GitHub | Breaking Cybersecurity News | The Hacker News

The North Korea-linked threat actor assessed to be behind the massive Bybit hack in February 2025 has been linked to a malicious campaign that targets developers to deliver new stealer malware under the guise of a coding assignment. The activity has been attributed by Palo Alto Networks Unit 42 to a hacking group it tracks as Slow Pisces , which is also known as Jade Sleet, PUKCHONG, TraderTraitor, and UNC4899. "Slow Pisces engaged with cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges," security researcher Prashil Pattni said . "These challenges require developers to run a compromised project, infecting their systems using malware we have named RN Loader and RN Stealer." Slow Pisces has a history of targeting developers, typically in the cryptocurrency sector, by approaching them on LinkedIn as part of a supposed job opportunity and enticing them into opening a PDF document that details the ...

The cascading supply chain attack that initially targeted Coinbase before becoming more widespread to single out users of the "tj-actions/changed-files" GitHub Action has been traced further back to the theft of a personal access token ( PAT ) related to SpotBugs. "The attackers obtained initial access by taking advantage of the GitHub Actions workflow of SpotBugs, a popular open-source tool for static analysis of bugs in code," Palo Alto Networks Unit 42 said in an update this week. "This enabled the attackers to move laterally between SpotBugs repositories, until obtaining access to reviewdog." There is evidence to suggest that the malicious activity began as far back as late November 2024, although the attack against Coinbase did not take place until March 2025. Unit 42 said its investigation began with the knowledge that reviewdog's GitHub Action was compromised due to a leaked PAT associated with the project's maintainer. This subsequen...

The problem is simple: all breaches start with initial access, and initial access comes down to two primary attack vectors – credentials and devices. This is not news; every report you can find on the threat landscape depicts the same picture.  The solution is more complex. For this article, we'll focus on the device threat vector. The risk they pose is significant, which is why device management tools like Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) are essential components of an organization's security infrastructure. However, relying solely on these tools to manage device risk actually creates a false sense of security. Instead of the blunt tools of device management, organizations are looking for solutions that deliver device trust . Device trust provides a comprehensive, risk-based approach to device security enforcement, closing the large gaps left behind by traditional device management solutions. Here are 5 of those limitations and how to ov...

Cybersecurity researchers have discovered an updated version of a malware loader called Hijack Loader that implements new features to evade detection and establish persistence on compromised systems. "Hijack Loader released a new module that implements call stack spoofing to hide the origin of function calls (e.g., API and system calls)," Zscaler ThreatLabz researcher Muhammed Irfan V A said in an analysis. "Hijack Loader added a new module to perform anti-VM checks to detect malware analysis environments and sandboxes." Hijack Loader, first discovered in 2023, offers the ability to deliver second-stage payloads such as information stealer malware. It also comes with a variety of modules to bypass security software and inject malicious code. Hijack Loader is tracked by the broader cybersecurity community under the names DOILoader, GHOSTPULSE, IDAT Loader, and SHADOWLADDER. In October 2024, HarfangLab and Elastic Security Labs detailed Hijack Loader campaigns t...

The supply chain attack involving the GitHub Action "tj-actions/changed-files" started as a highly-targeted attack against one of Coinbase's open-source projects, before evolving into something more widespread in scope. "The payload was focused on exploiting the public CI/CD flow of one of their open source projects – agentkit, probably with the purpose of leveraging it for further compromises," Palo Alto Networks Unit 42 said in a report. "However, the attacker was not able to use Coinbase secrets or publish packages." The incident came to light on March 14, 2025, when it was found that "tj-actions/changed-files" was compromised to inject code that leaked sensitive secrets from repositories that ran the workflow. It has been assigned the CVE identifier CVE-2025-30066 (CVSS score: 8.6). According to Endor Labs, 218 GitHub repositories are estimated to have exposed their secrets due to the supply chain attack, and a majority of the leak...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a vulnerability linked to the supply chain compromise of the GitHub Action, tj-actions/changed-files, to its Known Exploited Vulnerabilities (KEV) catalog. The high-severity flaw, tracked as CVE-2025-30066 (CVSS score: 8.6), involves the breach of the GitHub Action to inject malicious code that enables a remote attacker to access sensitive data via actions logs. "The tj-actions/changed-files GitHub Action contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading actions logs," CISA said in an alert. "These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys." Cloud security company Wiz has since revealed that the attack may have been an instance of a cascading supply chain attack, with unidentified threat actors first compromising the re...

Cybersecurity researchers are calling attention to an incident in which the popular GitHub Action tj-actions/changed-files was compromised to leak secrets from repositories using the continuous integration and continuous delivery (CI/CD) workflow. The incident involved the tj-actions/changed-files GitHub Action, which is used in over 23,000 repositories. It's used to track and retrieve all changed files and directories. The supply chain compromise has been assigned the CVE identifier CVE-2025-30066 (CVSS score: 8.6). The incident is said to have taken place sometime before March 14, 2025. "In this attack, the attackers modified the action's code and retroactively updated multiple version tags to reference the malicious commit," StepSecurity said . "The compromised Action prints CI/CD secrets in GitHub Actions build logs." The net result of this behavior is that should the workflow logs be publicly accessible, they could lead to the unauthorized expo...

Two high-severity security flaws have been disclosed in the open-source ruby-saml library that could allow malicious actors to bypass Security Assertion Markup Language (SAML) authentication protections. SAML is an XML-based markup language and open-standard used for exchanging authentication and authorization data between parties, enabling features like single sign-on (SSO), which allows individuals to use a single set of credentials to access multiple sites, services, and apps. The vulnerabilities, tracked as CVE-2025-25291 and CVE-2025-25292 , carry a CVSS score of 8.8 out of 10.0. They affect the following versions of the library - < 1.12.4 >= 1.13.0, < 1.18.0 Both the shortcomings stem from how both REXML and Nokogiri parse XML differently, causing the two parsers to generate entirely different document structures from the same XML input This parser differential allows an attacker to be able to execute a Signature Wrapping attack, leading to an authentication by...

Microsoft has disclosed details of a large-scale malvertising campaign that's estimated to have impacted over one million devices globally as part of what it said is an opportunistic attack designed to steal sensitive information. The tech giant, which detected the activity in early December 2024, is tracking it under the broader umbrella Storm-0408, a moniker used for a set of threat actors that are known to distribute remote access or information-stealing malware via phishing, search engine optimization (SEO), or malvertising. "The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms," the Microsoft Threat Intelligence team said . "The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack." The most signifi...

Cybersecurity researchers are calling attention to an ongoing campaign that's targeting gamers and cryptocurrency investors under the guise of open-source projects hosted on GitHub . The campaign, which spans hundreds of repositories, has been dubbed GitVenom by Kaspersky. "The infected projects include an automation instrument for interacting with Instagram accounts, a Telegram bot that enables the remote management of Bitcoin wallets and a crack tool to play the Valorant game," the Russian cybersecurity vendor said. "All of this alleged project functionality was fake, and cybercriminals behind the campaign stole personal and banking data and hijacked cryptowallet addresses from the clipboard." The malicious activity has facilitated the theft of 5 bitcoins, approximately worth $456,600 as of writing. It's believed the campaign has been ongoing for at least two years, when some of the fake projects were published. A majority of the infection attempts...

The North Korean threat actor known as the Lazarus Group has been linked to a previously undocumented JavaScript implant named Marstech1 as part of limited targeted attacks against developers. The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by means of an open-source repository hosted on GitHub that's associated with a profile named "SuccessFriend." The profile, active since July 2024, is no longer accessible on the code hosting platform. The implant is designed to collect system information, and can be embedded within websites and NPM packages, posing a supply chain risk. Evidence shows that the malware first emerged in late December 2024. The attack has amassed 233 confirmed victims across the U.S., Europe, and Asia. "The profile mentioned web dev skills and learning blockchain which is in alignment to the interests of Lazarus," SecurityScorecard said . "The threat actor was committing both pre-o...

Cybersecurity researchers have called attention to a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of granting the adversary remote access to infected systems. The package, named github.com/boltdb-go/bolt , is a typosquat of the legitimate BoltDB database module ( github.com/boltdb/bolt ), per Socket. The malicious version (1.3.1) was published to GitHub in November 2021, following which it was cached indefinitely by the Go Module Mirror service. "Once installed, the backdoored package grants the threat actor remote access to the infected system, allowing them to execute arbitrary commands," security researcher Kirill Boychenko said in an analysis. Socket said the development marks one of the earliest instances of a malicious actor abusing the Go Module Mirror's indefinite caching of modules to trick users into downloading the package. Subsequently, the attacker is said to have modified the Git tags in the source r...

The North Korean threat actors behind the Contagious Interview campaign have been observed delivering a collection of Apple macOS malware strains dubbed FERRET as part of a supposed job interview process. "Targets are typically asked to communicate with an interviewer through a link that throws an error message and a request to install or update some required piece of software such as VCam or CameraAccess for virtual meetings," SentinelOne researchers Phil Stokes and Tom Hegel said in a new report. Contagious Interview, first uncovered in late 2023, is a persistent effort undertaken by the hacking crew to deliver malware to prospective targets through bogus npm packages and native apps masquerading as videoconferencing software. It's also tracked as DeceptiveDevelopment and DEV#POPPER. These attack chains are designed to drop a JavaScript-based malware known as BeaverTail, which, besides harvesting sensitive data from web browsers and crypto wallets, is capable of d...

A Russian-speaking cybercrime gang known as Crazy Evil has been linked to over 10 active social media scams that leverage a wide range of tailored lures to deceive victims and trick them into installing malware such as StealC , Atomic macOS Stealer (aka AMOS ), and Angel Drainer . "Specializing in identity fraud, cryptocurrency theft, and information-stealing malware, Crazy Evil employs a well-coordinated network of traffers — social engineering experts tasked with redirecting legitimate traffic to malicious phishing pages," Recorded Future's Insikt Group said in an analysis. The use of a diverse malware arsenal cryptoscam group is a sign that the threat actor is targeting users of both Windows and macOS systems, posing a risk to the decentralized finance ecosystem. Crazy Evil has been assessed to be active since at least 2021, functioning primarily as a traffer team tasked with redirecting legitimate traffic to malicious landing pages operated by other criminal cre...

Multiple security vulnerabilities have been disclosed in GitHub Desktop as well as other Git-related projects that, if successfully exploited, could permit an attacker to gain unauthorized access to a user's Git credentials. "Git implements a protocol called Git Credential Protocol to retrieve credentials from the credential helper ," GMO Flatt Security researcher Ry0taK, who discovered the flaws, said in an analysis published Sunday. "Because of improper handling of messages, many projects were vulnerable to credential leakage in various ways." The list of identified vulnerabilities, dubbed Clone2Leak, is as follows - CVE-2025-23040 (CVSS score: 6.6) - Maliciously crafted remote URLs could lead to credential leaks in GitHub Desktop  CVE-2024-50338 (CVSS score: 7.4) - Carriage-return character in remote URL allows the malicious repository to leak credentials in Git Credential Manager CVE-2024-53263 (CVSS score: 8.5) - Git LFS permits retrieval of cre...