Search Results: GitHubSecurity

GitHub Notifications Weaponized in Sophisticated Crypto Phishing Campaign Impersonating Y Combinator

Attackers exploited GitHub's notification system to send fraudulent Y Combinator funding invitations to developers, deploying cryptocurrency drainers via typosquatted domains. The campaign abused repository issue tagging to deliver seemingly legitimate emails, ultimately tricking victims into signing malicious Ethereum transactions. This incident highlights evolving supply chain risks targeting developers through trusted platforms.
GitHub's Malware Menace: How Fake Repositories Target macOS Users

Malicious actors are exploiting GitHub's trusted reputation to distribute macOS malware through SEO-optimized fake repositories. These attacks use encoded terminal commands, VM detection evasion, and fake installers to bypass security measures. The incident highlights growing supply chain risks in open-source ecosystems.
GhostAction Attack Exfiltrates 3,325 Secrets in Sophisticated GitHub Supply Chain Breach

A new supply chain attack dubbed 'GhostAction' compromised 817 GitHub repositories, stealing 3,325 critical secrets including PyPI, npm, and AWS credentials. Attackers hijacked maintainer accounts to inject malicious GitHub Actions workflows that automatically harvested secrets upon code commits. The incident highlights escalating threats to open-source infrastructure and the fragility of CI/CD pipelines.
GitHub Debuts AI-Powered Autofix for Vulnerability Remediation in Pull Requests

GitHub has launched Code Scanning Autofix in public beta, leveraging AI to automatically suggest fixes for security vulnerabilities during code review. This integration of CodeQL, Copilot, and OpenAI's GPT-4 aims to dramatically reduce remediation time for common flaws in JavaScript, TypeScript, Java, and Python.
Toptal GitHub Breach Unleashes Malicious npm Packages in Dev Supply Chain Attack

Hackers compromised Toptal's GitHub organization, weaponizing their trusted Picasso design system to publish ten malicious npm packages that stole GitHub tokens and wiped developer machines. With 5,000 downloads before detection, this breach highlights critical vulnerabilities in open-source supply chains. The attackers' sophisticated preinstall/postinstall scripts demonstrate evolving threats to developer ecosystems.