called reviewdog/action-setup, which an independent organization maintains. 

The investigation revealed that the tj-actions/changed-files action was compromised because it was dependent on the tj-actions/eslint-changed-files action, which was itself dependent on the reviewdog/action-setup action. In addition to the attack on the review dog organization, multiple activities were also affected within that organization, indicating that the attack was more widespread than that. Maintainers of TJ-actions and Review Dog quickly mitigated this incident by implementing security patches and reducing further risks. 

To counteract growing threats within software supply chains, continuous security monitoring, dependency validation, and rapid mitigation strategies must be implemented to protect continuous integration/continuous delivery pipelines from future attacks. Wiz, one of the leading security firms, recommended that developers evaluate their potential exposure by performing a GitHub query to determine if any references to reviewdog/action-setup@v1 were found in their repositories. 

As part of this process, it is important to determine if any of the projects might have been compromised by the recent supply chain compromise. It would be prudent to treat the detection of double-encoded base64 payloads within workflow logs as a confirmation of the leakage of sensitive information. If this happens, immediate remediation measures are required to prevent further security incidents. 

To reduce the risks associated with compromised actions, developers are advised to remove all references to these actions across branches, remove workflow logs that might contain exposed credentials, and rotate any potentially compromised secrets so that unauthorized access cannot occur. There is a need to take proactive security measures, such as pin GitHub Actions to specific commit hashes rather than version tags to reduce the probability that similar breaches will occur in the future. Furthermore, by utilizing GitHub's allow-listing feature, we can restrict unauthorized actions and enhance the security of our repositories. 

One must respond quickly to supply chain attacks, which may have far-reaching consequences as well as leak CI/CD secrets. Immediately following the breach, organizations must take steps to contain the breach, and they must develop long-term security strategies to protect themselves against future threats as well. The companies that are potentially impacted by this GitHub Actions supply chain attack should take immediate measures to protect their systems from further harm. To effectively counteract unauthorized access and further exploitation, all exposed secrets must be rotated. This is especially true for those secrets that were used between March 14 and March 15, 2025. 

Failure to replace compromised credentials could result in further exploitation. Further, security teams need to thoroughly review CI/CD workflows, paying close attention to unexpected outputs, particularly within the section on "changed files". There is a good chance that any anomalies may indicate an unauthorized modification or possible data leak. All workflow references should be updated to point to specific commit hashes rather than mutable tags so that they can be used to enhance security and mitigate the risk of a similar incident in the future. This will reduce the risk that attackers may inject malicious code into widely used GitHub Actions in the future. 

A robust security policy is also crucial for organizations. For this reason, organizations must utilize GitHub's allow-listing feature to restrict access to unauthorized actions, and they should conduct regular security audits of their third-party dependencies before integrating them into workflows. This kind of prevention measure can greatly reduce the chances of an attack on the supply chain or an unauthorized change in the source code. As a result of the recent breach, it has been highlighted how widely used automation tools are prone to vulnerabilities, which emphasizes the need to maintain continuous security monitoring and develop proactive defence strategies. 

Although some organizations, like Coinbase, successfully mitigated the impact of this incident, it serves as a reaffirmation that all organizations should continue strengthening their security postures and remain vigilant when it comes to evolving threats in the software industry. Recent information about a security breach with GitHub Actions confirms that the threats associated with supply chain attacks are continuing to grow in the modern software development industry. It has become increasingly important for organizations to enforce strong security frameworks for the sake of preventing cyber threats by implementing continuous monitoring mechanisms, thorough dependency audits, and enhanced access controls as cyber threats become more sophisticated. 

CI/CD pipelines need to be protected against unauthorized intrusions at all costs, and this incident highlights the urgency for proactive defense strategies to prevent this type of activity. Teams can mitigate vulnerabilities and ensure their workflows are protected by adopting secure coding best practices, enforcing strict authentication policies, and utilizing GitHub's security features, if they implement secure coding practices and enforce strict authentication policies. As software supply chain security has become a world-wide concern, maintaining vigilance and immediate response to incidents is crucial to ensuring operational integrity and resilience against evolving threats in an era when it has become paramount.
Read more »
Microsoft
Cyber Attacks GitHub Infostealer Malvertising Microsoft

Microsoft Warns of Malvertising Campaign Impacting Over 1 Million Devices Worldwide

 

Microsoft has revealed details of a large-scale malvertising campaign that is believed to have impacted over one million devices worldwide as part of an opportunistic attack aimed at stealing sensitive information. 

The tech giant, which discovered the activity in early December 2024, is tracking it under the broader Storm-0408 umbrella, which refers to a group of attackers known for distributing remote access or information-stealing malware via phishing, search engine optimisation (SEO), or malvertising.

"The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms," the Microsoft Threat Intelligence team stated. "The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.”

The campaign relied on GitHub to deliver initial access payloads, but payloads were also detected on Discord and Dropbox. The GitHub repositories were removed, but the number of such repositories was not disclosed. The Microsoft-owned code hosting service serves as a staging ground for dropper malware, which deploys a series of ads.

The Microsoft-owned code hosting site serves as a staging ground for dropper malware, which is in charge of launching a number of further programs such as Lumma Stealer and Doenerium, which can then collect system information. The assault also uses a sophisticated redirection chain with four to five layers, with the first redirector embedded in an iframe element on unlawful streaming websites that serve pirated content.

The entire infection sequence consists of several stages, including system discovery, information collecting, and the employment of follow-on payloads like NetSupport RAT and AutoIT scripts to assist more data theft. The remote access trojan also acts as a gateway for stealer malware. 

  • First stage: Establish a footing on target devices.
  • Second stage: system reconnaissance, collection, exfiltration, and payload delivery. 
  • Third stage: It involves command execution, payload delivery, defence evasion, persistence, command-and-control communications, and data exfiltration. 
  • Fourth stage: PowerShell script for configuring Microsoft Defender exclusions and running commands to download data from a remote server. 

Another feature of the assaults is the use of numerous PowerShell scripts to download NetSupport RAT, identify installed apps and security software, and scan for the presence of cryptocurrency wallets, which indicates possible financial data theft.

"Besides the information stealers, PowerShell, JavaScript, VBScript, and AutoIT scripts were run on the host," Microsoft said. "The threat actors incorporated use of living-off-the-land binaries and scripts (LOLBAS) like PowerShell.exe, MSBuild.exe, and RegAsm.exe for C2 and data exfiltration of user data and browser credentials.” 

The disclosure comes after Kaspersky reported that fake websites masquerading as DeepSeek and Grok artificial intelligence (AI) chatbots are being used to lure users into installing a previously unknown Python information stealer.

DeekSeek-themed decoy sites promoted by verified accounts on X (e.g., @ColeAddisonTech, @gaurdevang2, and @saduq5) have also been used to run a PowerShell script that leverages SSH to enable attackers remote access to the machine. 

"Cybercriminals use various schemes to lure victims to malicious resources,' the Russian cybersecurity company noted. "Typically, links to such sites are distributed through messengers and social networks. Attackers may also use typosquatting or purchase ad traffic to malicious sites through numerous affiliate programs.”
Read more »
Social Engineering
Bots Gaming GitHub malware Redox Stealer Social Engineering

GitHub Scam: Fake Game Mods Steal User Credentials and Data


An advanced malware campaign exploiting GitHub repositories masked as game mods (and cracked software) has been found, revealing a risky blend of automated credential harvesting and social engineering tactics. 

While going through articles on social engineering, cybersecurity expert Tim found “a relatively new scam scheme” that shocked him. “People create thousands of GitHub repositories with all sorts of things - from Roblox and Fortnite mods to "cracked" FL Studio and Photoshop,” says Tim. 

About Redox stealer

Experts have found more than 1,100 dangerous repositories spreading versions of Redox stealer, a python-based malware built to extract important data, browser cookies, gaming platform credentials, and cryptocurrency wallet keys.

When we download and run this software, the data collected from our systems is sent to some Discord server, according to Tim, where “hundreds of people crawl through the data searching for crypto wallet private keys, bank accounts and social media credentials, and even Steam and Riot Games accounts.” 

Redox Stealer Details

Redox runs via a multi-stage data harvesting process that starts with system surveillance. Talking about the technical architecture of the redox stealer, cybersecurity news portal GB Hackers says, “Initial execution triggers a globalInfo() function that collects the victim’s IP address, geolocation via the geolocation-db.com API, and Windows username using os.getenv(‘USERNAME’).”

Issues with Mitigation and GitHub’s Response

Even with GitHub’s malware detection systems, repositories stay functional because:

  1. Activities look real: Accounts with star counts and realistic commit histories escape heuristic analysis. 
  2. Encrypted Payloads: RAR passwords like “cheats4u” stop static code analysis. 
  3. Slow Takedowns: Threat actors rebuild banned repositories via automated topic permutations. 

According to GB Hackers, “The researcher’s spreadsheet of confirmed malicious repos has not yet triggered bulk takedowns, highlighting gaps in proactive monitoring.” 

Conclusion

The GitHub campaign has exposed a significant rise in exploitation of open-source forums for large-scale social engineering. “It's been a long journey and it's barely over - but I think it's more than enough to summarise and discuss the problem,” says Tim. He finds it shocking how easily the information can be accessed online for free “without Tor, without invite, without anyone's approval.”

The information is cleverly disguised as something such as “telegram bot” that sends us offers (scams) or other lucrative baits. 

Read more »
Technology
Artificial Intelligence ChatGPT CyberCrime CyberThreat Cyersecurity GitHub Shadow AI Technology

Ensuring Governance and Control Over Shadow AI

 


AI has become almost ubiquitous in software development, as a GitHub survey shows, 92 per cent of developers in the United States use artificial intelligence as part of their everyday coding. This has led many individuals to participate in what is termed “shadow AI,” which involves leveraging the technology without the knowledge or approval of their organization’s Information Technology department and/or Chief Information Security Officer (CISO). 

This has increased their productivity. In light of this, it should not come as a surprise to learn that motivated employees will seek out the technology that can maximize their value potential as well as minimize repetitive tasks that interfere with more creative, challenging endeavours. It is not uncommon for companies to be curious about new technologies, especially those that can be used to make work easier and more efficient, such as artificial intelligence (AI) and automation tools. 

Despite the increasing amount of ingenuity, some companies remain reluctant to adopt technology at their first, or even second, glances. Nevertheless, resisting change does not necessarily mean employees will stop secretly using AI in a non-technical way, especially since tools such as Microsoft Copilot, ChatGPT, and Claude make these technologies more accessible to non-technical employees.

Known as shadow AI, shadow AI is a growing phenomenon that has gained popularity across many different sectors. There is a concept known as shadow AI, which is the use of artificial intelligence tools or systems without the official approval or oversight of the organization's information technology or security department. These tools are often adopted to solve immediate problems or boost efficiency within an organization. 

If these tools are not properly governed, they can lead to data breaches, legal violations, or regulatory non-compliance, which could pose significant risks to businesses. When Shadow AI is not properly managed, it can introduce vulnerabilities into users' infrastructure that can lead to unauthorized access to sensitive data. In a world where artificial intelligence is becoming increasingly ubiquitous, organizations should take proactive measures to make sure their operations are protected. 

Shadow generative AI poses specific and substantial risks to an organization's integrity and security, and poses significant threats to both of them. A non-regulated use of artificial intelligence can lead to decisions and actions that could undermine regulatory and corporate compliance. Particularly in industries with very strict data handling protocols, such as finance and healthcare, where strict data handling protocols are essential. 

As a result of the bias inherent in the training data, generative AI models can perpetuate these biases, generate outputs that breach copyrights, or generate code that violates licensing agreements. The untested code may cause the software to become unstable or error-prone, which can increase maintenance costs and cause operational disruptions. In addition, such code may contain undetected malicious elements, which increases the risk of data breach and system downtime, as well.

It is important to recognize that the mismanagement of Artificial Intelligence interactions in customer-facing applications can result in regulatory non-compliance, reputational damage, as well as ethical concerns, particularly when the outputs adversely impact the customer experience. Consequently, organization leaders must ensure that their organizations are protected from unintended and adverse consequences when utilizing generative AI by implementing robust governance measures to mitigate these risks. 

In recent years, AI technology, including generative and conversational AI, has seen incredible growth in popularity, leading to widespread grassroots adoption of these technologies. The accessibility of consumer-facing AI tools, which require little to no technical expertise, combined with a lack of formal AI governance, has enabled employees to utilize unvetted AI solutions, The 2025 CX Trends Report highlights a 250% year-over-year increase in shadow AI usage in some industries, exposing organizations to heightened risks related to data security, compliance, and business ethics. 

There are many reasons why employees turn to shadow AI for personal or team productivity enhancement because they are dissatisfied with their existing tools, because of the ease of access, and because they want to enhance the ability to accomplish specific tasks. In the future, this gap will grow as CX Traditionalists delay the development of AI solutions due to limitations in budget, a lack of knowledge, or an inability to get internal support from their teams. 

As a result, CX Trendsetters are taking steps to address this challenge by adopting approved artificial intelligence solutions like AI agents and customer experience automation, as well as ensuring the appropriate oversight and governance are in place. Identifying AI Implementations: CISOs and security teams, must determine who will be introducing AI throughout the software development lifecycle (SDLC), assess their security expertise, and evaluate the steps taken to minimize risks associated with AI deployment. 

In training programs, it is important to raise awareness among developers of the importance and potential of AI-assisted code as well as develop their skills to address these vulnerabilities. To identify vulnerable phases of the software development life cycle, the security team needs to analyze each phase of the SDLC and identify if any are vulnerable to unauthorized uses of AI. 

Fostering a Security-First Culture: By promoting a proactive protection mindset, organizations can reduce the need for reactive fixes by emphasizing the importance of securing their systems from the onset, thereby saving time and money. In addition to encouraging developers to prioritize safety and transparency over convenience, a robust security-first culture, backed by regular training, encourages a commitment to security. 

CISOs are responsible for identifying and managing risks associated with new tools and respecting decisions made based on thorough evaluations. This approach builds trust, ensures tools are properly vetted before deployment, and safeguards the company's reputation. Incentivizing Success: There is great value in having developers who contribute to bringing AI usage into compliance with their organizations. 

For this reason, these individuals should be promoted, challenged, and given measurable benchmarks to demonstrate their security skills and practices. As organizations reward these efforts, they create a culture in which AI deployment is considered a critical, marketable skill that can be acquired and maintained. If these strategies are implemented effectively, a CISO and development teams can collaborate to manage AI risks the right way, ensuring faster, safer, and more effective software production while avoiding the pitfalls caused by shadow AI. 

As an alternative to setting up sensitive alerts to make sure that confidential data isn't accidentally leaked, it is also possible to set up tools using artificial intelligence, for example, to help detect when a model of artificial intelligence incorrectly inputs or processes personal data, financial information, or other proprietary information. 

It is possible to identify and mitigate security breaches in real-time by providing real-time alerts in real-time, and by enabling management to reduce these breaches before they escalate into a full-blown security incident, adding a layer of security protection, in this way. 

When an API strategy is executed well, it is possible to give employees the freedom to use GenAI tools productively while safeguarding the company's data, ensuring that AI usage is aligned with internal policies, and protecting the company from fraud. To increase innovation and productivity, one must strike a balance between securing control and ensuring that security is not compromised.
Read more »
Web3
Bitcoin Bull Market Crypto GitHub Technology Trading Web3

Crypto Bull Market Targeted: The Lottie-Player Security Breach


In an alarming development for the tech community, especially for those immersed in the Web3 ecosystem, a supply chain attack has targeted the popular animation library, Lottie-Player. If users fall for this prompt, it could enable attackers to drain cryptocurrency wallets. 

Given Lottie-Player's impressive tally of over 4 million downloads and its significant presence on many prominent websites for animation embedding, this incident underscores the security vulnerabilities associated with open-source libraries.

Understanding the Attack

The breach initially came to light on GitHub when a user noticed an unusual Web3 wallet prompt while integrating Lottie-Player on their website. Upon closer examination, it was discovered that versions 2.0.5, 2.0.6, and 2.0.7 of Lottie-Player, released between 8:12 PM and 9:57 PM GMT on October 30, 2024, had been tampered with and compromised.

The attack involved the introduction of malicious code into three new versions of the Lottie-Player library, a widely used tool for rendering animations on websites and applications. Threat actors infiltrated the distribution chain, embedding code designed to steal cryptocurrencies from users' wallets. This method of attack is particularly insidious because it leverages the trust developers place in the libraries they use.

The Broader Implications

Once the compromised versions were released, they were integrated into numerous high-profile projects, unknowingly exposing countless users to the threat—the malicious code activated during transactions, redirecting funds to wallets controlled by the attackers. In one notable case, a user reportedly lost 10 Bitcoin (BTC), worth hundreds of thousands of dollars, due to a phishing transaction triggered by the malicious script.

Following the discovery of the attack, the Lottie-Player team swiftly released a clean version, 2.0.8, which developers can use to replace the compromised files. To further contain the breach and limit exposure, versions 2.0.5 through 2.0.7 were promptly removed from npm and CDN providers like unpkg and jsdelivr.

Moving Forward

The attack occurred during a pivotal phase of the crypto bull market, intensifying efforts to steal increasingly valuable tokens. To mitigate risks, it's advisable to connect a wallet only for specific purposes rather than granting full-time permissions for signing transactions. Additionally, being prompted to connect a wallet immediately upon entering a website can serve as a potential warning sign.

Read more »
Sophos report
BYOVD Attack Cyber Attacks EDR GitHub Malware Attack RansomHub Sophos Sophos report

RansomHub Deploys EDRKillShifter Malware to Disable Endpoint Detection Using BYOVD Attacks

 

Sophos security researchers have identified a new malware, dubbed EDRKillShifter, used by the RansomHub ransomware group to disable Endpoint Detection and Response (EDR) systems in attacks leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques. This method involves deploying a legitimate but vulnerable driver on a target device to gain escalated privileges, disable security measures, and take control of the system. 

The technique has gained popularity among various threat actors, including both financially motivated ransomware groups and state-sponsored hackers. The EDRKillShifter malware was discovered during an investigation of a ransomware incident in May 2024. The attackers tried to use this tool to disable Sophos protection on a targeted computer but were unsuccessful due to the endpoint agent’s CryptoGuard feature, which prevented the ransomware executable from running. Sophos’ investigation revealed two different malware samples, both exploiting vulnerable drivers with proof-of-concept code available on GitHub. These drivers include RentDrv2 and ThreatFireMonitor, the latter being part of an obsolete system-monitoring package. 

The malware’s loader execution process follows a three-step procedure. Initially, the attacker launches the EDRKillShifter binary with a password string to decrypt and execute an embedded resource named BIN in memory. This code then unpacks and executes the final payload, which installs and exploits a vulnerable driver to elevate privileges and disable active EDR processes. Once the driver is loaded, the malware creates a service and enters an endless loop that continuously monitors and terminates processes matching names on a hardcoded target list. Interestingly, the EDRKillShifter variants discovered were compiled on computers with Russian localization, and they exploit legitimate but vulnerable drivers, using modified proof-of-concept exploits found on GitHub. 

Sophos suspects that the attackers adapted portions of these proofs-of-concept and ported the code to the Go programming language. To mitigate such threats, Sophos advises enabling tamper protection in endpoint security products, separating user and admin privileges to prevent the loading of vulnerable drivers, and keeping systems updated. Notably, Microsoft continually de-certifies signed drivers known to have been misused in previous attacks. Last year, Sophos identified another EDR-disabling malware, AuKill, which similarly exploited a vulnerable Process Explorer driver in Medusa Locker and LockBit ransomware attacks.
Read more »
Ransomware
Data Breach DevSecOps GitHub GitLab Ransomware

DevSecOps Teams Face Regular Outages, Cyberattacks, and Data Breaches



The past year has seen a sharp rise in cyber attacks targeting popular DevOps platforms like GitHub, Bitbucket, GitLab, and Jira. These platforms, which are crucial for developers and IT operations teams, have faced growing threats that disrupt their services and put users at risk. The importance of securing the software development process at every stage cannot be emphasised enough. 

What is DevSecOps?

In response to the increasing complexity of cyber threats, many organisations are adopting a practice known as DevSecOps. This approach involves integrating security measures directly into the development process, rather than treating them as an afterthought. By doing so, security becomes a fundamental part of the software development lifecycle, ensuring that potential vulnerabilities are addressed early on. However, this shift also comes with challenges, as teams must be agile and proactive in adapting to new threats.

Cyber Incidents in 2023

In 2023, there was a noticeable increase in incidents that negatively affected the operation of DevOps services. GitHub, the largest of these platforms, experienced 13.94% of the reported incidents, while Bitbucket accounted for 8.33%, GitLab for 7.89%, and Jira for 4%. Most of these issues involved problems with key components that led to degraded performance and service disruptions.

One of the most alarming threats to GitHub in 2023 was the rise of a hacking method called "RepoJacking." This type of attack exposed millions of repositories to potential risks. Research indicated that as many as 9 million repositories on GitHub could be vulnerable to this kind of attack. Moreover, it was discovered that over 4,000 software packages were at risk, along with more than 15,000 Go module repositories.

Hackers also used GitHub as a platform to host malicious software. By taking advantage of GitHub's public services, attackers could create a cost-effective and reliable infrastructure for their activities, making it difficult for users to detect and respond to these threats. This method allowed hackers to retrieve malicious commands through seemingly legitimate interactions on GitHub, posing a significant risk to users' data.

Challenges Faced by Bitbucket, Jira, and GitLab

While Bitbucket saw a slight decrease in incidents in 2023, the difference was minimal, with only a 2.04% reduction compared to the previous year. Unfortunately, Jira experienced a 50% increase in incidents, with 75 recorded events, meaning users encountered an incident roughly every five days. Many of these issues were severe, involving vulnerabilities that could have serious consequences for users.

GitLab also faced challenges, with 32% of reported incidents impacting the platform's performance. This hindered users' ability to fully utilise the service. June and August were particularly problematic months for GitLab, with several events that disrupted services. In one instance, a sophisticated attack exploited a critical vulnerability (CVE-2021-22205), which could have led to ransomware attacks and data theft. GitLab's response highlighted the need for organisations to be prepared with robust security and disaster recovery plans.

The Importance of DevOps Security

One of the biggest challenges in DevOps security is ensuring that development and security teams work together effectively. Developers often focus on quickly pushing new software updates, while security teams prioritise finding and fixing vulnerabilities. Without a well-integrated security approach throughout the development process, organisations are at greater risk of cyberattacks, data breaches, and operational disruptions.

The increasing number of incidents affecting platforms like GitHub, GitLab, Bitbucket, and Jira serves as a wake-up call for organisations to strengthen their security practices. By embedding security into every stage of the development process and fostering collaboration among all teams, organisations can better protect their systems and data from cyber threats.

It’s crucial for organisations to prioritise security at every stage of software development. The challenges faced by major DevOps platforms in 2023 highlight the need for vigilance, collaboration, and proactive security measures to safeguard our digital infrastructure. By adopting a DevSecOps approach and integrating security from the start, organisations can better brace themselves.


 

Read more »
Vulnerabilities and Exploits
Account security Account Takeover BreachForums Dark Web Data Safety GitHub NPM Vulnerabilities and Exploits

Critical npm Account Takeover Vulnerability Sold on Dark Web

 

A cybercriminal known as Alderson1337 has emerged on BreachForums, offering a critical exploit targeting npm accounts. This vulnerability poses a significant threat to npm, a crucial package manager for JavaScript managed by npm, Inc., a subsidiary of GitHub. Alderson1337 claims this exploit can enable attackers to hijack npm accounts linked to specific employees within organizations. 

The method involves embedding undetectable backdoors into npm packages used by these employees, potentially compromising numerous devices upon updates. This exploit could have widespread implications for organizational security. Instead of sharing a proof of concept (PoC) publicly, Alderson1337 has invited interested buyers to contact him privately, aiming to maintain the exploit’s confidentiality and exclusivity. If executed successfully, this npm exploit could inject backdoors into npm packages, leading to extensive device compromise. 

However, npm has not yet issued an official statement, leaving the claims unverified. The incident primarily impacts npm Inc., with npmjs.com being the related website. While the potential repercussions are global, the specific industry impact remains undefined. Account takeover (ATO) vulnerabilities represent severe risks where cybercriminals gain unauthorized access to online accounts by exploiting stolen credentials. These credentials are often obtained through social engineering, data breaches, or phishing attacks. 

Once acquired, attackers use automated bots to test these credentials across various platforms, including travel, retail, finance, eCommerce, and social media sites. Users’ reluctance to update passwords and reusing them across different platforms increase the risk of credential stuffing and brute force attacks. Such practices allow attackers to access accounts, potentially leading to identity theft, financial fraud, or misuse of personal information. To mitigate ATO attack risks, experts recommend adopting strong password management practices, including using unique, complex passwords for each account and enabling two-factor authentication (2FA) wherever possible. Regular monitoring for unauthorized account activities and promptly responding to suspicious login attempts are also crucial for maintaining account security. 

While Alderson1337’s claims await verification, this incident underscores the ongoing challenges posed by account takeover vulnerabilities in today’s interconnected digital landscape. Vigilance and collaboration across the cybersecurity community are essential to mitigating these threats and preserving the integrity of online platforms and services.
Read more »
Vulnerabilities and Exploits
Bug Fixes CVE Reporting Developers GitHub Vulnerabilities and Exploits

Maintaining Sanity Amidst Unnecessary CVE Reports

Maintaining Sanity Amidst Unnecessary CVE Reports

Developers strive to maintain robust codebases, but occasionally, they encounter dubious or exaggerated reports that can disrupt their work. 

A recent incident involving the popular open-source project “ip” sheds light on the challenges faced by developers when dealing with Common Vulnerabilities and Exposures (CVEs).

The Growing Nuisance of Dubious CVE Reports in Open Source Projects

The famous open source project 'ip' just had its GitHub repository archived, or turned "read-only" by its creator.

Developer Fedor Indutny began to receive online harassment when a CVE complaint was submitted against his project, bringing the vulnerability to his attention.

Unfortunately, Indutny's condition is not isolated. Recently, open-source developers have seen an increase in dubious or, in some cases, completely false CVE reports made for their projects without confirmation.

This might cause unjustified concern among users of these projects, as well as alerts from security scanners, which can be a source of frustration for developers.

The “ip” Project and the Dubious CVE

Fedor Indutny, the creator, disputed the severity of the bug. He argued that the impact was minimal and that the reported vulnerability did not warrant a CVE. However, the process for disputing a CVE can be complex and time-consuming. 

Indutny decided to take a drastic step: he archived the “ip” repository on GitHub, making it read-only. This move was a clear expression of frustration and a signal that he would not tolerate unwarranted disruptions to his project.

The 'node-ip' project is listed on the npmjs.com registry as the 'ip' package, with 17 million downloads per week, making it one of the most popular IP address parsing utilities JavaScript developers use.

Indutny resorted to social media to express his reasons for archiving 'node-ip': 

“There is something that have been bothering me for past few months, and resulted in me archiving node-ip repo on github.Someone filed a dubious CVE about my npm package, and then I started getting messages from all people getting warnings from `npm audit`.”

The Challenge of Disputing a CVE

Disputing a CVE involves navigating a bureaucratic maze. Developers must provide evidence that the reported vulnerability is either invalid or less severe than initially assessed. Unfortunately, this process is not always straightforward. In the case of the “ip” project, Indutny’s efforts to revoke the CVE faced hurdles:

  • Severity Assessment: The initial severity assigned to the vulnerability was likely based on the worst-case scenario. However, Indutny argued that the real-world impact was minimal. Balancing severity with practical implications is a delicate task.
  • CVE Documentation: Properly documenting the dispute requires clear communication. Developers must provide detailed explanations, code samples, and any relevant context. This documentation is essential for CVE reviewers to reevaluate the issue.
  • Community Perception: Public perception matters. When a project receives a CVE, users may panic, assuming the worst. Even if the impact is minor, the mere existence of a CVE can create unnecessary anxiety.

GitHub’s Response and Recommendations

GitHub, the platform hosting the “ip” repository, adjusted the severity of the CVE after Indutny’s actions. They also recommended enabling private vulnerability reporting. This feature allows maintainers to receive vulnerability reports privately, assess them, and decide whether they warrant public disclosure. By doing so, maintainers can avoid unnecessary panic and focus on addressing legitimate issues.

Read more »
TRANSLATEXT
Cyberattacks CyberCrime Cyberhackers Cybersecurity CyberThreat GitHub JavaScript malware TRANSLATEXT

Kimsuky Unleashes TRANSLATEXT Malware on South Korean Academic Institutions

 


An investigation has found that a North Korea-linked threat actor, known as Kimsuky, has been involved in the use of a malicious Google Chrome extension to steal sensitive information to collect information as part of an ongoing intelligence collection effort. Observing the activity in early March 2024, Zscaler ThreatLabz has codenamed the extension TRANSLATEXT, emphasizing its ability to gather email addresses, usernames, passwords, cookies, and screenshots as well as its ability to gather this information. 

This targeted campaign is said to have targeted South Korean academia, specifically those focused on North Korean politics. There is a notorious North Korean hacker group known as Kimsuky that has been active since 2012, perpetrating cyber espionage and financial-motivated attacks against South Korean businesses. Kimsuky is widely known as a notorious hacker crew. In the remote server's PowerShell script, general information about the victim is uploaded as well as creating a Windows shortcut that enables a user to retrieve another script from the remote server through a PowerShell script. TRANSLATEXT's exact delivery method remains unclear, which makes it even more difficult for defenders to protect themselves from it. 

Despite this, Kimsuky is well known for utilizing sophisticated spear-phishing and social engineering attacks to trick the target into initiating the infection process. Two files appear to be connected to Korean military history when the attack begins, a ZIP archive that appears to contain two files, a Hangul Word Processor document and an executable file. Once the executable file has been launched, it retrieves a PowerShell script from the attacker's server. In addition to exporting the victim's information to a GitHub repository, this script also downloads additional PowerShell code via a Windows shortcut (LNK) file and executes it. 

It is clear from this multi-stage attack process that Kimsuky is an extremely sophisticated and well-planned operation. By using a familiar and seemingly legitimate document, the attackers decrease the chances of the targets being suspicious. As well as displaying an innovative method of blending malicious activities into regular internet traffic, GitHub is also utilized in the initial data export process, resulting in a much harder time finding and blocking malicious actions for traditional security systems. There are a few groups that are also associated with the Lazarus cluster or part of the Reconnaissance General Bureau (RGB). 

For instance, APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima are groups that are affiliated with the Lazarus cluster. There have been several incidents in the last few weeks in which the group has weaponized a vulnerability in Microsoft Office (CVE-2017-11882), distributed a keylogger, and used job-themed lures in attacks aiming at the aerospace and defence industries to drop an espionage tool that gathers data and executes secondary payloads. "The backdoor is unknown to the public and the attacker can conduct basic reconnaissance, drop additional payloads, and then take over or remotely control the computer." 

CyberArmor said. Despite Kimsuky's recent involvement in cyber espionage, it has given this campaign the name Niki. It is no secret that Kimsuky is not a new player. Since at least 2012, the group has been active and has developed a reputation for orchestrating cyber-espionage and financial-motivated attacks primarily on South Korean institutions, which has earned them a reputation as a notorious group. It has been reported that the group has stolen classified information, and committed financial fraud, and ransomware attacks. Throughout history, they have been one of the most formidable cyber threat actors associated with North Korea due to their adaptability and persistence. 

There is no doubt that Kimsuky is capable of blending cyber espionage with financially motivated operations, indicating a versatile approach to achieving the North Korean regime's objectives, whether they are to gather intelligence or generate revenue to support it. As of right now, it is not clear what is the exact mechanism for accessing the newly discovered activity, although it is known that the group is known for utilizing spear-phishing and social engineering attacks to launch the infection cycle. 

It is believed that the attack began with the delivery of a ZIP archive with the intent of containing Korean military history at the time, which contains two files: a word processor document in Hangul and an executable at the time of the attack. As soon as the executable is launched, a PowerShell script is extracted from a server controlled by the attacker that downloads additional PowerShell code with the aid of a Windows shortcut file (LNK) and creates a GitHub repository where the compromised victim's information is periodically uploaded. 

After the GitHub repository has been created, the attacker deletes the LNK file in question. This is the statement posted by Zscaler, a security company that found a GitHub account, created on February 13, 2024, that briefly hosted the TRANSLATEXT extension under the name "GoogleTranslate.crx," regardless of how it is distributed at the moment. TRANSLATEXT, which masquerades as Google Translate, incorporates JavaScript code to bypass security measures for services like Google, Kakao, and Naver; siphon email addresses, credentials, and cookies; capture browser screenshots; and exfiltrate stolen data. It's also designed to fetch commands from a Blogger Blogspot URL to take screenshots of newly opened tabs and delete all cookies from the browser, among others.
Read more »
Source Code
Data Breach GitHub New York Times Repository Source Code

New York Times Source Code Leaked Online


 

In January 2024, an exposed GitHub token led to a significant breach of The New York Times' repositories. The incident was initially identified and addressed swiftly by the company, but details have only recently emerged. The breach came to light after the stolen data was posted on the 4chan message board. An anonymous user shared a torrent link to a 273GB archive containing the pilfered data, marking one of the most substantial leaks in recent memory.

The leaked data includes around 5,000 repositories, comprising 3.6 million files. A notable portion of this data contains IT documentation, infrastructure tools, and a variety of source code. Among the stolen information is the source code for the popular game Wordle, which The New York Times acquired in 2022. The leak was first noticed by VX-Underground, a group known for monitoring and documenting malware samples and cybersecurity incidents.

The threat actor responsible for the leak reportedly accessed the repositories using an exposed GitHub token. This token granted them unauthorised access to the company’s code, enabling them to download and leak a vast amount of data. The breach's details were confirmed by The New York Times, which clarified that the exposed credentials were for a cloud-based third-party code platform, specifically GitHub.

The New York Times assured that the breach did not affect its internal corporate systems or its operations. In an official statement, the company highlighted that continuous monitoring for anomalous activity is part of their security measures. They emphasised that there was no indication of unauthorised access to Times-owned systems, underscoring their proactive approach in identifying and mitigating the breach promptly.

This leak is the second pressing incident disclosed on 4chan within the same week. Earlier, a leak involving 415MB of internal documents for Disney's Club Penguin game was reported. Sources indicate that this leak was part of a larger breach of Disney’s Confluence server, resulting in the theft of 2.5 GB of internal corporate data. It remains unclear if the same individual or group is responsible for both the New York Times and Disney breaches.

The breach of The New York Times' GitHub repositories stresses upon the importance of stringent digital security measures. As companies increasingly rely on cloud-based platforms for their operations, ensuring the security of access credentials and continuous monitoring for unauthorised activities are crucial steps in safeguarding sensitive information.


Read more »
Repository
cyber attack Cyber Attacks Data Extortion GitHub Gitloker Repository

New Extortion Scheme Targets GitHub Repositories


 

A new wave of cyberattacks is targeting GitHub repositories, wiping their contents, and demanding ransom from victims. This alarming campaign, first identified on Wednesday by Germán Fernández, a security researcher at Chilean cybersecurity firm CronUp, is being orchestrated by a threat actor using the handle "Gitloker" on Telegram.

The attackers are reportedly compromising GitHub accounts using stolen credentials. Once they gain access, they delete the contents of the repositories and create a backup of the data, which they claim can restore the deleted information. The compromised repositories are then renamed, and a single README.me file is added, instructing victims to contact the attackers via Telegram for further details.

Victims receive a ransom note that reads, "I hope this message finds you well. This is an urgent notice to inform you that your data has been compromised, and we have secured a backup." This message is intended to coerce the victims into engaging with the attackers in hopes of recovering their lost data.

GitHub has yet to release an official statement regarding the Gitloker extortion campaign. However, the platform has previously advised users to take several precautionary measures to secure their accounts. These include changing passwords, enabling two-factor authentication, adding a passkey for secure, passwordless login, and reviewing account security logs to track any changes in the repositories.

Security Recommendations

To protect against such malicious activities, GitHub users are encouraged to:

Enable Two-Factor Authentication: This adds an extra layer of security to prevent unauthorised access.

Review and Revoke Unauthorised Access: Regularly check for and remove any unauthorised SSH keys, deploy keys, and integrations.

Verify Email Addresses: Ensure all email addresses associated with the account are verified.

Monitor Security Logs: Keep an eye on account security logs to detect any suspicious activities.

Manage Webhooks and Deploy Keys: Regularly review and manage webhooks and deploy keys on repositories.

Review Recent Commits and Collaborators: Continuously check recent commits and collaborators for each repository to identify any unauthorised changes.

Previous Attacks on GitHub

This is not the first time GitHub users have faced such threats. In March 2020, hackers compromised Microsoft's GitHub account, stealing over 500GB of files from private repositories. While the stolen data primarily consisted of code samples and test projects, there was concern that private API keys or passwords might have been exposed.

Phishing Campaigns

In September 2020, GitHub users were targeted by a phishing campaign that used fake CircleCI notifications to steal GitHub credentials and two-factor authentication codes. Once compromised, attackers quickly exfiltrated data from private repositories and added new user accounts to maintain access.




Read more »
RCE
Cloud Platform Data Breach Data Leak GitHub RCE

Major Security Flaw Discovered in Popular Cloud Logging Tool

 



Researchers at Tenable have identified a severe memory corruption vulnerability in Fluent Bit, an open-source logging utility integral to major cloud services. With over 3 billion downloads as of 2022 and an additional 10 million deployments daily, Fluent Bit is a cornerstone of cloud infrastructure used by prominent organisations such as VMware, Cisco, Adobe, Walmart, LinkedIn, and cloud giants like AWS, Microsoft, and Google Cloud.

The issue, dubbed "Linguistic Lumberjack" by Tenable, stems from how Fluent Bit's embedded HTTP server handles trace requests. The vulnerability can be exploited to cause denial of service (DoS), data leaks, or even remote code execution (RCE) in cloud environments.

"While vulnerabilities in major cloud providers like Azure, AWS, and GCP grab headlines, it's crucial to scrutinise the underlying technologies these services rely on," says Jimi Sebree, senior staff research engineer at Tenable. "Critical components like Fluent Bit, which are embedded in many cloud services, pose significant risks if compromised."

Tenable's researchers stumbled upon this flaw while investigating another security issue in a cloud service. They discovered they could access various internal metrics and logging endpoints of the cloud service provider, which included Fluent Bit instances. This cross-tenant data leakage revealed a more profound problem.

The vulnerability lies in the /api/v1/traces endpoint of Fluent Bit's monitoring API. The service fails to validate data types properly, allowing attackers to input non-string values that cause memory corruption. By manipulating these inputs, attackers can crash the service and leak sensitive data. Although exploiting this for RCE would require sophisticated, targeted efforts, the potential for harm remains high.

The bug affects Fluent Bit versions 2.0.7 through 3.0.3 and is tracked under CVE-2024-4323, with critical CVSS scores exceeding 9.5 out of 10. After reporting the issue on April 30, Fluent Bit's developers promptly addressed it by validating input data types in the problematic endpoint. The fix was implemented in the project's main branch on GitHub by May 15.

Organisations using Fluent Bit are strongly advised to update their software to the latest version immediately. Alternatively, administrators should review and restrict access to Fluent Bit's monitoring API to authorised users only, or disable it entirely if feasible.

The discovery of this vulnerability accentuates the importance of scrutinising not just the cloud services themselves but also the foundational technologies they depend on. Ensuring the security of tools like Fluent Bit is vital for maintaining the integrity of cloud environments across industries.



Read more »
Threat Researchers
Cheat cryptocurrency Cyberattacks CyberCrime Cyberthreats GitHub Info-stealing JIT malware McAfee Passwords Threat Researchers

Information Stealer Malware Preys on Gamers via Deceptive Cheat Code Baits

 


There is a new info-stealing malware that appears as a cheat on a game called Cheat Lab, and it promises downloaders that if they convince their friends to download it too, they will receive a free copy. It is possible to harvest sensitive information from infected computers by using Redline malware, including passwords, cookies, autofill information, and cryptocurrency wallet information, which is one of the most powerful information-stealing malware programs. 

As a result of the malware's popularity among cybercriminals and its widespread distribution channels, it has become widespread. According to McAfee threat researchers, the new malware leverages Lua bytecode to evade detection. This makes it possible to inject malicious code into legitimate processes for stealth, while also benefiting from Just-In-Time compilations (JIT). 

Using a command and control server associated with the malware, the researchers link this variant to Redline, which has been linked to the malware for a long time. The tests BleepingComputer conducted revealed that the malware does not exhibit the typical behaviour associated with Redline, such as stealing browser information, saving passwords, and stealing cookies. 

Through a URL linked to Microsoft's 'vcpkg' GitHub repository, the malicious Redline payloads resemble demonstrations of cheating tools named "Cheat Lab" and "Cheater Pro". When the malware is executed, it unpacks two files, compiler.exe and lua51.dll, once the MSI installer is installed.  The malicious Lua bytecode is also dropped in a file called 'readme.txt'. 

The campaign uses an interesting lure to spread the malware even further by telling victims that if they convince their friends to install the cheating program, they will receive a free, fully licensed copy of the cheating program. As an added layer of legitimacy, the malware payload is distributed in the form of an uncompiled bytecode rather than an executable to avoid detection. 

To make sure that the malware is not detected, it comes in the form of an activation key included. Upon installation of the compiler.exe program, Lua bytecode is compiled and executed by it, and it also creates scheduled tasks that execute during system startup when the program is installed. The same executable also sets up persistence by creating scheduled tasks. 

McAfee reports that a fallback mechanism is used by the malware to persist the three files, copying them to a long random path under the program directory that the malware is active on the infected system, it will communicate with a C2 server and send screenshots and system information to the server, then wait for commands to be executed by the server on the host system. 

Even though it is unknown exactly how information thieves first infect computers, they are typically spread through malvertising, YouTube video descriptions, P2P downloads, and deceptive software download sites that can lead to infection. The Redline virus is a highly dangerous one, which is why users are urged not to use unsigned executables or download files from unreliable websites. 

As a result of this atta seemingly trustworthy programs, such as those found on Microsoft's GitHub, are at risk of infection by the Even though BleepingComputer contacted Microsoft about the executables that were distributed via its GitHub URLs, the company had not respond to the publication date.
Read more »
Threat Landscape
GitHub Malicious Payload malware Repository Scanning Threat Landscape

Hackers Use GitHub Search to Deliver Malware

 

Checkmarx, an application security firm, has discovered that threat actors are altering GitHub search results in order to infect developers with persistent malware.

As part of the campaign, attackers were seen developing fake repositories with popular names and themes, and then boosting their search ranks using automatic updates and fake ratings. 

To avoid detection, the threat actors concealed a harmful payload within Visual Studio project files, resulting in the execution of malware similar to Keyzetsu clipper that targets crypto wallets. The malware is installed continuously on Windows machines and is scheduled to be executed daily. 

The threat actors were observed leveraging GitHub Actions to automatically update the malicious repositories by making minor changes to a file titled 'log', which artificially enhances the repositories' visibility and the possibility of users accessing them. 

Furthermore, the attackers were detected adding fictitious stars to their repositories from various fake identities, tricking users into believing the repositories are popular and genuine. 

“Unsuspecting users, often drawn to the top search results and repositories with seemingly positive engagement, are more likely to click on these malicious repositories and use the code or tools they provide, unaware of the hidden dangers lurking within,” Checkmarx stated. 

The attackers inserted their malicious payload in a Visual Studio project file's pre-build event, causing it to be run automatically across the build process. The payload downloads additional content from certain URLs based on the victim's country, downloads encrypted files from the URLs, extracts and runs their content, and checks the system's IP address to see if it is in Russia. 

On April 3, the attackers began utilising a new URL that pointed to an archived executable file. To avoid detection by security solutions, they padded the executable with an abundance of zeros, preventing scanning.

"The results of our analysis of this malware suggest that the malware contains similarities to the 'Keyzetsu clipper' malware, a relatively new addition to the growing list of crypto wallet clippers commonly distributed through pirated software," Checkmarx said in a press release.

A scheduled task that points to an executable file shortcut is one way that malware tries to remain persistent. Several malicious repositories have received complaints from infected users, suggesting that Checkmarx's effort has been successful. 

In the aftermath of the XZ attack and many other recent incidents, it would be irresponsible for developers to rely solely on reputation as a metric when using open-source code. These incidents highlight the necessity for manual code reviews or the use of specialized tools that perform thorough code inspections for malware,” Checkmarx added.
Read more »
Security
AI-powered tool auto-fixes vulnerabilities Code Code Scanning Autofix CodeQL coding Cyber Security GHAS GitHub GitHub Advanced Security GitHub Copilot JavaScript Security

GitHub Unveils AI-Driven Tool to Automatically Rectify Code Vulnerabilities

GitHub has unveiled a novel AI-driven feature aimed at expediting the resolution of vulnerabilities during the coding process. This new tool, named Code Scanning Autofix, is currently available in public beta and is automatically activated for all private repositories belonging to GitHub Advanced Security (GHAS) customers.

Utilizing the capabilities of GitHub Copilot and CodeQL, the feature is adept at handling over 90% of alert types in popular languages such as JavaScript, Typescript, Java, and Python.

Once activated, Code Scanning Autofix presents potential solutions that GitHub asserts can resolve more than two-thirds of identified vulnerabilities with minimal manual intervention. According to GitHub's representatives Pierre Tempel and Eric Tooley, upon detecting a vulnerability in a supported language, the tool suggests fixes accompanied by a natural language explanation and a code preview, offering developers the flexibility to accept, modify, or discard the suggestions.

The suggested fixes are not confined to the current file but can encompass modifications across multiple files and project dependencies. This approach holds the promise of substantially reducing the workload of security teams, allowing them to focus on bolstering organizational security rather than grappling with a constant influx of new vulnerabilities introduced during the development phase.

However, it is imperative for developers to independently verify the efficacy of the suggested fixes, as GitHub's AI-powered feature may only partially address security concerns or inadvertently disrupt the intended functionality of the code.

Tempel and Tooley emphasized that Code Scanning Autofix aids in mitigating the accumulation of "application security debt" by simplifying the process of addressing vulnerabilities during development. They likened its impact to GitHub Copilot's ability to alleviate developers from mundane tasks, allowing development teams to reclaim valuable time previously spent on remedial actions.

In the future, GitHub plans to expand language support, with forthcoming updates slated to include compatibility with C# and Go.

For further insights into the GitHub Copilot-powered code scanning autofix tool, interested parties can refer to GitHub's documentation website.

Additionally, the company recently implemented default push protection for all public repositories to prevent inadvertent exposure of sensitive information like access tokens and API keys during code updates.

This move comes in response to a notable issue in 2023, during which GitHub users inadvertently disclosed 12.8 million authentication and sensitive secrets across more than 3 million public repositories. These exposed credentials have been exploited in several high-impact breaches in recent years, as reported by BleepingComputer.

Read more »
Python-based Malware
Cyber Attacks Cyber Security Threats data security GitHub Open Source Python-based Malware

GitHub Under Siege: Unraveling the Ongoing Automated Attack on Open-Source Repositories

 

GitHub, a cornerstone for programmers worldwide, faces a severe threat as an unknown attacker deploys an automated assault, cloning and creating malicious code repositories. The attack, involving sophisticated obfuscation and social engineering, poses a significant challenge to GitHub's security infrastructure. 

An assailant employs an automated process to fork and clone existing repositories, concealing malicious code under seven layers of obfuscation. These rogue repositories closely mimic legitimate ones, contributing to the challenge of detection. Developers unknowingly forking affected repos unintentionally amplify the attack. 

Once a developer utilizes a compromised repository, a hidden payload begins unpacking layers of obfuscation, revealing malicious Python code and a binary executable. The code then initiates the collection of confidential data and login details, which are subsequently uploaded to a control server. Security provider Apiiro's research and data teams report a substantial surge in the attack since its inception in May of the previous year. 

While GitHub diligently removes affected repositories, its automation detection system struggles to catch all instances. With millions of uploaded or forked repositories, even a 1% miss-rate translates to potentially thousands of compromised repos still operational. Initially modest in scale, the attack has grown in size and sophistication, presenting challenges for GitHub's security measures. 

Researchers attribute the operation's success to GitHub's vast user base and the increasing complexity of the attack technique. The attack's intrigue lies in the fusion of sophisticated automated methods and exploiting simple human nature. While obfuscation techniques become more intricate, the attackers heavily rely on social engineering to confuse developers, compelling them to select the malicious code. 

This unintentional spread exacerbates the attack's impact and heightens the difficulty of detection. As of now, GitHub has not issued a direct comment on the ongoing attack. However, the platform released a general statement reassuring users of its commitment to security. The platform employs manual reviews, at-scale detection utilizing machine learning, and continuously evolves to counter adversarial attacks. 

GitHub's popularity as a vital resource for developers globally has inadvertently made it a target. The platform's open-source nature and extensive user base create vulnerabilities that attackers exploit. Resolving the issue entirely proves to be an uphill battle, with GitHub still grappling with the effectiveness of the assailant's methods. 

GitHub, a linchpin for the global programming community, faces a formidable challenge as an automated attack exploits its open-source framework and vast user base. The ongoing assault, characterized by sophisticated obfuscation and social engineering, underscores the complexities of securing such a widely used platform. GitHub's response and adaptation will be crucial in mitigating the impact and fortifying defenses against evolving cyber threats.
Read more »
Supply chain vulnerability
Cyber Security GitHub RepoJacking Supply chain vulnerability

GitHub Vulnerability Exposes Millions to RepoJacking Threat

A recent study conducted by Massachusetts-based cloud-native security firm Aqua has shed light on a concerning vulnerability present in millions of software repositories hosted on GitHub. This vulnerability, dubbed RepoJacking, poses a significant threat to repositories belonging to esteemed organizations like Google, Lyft, and numerous others. 

RepoJacking involves the exploitation of vulnerabilities within GitHub repositories, potentially allowing malicious actors to gain unauthorized access and manipulate the code stored within. This vulnerability could have far-reaching consequences, including the compromise of sensitive data, the introduction of malicious code, and the disruption of software development processes. 

What is GitHub Repository and What Does it Mean When a Hacker Has Control Over It? 

Think of GitHub repositories as digital filing cabinets where developers store their code and project files. These cabinets use a system called Git to track changes made to the code over time and allow multiple developers to collaborate on the same project. However, if a hacker gains control of a GitHub repository, it can spell trouble. 

They could sneak in harmful code, swipe important data, disrupt the project's progress, or trick other developers into using their compromised code. This could lead to serious security breaches, data leaks, and project delays. So, it becomes crucial for developers to safeguard their repositories and carefully manage who has access to them. 

Emerging Dependency Repository Hijacking (aka RepoJacking)

Supply chain vulnerability, also referred to as dependency repository hijacking (RepoJacking), poses a significant threat to software security. In this form of attack, malicious actors exploit previously owned organizations or user names to distribute compromised versions of software repositories. These altered repositories may contain hidden malware, allowing attackers to perform harmful actions on systems where the tainted software is installed. 

The vulnerability arises from a flaw in the process when a repository owner decides to change their username. Although a connection is created between the old and new usernames to ensure continuity for users relying on dependencies from the old repository, this connection can be exploited by anyone who claims the old username. This loophole enables the injection of malicious code into the repository without detection. 

This type of supply-chain attack has been observed since at least 2016, when a college student uploaded custom scripts to popular package repositories like RubyGems, PyPi, and NPM, posing as legitimate packages. This technique, known as typosquatting, takes advantage of users' mistakes when selecting package names. 

Similarly, in 2021, a researcher employed a technique called dependency confusion or namespace confusion attack to breach the networks of major companies such as Apple, Microsoft, and Tesla. This involved placing malicious code packages with the same names as genuine dependencies used by the targeted companies, allowing the counterfeit code to be automatically downloaded and installed by the companies' package managers.
Read more »
Subscribe to: Posts (Atom)