GitHub | Breaking Cybersecurity News | The Hacker News

GitHub has  announced  an improvement to its secret scanning feature that extends validity checks to popular services such as Amazon Web Services (AWS), Microsoft, Google, and Slack. Validity checks,  introduced  by the Microsoft subsidiary earlier this year, alert users whether exposed tokens found by  secret scanning  are active, thereby allowing for effective remediation measures. It was first enabled for GitHub tokens. The cloud-based code hosting and version control service said it intends to support more tokens in the future. To toggle the setting, enterprise or organization owners and repository administrators can head to Settings > Code security and analysis > Secret scanning and check the option "Automatically verify if a secret is valid by sending it to the relevant partner." Earlier this year, GitHub also  expanded  secret scanning alerts for all public repositories and announced the  availability of push protection  to help developers and maintainers pr

A new deceptive campaign has been observed hijacking GitHub accounts and committing malicious code disguised as Dependabot contributions with an aim to steal passwords from developers. "The malicious code exfiltrates the GitHub project's defined secrets to a malicious C2 server and modify any existing javascript files in the attacked project with a web-form password-stealer malware code effecting any end-user submitting its password in a web form," Checkmarx  said  in a technical report. The malware is also designed to capture GitHub secrets and variables to a remote server by means of a GitHub Action. The software supply chain security firm said it observed the atypical commits to hundreds of public and private GitHub repositories between July 8 and 11, 2023. It has emerged that the victims had their GitHub personal access tokens stolen and used by the threat actors to make falsified code commits to users' repositories by posing as Dependabot. Dependabot  is d

Microsoft on Monday said it took steps to correct a glaring security gaffe that led to the exposure of 38 terabytes of private data. The leak was discovered on the company's AI GitHub repository and is said to have been inadvertently made public when publishing a bucket of open-source training data, Wiz said. It also included a disk backup of two former employees' workstations containing secrets, keys, passwords, and over 30,000 internal Teams messages. The repository, named " robust-models-transfer ," is no longer accessible. Prior to its takedown, it featured source code and machine learning models pertaining to a  2020 research paper   titled  "Do Adversarially Robust ImageNet Models Transfer Better?" "The exposure came as the result of an overly permissive  SAS token  – an Azure feature that allows users to share data in a manner that is both hard to track and hard to revoke," Wiz  said  in a report. The issue was reported to Microsoft on J

A new vulnerability disclosed in GitHub could have exposed thousands of repositories at risk of repojacking attacks, new findings show. The flaw "could allow an attacker to exploit a race condition within GitHub's repository creation and username renaming operations," Checkmarx security researcher Elad Rapoport  said  in a technical report shared with The Hacker News. "Successful exploitation of this vulnerability impacts the open-source community by enabling the hijacking of over 4,000 code packages in languages such as Go, PHP, and Swift, as well as GitHub actions." Following responsible disclosure on March 1, 2023, the Microsoft-owned code hosting platform has addressed the issue as of September 1, 2023. Repojacking , short for  repository hijacking , is a technique where a threat actor is able to bypass a security mechanism called popular repository namespace retirement and ultimately control of a repository. What the protection measure does is preven

Millions of software repositories on GitHub are likely vulnerable to an attack called RepoJacking , a new study has revealed. This includes repositories from organizations such as Google, Lyft, and several others, Massachusetts-based cloud-native security firm Aqua  said  in a Wednesday report. The supply chain vulnerability, also known as dependency repository hijacking, is a  class of attacks  that makes it possible to take over retired organization or user names and publish trojanized versions of repositories to run malicious code. "When a repository owner changes their username, a link is created between the old name and the new name for anyone who downloads dependencies from the old repository," researchers Ilay Goldman and Yakir Kadkoda said. "However, it is possible for anyone to create the old username and break this link." Alternatively, a similar scenario could arise when a repository ownership is transferred to another user and the original account

At least half of dozen GitHub accounts from fake researchers associated with a fraudulent cybersecurity company have been observed pushing malicious repositories on the code hosting service. All seven repositories, which are still available as of writing, claim to be a proof-of-concept (PoC) exploit for purported zero-day flaws in Discord, Google Chrome, and Microsoft Exchange Server. VulnCheck, which discovered the activity,  said , "the individuals creating these repositories have put significant effort into making them look legitimate by creating a network of accounts and Twitter profiles, pretending to be part of a non-existent company called High Sierra Cyber Security." The cybersecurity firm said it first came across the rogue repositories in early May when they were observed releasing similar PoC exploits for zero-day bugs in Signal and WhatsApp. The repositories hosting the two PoCs have since been taken down. Besides sharing some of the purported findings on Tw

The most precious asset in today's information age is the secret safeguarded under lock and key. Regrettably, maintaining secrets has become increasingly challenging, as highlighted by the  2023 State of Secrets Sprawl  report, the largest analysis of public GitHub activity.  The report shows a  67% year-over-year increase  in the number of secrets found, with 10 million hard-coded secrets detected in 2022 alone. This alarming surge in secrets sprawl highlights  the need for action  and underscores the importance of secure software development. Secrets sprawl refers to secrets appearing in plaintext in various sources, such as source code, build scripts, infrastructure as code, logs, etc. While secrets like API tokens and private keys securely connect the components of the modern software supply chain, their widespread distribution among developers, machines, applications, and infrastructure systems heightens the likelihood of leaks. Cybersecurity Incidents Highlight the Danger

GitHub has announced the general availability of a new security feature called  push protection , which aims to prevent developers from inadvertently leaking keys and other secrets in their code. The Microsoft-owned cloud-based repository hosting platform, which began  testing the feature  a year ago, said it's also extending push protection to all public repositories at no extra cost. The functionality is designed to work hand-in-hand with the existing  secret scanning feature , which scans repositories for known secret formats to prevent their fraudulent use and avert potentially serious consequences. "Push protection prevents secret leaks without compromising the developer experience by scanning for highly identifiable secrets before they are committed," GitHub  said  earlier this week. "When a secret is detected in code, developers are prompted directly in their IDE or command line interface with remediation guidance to ensure that the secret is never expo

The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors. Google-owned Mandiant, which is  tracking  the attack event under the moniker  UNC4736 ,  said  the incident marks the first time it has seen a "software supply chain attack lead to another software supply chain attack." The Matryoshka doll-style cascading attack against 3CX first came to light on March 29, 2023, when it  emerged  that Windows and macOS versions of its communication software were trojanized to deliver a C/C++-based data miner named ICONIC Stealer by means of a downloader, SUDDENICON, that used icon files hosted on GitHub to extract the server containing the stealer. "The malicious application next attempts to steal sensitive information from the victim user's web browser," the U.S. Cybersecurity and Infrastructure Security Agency (CISA)  said

The notorious North Korea-aligned state-sponsored actor known as the  Lazarus Group  has been attributed to a new campaign aimed at Linux users. The attacks are part of a persistent and long-running activity tracked under the name  Operation Dream Job , ESET said in a  new report  published today. The findings are crucial, not least because it marks the first publicly documented example of the adversary using Linux malware as part of this social engineering scheme. Operation Dream Job , also known as  DeathNote or NukeSped , refers to multiple attack waves wherein the group leverages fraudulent job offers as a lure to trick unsuspecting targets into downloading malware. It also  exhibits overlaps  with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star. The attack chain discovered by ESET is no different in that it delivers a fake HSBC job offer as a decoy within a ZIP archive file that's then used to launch a Linux backdoor named SimplexTea

Less than a month ago, Twitter indirectly acknowledged that some of its source code had been leaked on the code-sharing platform GitHub by sending a copyright infringement notice to take down the incriminated repository. The latter is now inaccessible, but according to the media, it was accessible to the public for several months. A user going by the name FreeSpeechEnthousiast committed thousands of documents belonging to the social media platform over several months.  While there is no concrete evidence to support this hypothesis, the timing of the leak and the ironic username used by the perpetrator suggest that the leak was a deliberate act aimed at causing harm to the company. Although it is still too early to measure the impact of this leak on the health of Twitter, this incident should be an opportunity for all software vendors to ask a simple question:  what if this happened to us? Protecting sensitive information in the software industry is becoming increasingly critical as

Cloud-based repository hosting service GitHub said it took the step of replacing its RSA SSH host key used to secure Git operations "out of an abundance of caution" after it was briefly exposed in a public repository. The activity, which was carried out at 05:00 UTC on March 24, 2023, is said to have been undertaken as a measure to prevent any bad actor from impersonating the service or eavesdropping on users' operations over SSH. "This key does not grant access to GitHub's infrastructure or customer data," Mike Hanley, chief security officer and SVP of engineering at GitHub,  said  in a post. "This change only impacts Git operations over SSH using RSA." The move does not impact Web traffic to GitHub.com and Git operations performed via HTTPS. No change is required for ECDSA or Ed25519 users. The Microsoft-owned company said there is no evidence that the exposed SSH private key was exploited by adversaries. It did not disclose how long the se

GitHub on Monday disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of GitHub Desktop for Mac and Atom apps. As a result, the company is  taking the step  of revoking the exposed certificates out of abundance of caution. The following versions of GitHub Desktop for Mac have been invalidated: 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2. Versions 1.63.0 and 1.63.1 of Atom are also expected to stop working as of February 2, 2023, requiring that users downgrade to a  previous version  (1.60.0) of the source code editor. Atom was officially discontinued in December 2022. GitHub Desktop for Windows is not affected. The Microsoft-owned subsidiary said it detected unauthorized access to a set of repositories, including those from deprecated GitHub-owned organizations, used in the planning and development of GitHub Desktop and Atom on December 7, 2022. The repositories are said to have be

New research has found that it is possible for threat actors to abuse a legitimate feature in GitHub Codespaces to deliver malware to victim systems. GitHub Codespaces  is a cloud-based configurable development environment that allows users to debug, maintain, and commit changes to a given codebase from a web browser or via an integration in Visual Studio Code. It also comes with a port forwarding feature that makes it possible to access a web application that's running on a particular port within the codespace directly from the browser on a local machine for testing and debugging purposes. "You can also forward a port manually, label forwarded ports, share forwarded ports with members of your organization, share forwarded ports publicly, and add forwarded ports to the codespace configuration," GitHub  explains  in its documentation. It's  important  to note here that any forwarded port that's made public will also permit any party with knowledge of the URL

A South Africa-based threat actor known as Automated Libra has been observed employing CAPTCHA bypass techniques to create GitHub accounts in a programmatic fashion as part of a freejacking campaign dubbed PURPLEURCHIN. The group "primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their crypto mining operations," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist  said . PURPLEURCHIN first came to light in October 2022 when Sysdig  disclosed  that the adversary created as many as 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts to scale its operation. Now according to Unit 42, the cloud threat actor group created three to five GitHub accounts every minute at the height of its activity in November 2022, totally setting up over 130,000 bogus accounts across Heroku, Togglebox, and GitHub. More than 22,000 GitHub accounts are estimated to have been created between September and Novemb

Okta, a company that provides identity and access management services, disclosed on Wednesday that some of its source code repositories were accessed in an unauthorized manner earlier this month. "There is no impact to any customers, including any HIPAA, FedRAMP, or DoD customers," the company  said  in a public statement. "No action is required by customers." The security event, which was  first reported  by Bleeping Computer, involved unidentified threat actors gaining access to the Okta Workforce Identity Cloud ( WIC ) code repositories hosted on GitHub. The access was subsequently abused to copy the source code. The cloud-based identity management platform noted that it was alerted to the incident by Microsoft-owned GitHub in early December 2022. It also emphasized that the breach did not result in unauthorized access to customer data or the Okta service. Upon discovering the lapse, Okta said it placed temporary restrictions on repository access and that i

GitHub on Thursday said it is making available its secret scanning service to all public repositories on the code hosting platform for free. "Secret scanning alerts notify you directly about leaked secrets in your code," the company  said , adding it's expected to complete the rollout by the end of January 2023.  Secret scanning is  designed  to examine repositories for access tokens, private keys, credentials, API keys, and other secrets in  over 200 formats  that may have been accidentally committed, and generate alerts to prevent their misuse. The security option was previously limited to repositories owned by organizations that use GitHub Enterprise Cloud and have a GitHub Advanced Security license. For customers of GitHub Advanced Security, the  protections  go a step further by performing the scans for exposed secrets, including custom patterns,  during code pushes . The Microsoft subsidiary also said it's  planning  to turn on two-factor authentication

Security researchers are warning of "a trove of sensitive information" leaking through urlscan.io, a website scanner for suspicious and malicious URLs. "Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable," Positive Security co-founder, Fabian Bräunlein,  said  in a report published on November 2, 2022. The Berlin-based cybersecurity firm said it started an investigation in the aftermath of a  notification  sent by GitHub in February 2022 to an unknown number of users about sharing their usernames and private repository names (i.e.,  GitHub Pages URLs ) to urlscan.io for metadata analysis as part of an automated process. Urlscan.io, which has been described as a  sandbox for the web , is  integrated  into several security solutions  via its API . "With the type of integration of this API (for example via a security tool that scans every incoming email and performs a urlscan o