#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter

GitHub | Breaking Cybersecurity News | The Hacker News

GitHub Swiftly Replaces Exposed RSA SSH Key to Protect Git Operations

GitHub Swiftly Replaces Exposed RSA SSH Key to Protect Git Operations

Mar 24, 2023 Cloud Security / Programming
Cloud-based repository hosting service GitHub said it took the step of replacing its RSA SSH host key used to secure Git operations "out of an abundance of caution" after it was briefly exposed in a public repository. The activity, which was carried out at 05:00 UTC on March 24, 2023, is said to have been undertaken as a measure to prevent any bad actor from impersonating the service or eavesdropping on users' operations over SSH. "This key does not grant access to GitHub's infrastructure or customer data," Mike Hanley, chief security officer and SVP of engineering at GitHub,  said  in a post. "This change only impacts Git operations over SSH using RSA." The move does not impact Web traffic to GitHub.com and Git operations performed via HTTPS. No change is required for ECDSA or Ed25519 users. The Microsoft-owned company said there is no evidence that the exposed SSH private key was exploited by adversaries. It did not disclose how long the se
GitHub Breach: Hackers Stole Code-Signing Certificates for GitHub Desktop and Atom

GitHub Breach: Hackers Stole Code-Signing Certificates for GitHub Desktop and Atom

Jan 31, 2023 Security Incident / Encryption
GitHub on Monday disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of GitHub Desktop for Mac and Atom apps. As a result, the company is  taking the step  of revoking the exposed certificates out of abundance of caution. The following versions of GitHub Desktop for Mac have been invalidated: 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2. Versions 1.63.0 and 1.63.1 of Atom are also expected to stop working as of February 2, 2023, requiring that users downgrade to a  previous version  (1.60.0) of the source code editor. Atom was officially discontinued in December 2022. GitHub Desktop for Windows is not affected. The Microsoft-owned subsidiary said it detected unauthorized access to a set of repositories, including those from deprecated GitHub-owned organizations, used in the planning and development of GitHub Desktop and Atom on December 7, 2022. The repositories are said to have be
cyber security

external linkTraditional App Security is No Longer Enough

websitewww.nonamesecurity.comAPI Security
When it comes to ensuring the security of your APIs, there are four critical capabilities.
Hackers Can Abuse Legitimate GitHub Codespaces Feature to Deliver Malware

Hackers Can Abuse Legitimate GitHub Codespaces Feature to Deliver Malware

Jan 17, 2023 Threat Response / Malware
New research has found that it is possible for threat actors to abuse a legitimate feature in GitHub Codespaces to deliver malware to victim systems. GitHub Codespaces  is a cloud-based configurable development environment that allows users to debug, maintain, and commit changes to a given codebase from a web browser or via an integration in Visual Studio Code. It also comes with a port forwarding feature that makes it possible to access a web application that's running on a particular port within the codespace directly from the browser on a local machine for testing and debugging purposes. "You can also forward a port manually, label forwarded ports, share forwarded ports with members of your organization, share forwarded ports publicly, and add forwarded ports to the codespace configuration," GitHub  explains  in its documentation. It's  important  to note here that any forwarded port that's made public will also permit any party with knowledge of the URL
Hackers Using CAPTCHA Bypass Tactics in Freejacking Campaign on GitHub

Hackers Using CAPTCHA Bypass Tactics in Freejacking Campaign on GitHub

Jan 06, 2023 Cryptocurrency / GitHub
A South Africa-based threat actor known as Automated Libra has been observed employing CAPTCHA bypass techniques to create GitHub accounts in a programmatic fashion as part of a freejacking campaign dubbed PURPLEURCHIN. The group "primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their crypto mining operations," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist  said . PURPLEURCHIN first came to light in October 2022 when Sysdig  disclosed  that the adversary created as many as 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts to scale its operation. Now according to Unit 42, the cloud threat actor group created three to five GitHub accounts every minute at the height of its activity in November 2022, totally setting up over 130,000 bogus accounts across Heroku, Togglebox, and GitHub. More than 22,000 GitHub accounts are estimated to have been created between September and Novemb
Hackers Breach Okta's GitHub Repositories, Steal Source Code

Hackers Breach Okta's GitHub Repositories, Steal Source Code

Dec 22, 2022 Software Security / Data Breach
Okta, a company that provides identity and access management services, disclosed on Wednesday that some of its source code repositories were accessed in an unauthorized manner earlier this month. "There is no impact to any customers, including any HIPAA, FedRAMP, or DoD customers," the company  said  in a public statement. "No action is required by customers." The security event, which was  first reported  by Bleeping Computer, involved unidentified threat actors gaining access to the Okta Workforce Identity Cloud ( WIC ) code repositories hosted on GitHub. The access was subsequently abused to copy the source code. The cloud-based identity management platform noted that it was alerted to the incident by Microsoft-owned GitHub in early December 2022. It also emphasized that the breach did not result in unauthorized access to customer data or the Okta service. Upon discovering the lapse, Okta said it placed temporary restrictions on repository access and that i
GitHub Announces Free Secret Scanning for All Public Repositories

GitHub Announces Free Secret Scanning for All Public Repositories

Dec 16, 2022 Secure Coding / Code Hosting
GitHub on Thursday said it is making available its secret scanning service to all public repositories on the code hosting platform for free. "Secret scanning alerts notify you directly about leaked secrets in your code," the company  said , adding it's expected to complete the rollout by the end of January 2023.  Secret scanning is  designed  to examine repositories for access tokens, private keys, credentials, API keys, and other secrets in  over 200 formats  that may have been accidentally committed, and generate alerts to prevent their misuse. The security option was previously limited to repositories owned by organizations that use GitHub Enterprise Cloud and have a GitHub Advanced Security license. For customers of GitHub Advanced Security, the  protections  go a step further by performing the scans for exposed secrets, including custom patterns,  during code pushes . The Microsoft subsidiary also said it's  planning  to turn on two-factor authentication
Experts Find URLScan Security Scanner Inadvertently Leaks Sensitive URLs and Data

Experts Find URLScan Security Scanner Inadvertently Leaks Sensitive URLs and Data

Nov 07, 2022
Security researchers are warning of "a trove of sensitive information" leaking through urlscan.io, a website scanner for suspicious and malicious URLs. "Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable," Positive Security co-founder, Fabian Br√§unlein,  said  in a report published on November 2, 2022. The Berlin-based cybersecurity firm said it started an investigation in the aftermath of a  notification  sent by GitHub in February 2022 to an unknown number of users about sharing their usernames and private repository names (i.e.,  GitHub Pages URLs ) to urlscan.io for metadata analysis as part of an automated process. Urlscan.io, which has been described as a  sandbox for the web , is  integrated  into several security solutions  via its API . "With the type of integration of this API (for example via a security tool that scans every incoming email and performs a urlscan o
Dropbox Breach: Hackers Unauthorizedly Accessed 130 GitHub Source Code Repositories

Dropbox Breach: Hackers Unauthorizedly Accessed 130 GitHub Source Code Repositories

Nov 02, 2022
File hosting service Dropbox on Tuesday disclosed that it was the victim of a phishing campaign that allowed unidentified threat actors to gain unauthorized access to 130 of its source code repositories on GitHub. "These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team," the company  revealed  in an advisory. The breach resulted in the access of some API keys used by Dropbox developers as well as "a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors." It, however, stressed that the repositories did not contain source code related to its core apps or infrastructure. Dropbox, which offers cloud storage, data backup, and document signing services, among others, has over 17.37 million paying users and 700 million registered users as of  August 2022 . The di
GitHub Repojacking Bug Could've Allowed Attackers to Takeover Other Users' Repositories

GitHub Repojacking Bug Could've Allowed Attackers to Takeover Other Users' Repositories

Oct 31, 2022
Cloud-based repository hosting service GitHub has addressed a high-severity security flaw that could have been exploited to create malicious repositories and mount supply chain attacks. The RepoJacking technique,  disclosed  by Checkmarx, entails a bypass of a protection mechanism called  popular repository namespace retirement , which aims to prevent developers from pulling unsafe repositories with the same name. The issue was addressed by the Microsoft-owned subsidiary on September 19, 2022 following responsible disclosure. RepoJacking  occurs  when a creator of a repository opts to change the username, potentially enabling a threat actor to claim the old username and publish a rogue repository with the same name in an attempt to trick users into downloading them. While Microsoft's countermeasure "retire[s] the namespace of any open source project that had more than 100 clones in the week leading up to the owner's account being renamed or deleted," Checkmarx
Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox

Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox

Oct 11, 2022
A now-patched security flaw in the vm2 JavaScript sandbox module could be abused by a remote adversary to break out of security barriers and perform arbitrary operations on the underlying machine. "A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," GitHub  said  in an advisory published on September 28, 2022. The issue, tracked as CVE-2022-36067 and codenamed Sandbreak, carries a maximum severity rating of 10 on the CVSS vulnerability scoring system. It has been addressed in  version 3.9.11  released on August 28, 2022. vm2 is a  popular Node library  that's used to run untrusted code with allowlisted built-in modules. It's also one of the most widely downloaded software, accounting for nearly 3.5 million downloads per week. The  shortcoming  is rooted in the error mechanism in Node.js to escape the sandbox, according to application security firm Oxeye, which  discovered the flaw . This mean
Hackers Using Fake CircleCI Notifications to Hack GitHub Accounts

Hackers Using Fake CircleCI Notifications to Hack GitHub Accounts

Sep 23, 2022
GitHub has put out an advisory detailing what may be an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform. The Microsoft-owned code hosting service said it learned of the attack on September 16, 2022, adding the campaign impacted "many victim organizations." The fraudulent messages claim to notify users that their CircleCI sessions have expired and that they should log in using GitHub credentials by clicking on a link. Another bogus email  revealed by CircleCI  prompts users to sign in to their GitHub accounts to accept the company's new Terms of Use and Privacy Policy by following the link embedded in the message. Regardless of the lure, doing so redirects the target to a lookalike GitHub login page designed to steal and exfiltrate the entered credentials as well as the Time-based One Time Password (TOTP) codes in real-time to the attacker, effectively allowing
GitLab Issues Patch for Critical Flaw in its Community and Enterprise Software

GitLab Issues Patch for Critical Flaw in its Community and Enterprise Software

Aug 24, 2022
DevOps platform GitLab this week issued patches to address a critical security flaw in its software that could lead to arbitrary code execution on affected systems. Tracked as  CVE-2022-2884 , the issue is rated 9.9 on the CVSS vulnerability scoring system and impacts all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) starting from 11.3.4 before 15.1.5, 15.2 before 15.2.3, and 15.3 before 15.3.1. At its core, the security weakness is a case of authenticated remote code execution that can be triggered via the GitHub import API. GitLab credited  yvvdwf  with discovering and reporting the flaw. A successful exploitation of the critical flaw could enable a malicious actor to run malicious code on the target machine, inject malware and backdoors, and seize complete control of the susceptible devices. While the issue has been resolved in versions 15.3.1, 15.2.3, 15.1.5, users also have the option of securing against the flaw by temporarily disabling the GitHub im
GitHub Dependabot Now Alerts Developers On Vulnerable GitHub Actions

GitHub Dependabot Now Alerts Developers On Vulnerable GitHub Actions

Aug 11, 2022
Cloud-based code hosting platform GitHub has announced that it will now start sending Dependabot alerts for vulnerable GitHub Actions to help developers fix security issues in CI/CD workflows. "When a security vulnerability is reported in an action, our team of security researchers will create an advisory to document the vulnerability, which will trigger an alert to impacted repositories," GitHub's Brittany O'Shea and Kate Catlin  said . GitHub Actions  is a continuous integration and continuous delivery (CI/CD) solution that enables users to automate the software build, test, and deployment pipeline. Dependabot  is part of the Microsoft-owned subsidiary's continued efforts to secure the  software supply chain  by  notifying  users that their source code depends on a package with a security vulnerability and helping keep all the dependencies up-to-date. The latest move entails receiving alerts on GitHub Actions and vulnerabilities impacting developer code,
Cloud-based Cryptocurrency Miners Targeting GitHub Actions and Azure VMs

Cloud-based Cryptocurrency Miners Targeting GitHub Actions and Azure VMs

Jul 11, 2022
GitHub Actions and Azure virtual machines (VMs) are being leveraged for cloud-based cryptocurrency mining, indicating sustained attempts on the part of malicious actors to target cloud resources for illicit purposes. "Attackers can abuse the  runners  or servers provided by GitHub to run an organization's pipelines and automation by maliciously downloading and installing their own cryptocurrency miners to gain profit easily," Trend Micro researcher Magno Logan  said  in a report last week. GitHub Actions ( GHAs ) is a continuous integration and continuous delivery (CI/CD) platform that allows users to automate the software build, test, and deployment pipeline. Developers can leverage the feature to create workflows that build and test every pull request to a code repository, or deploy merged pull requests to production. Both Linux and Windows runners are hosted on  Standard_DS2_v2  virtual machines on Azure and come with two vCPUs and 7GB of memory. The Japanese com
Unpatched Travis CI API Bug Exposes Thousands of Secret User Access Tokens

Unpatched Travis CI API Bug Exposes Thousands of Secret User Access Tokens

Jun 14, 2022
An unpatched security issue in the Travis CI API has left tens of thousands of developers' user tokens exposed to potential attacks, effectively allowing threat actors to breach cloud infrastructures, make unauthorized code changes, and initiate supply chain attacks. "More than 770 million logs of free tier users are available, from which you can easily extract tokens, secrets, and other credentials associated with popular cloud service providers such as GitHub, AWS, and Docker Hub," researchers from cloud security firm Aqua  said  in a Monday report. Travis CI is a  continuous integration  service used to build and test software projects hosted on cloud repository platforms such as GitHub and Bitbucket. The issue, previously reported in 2015 and  2019 , is rooted in the fact that the  API  permits access to historical logs in cleartext format, enabling a malicious party to even "fetch the logs that were previously unavailable via the API." The logs go all
Nearly 100,000 NPM Users' Credentials Stolen in GitHub OAuth Breach

Nearly 100,000 NPM Users' Credentials Stolen in GitHub OAuth Breach

May 27, 2022
Cloud-based repository hosting service GitHub on Friday shared additional details into the theft of its integration OAuth tokens last month, noting that the attacker was able to access internal NPM data and its customer information. "Using stolen OAuth user tokens originating from two third-party integrators, Heroku and Travis CI, the attacker was able to escalate access to NPM infrastructure," Greg Ose said , adding the attacker then managed to obtain a number of files - A database backup of skimdb.npmjs.com consisting of data as of April 7, 2021, including an archive of user information from 2015 and all private NPM package manifests and package metadata. The archive contained NPM usernames, password hashes, and email addresses for roughly 100,000 users. A set of CSV files encompassing an archive of all names and version numbers of published versions of all NPM private packages as of April 10, 2022, and  A "small subset" of private packages from two organiz
Heroku Forces User Password Resets Following GitHub OAuth Token Theft

Heroku Forces User Password Resets Following GitHub OAuth Token Theft

May 05, 2022
Salesforce-owned subsidiary Heroku on Thursday acknowledged that the theft of GitHub integration OAuth tokens further involved unauthorized access to an internal customer database. The company, in an  updated notification , revealed that a compromised token was abused to breach the database and "exfiltrate the hashed and salted passwords for customers' user accounts." As a consequence, Salesforce said it's resetting all Heroku user passwords and ensuring that potentially affected credentials are refreshed. It also emphasized that internal Heroku credentials were rotated and extra detections have been put in place. The attack campaign, which GitHub  discovered  on April 12, related to an unidentified actor leveraging stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including NPM. The timeline of events as shared by the cloud platform is as follows - April 7, 2022  - Threat
GitHub Says Recent Attack Involving Stolen OAuth Tokens Was "Highly Targeted"

GitHub Says Recent Attack Involving Stolen OAuth Tokens Was "Highly Targeted"

May 03, 2022
Cloud-based code hosting platform GitHub described the recent  attack campaign  involving the abuse of OAuth access tokens issued to Heroku and Travis CI as "highly targeted" in nature. "This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories," GitHub's Mike Hanley  said  in an updated post. The  security incident , which it discovered on April 12, related to an unidentified attacker leveraging stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis CI, to download data from dozens of organizations, including NPM. The Microsoft-owned company said last week that it's in the process of sending a final set of notifications to GitHub customers who had either the Heroku or Travis CI OAuth app integrations authorized in their accounts. According to a detailed step-by-step analysis carried out by GitHub, th
Chinese "Override Panda" Hackers Resurface With New Espionage Attacks

Chinese "Override Panda" Hackers Resurface With New Espionage Attacks

May 02, 2022
A Chinese state-sponsored espionage group known as Override Panda has resurfaced in recent weeks with a new phishing attack with the goal of stealing sensitive information. "The Chinese APT used a spear-phishing email to deliver a beacon of a Red Team framework known as 'Viper,'" Cluster25  said  in a report published last week. "The target of this attack is currently unknown but with high probability, given the previous history of the attack perpetrated by the group, it might be a government institution from a South Asian country." Override Panda, also called  Naikon , Hellsing, and Bronze Geneva, is known to operate on behalf of Chinese interests since at least 2005 to conduct intelligence-gathering operations targeting  ASEAN countries . Attack chains unleashed by the threat actor have involved the use of decoy documents attached to spear-phishing emails that are designed to entice the intended victims to open and compromise themselves with malware
GitHub Notifies Victims Whose Private Data Was Accessed Using OAuth Tokens

GitHub Notifies Victims Whose Private Data Was Accessed Using OAuth Tokens

Apr 19, 2022
GitHub on Monday noted that it had notified all victims of an attack campaign, which involved an unauthorized party downloading private repository contents by taking advantage of third-party OAuth user tokens maintained by Heroku and Travis CI. "Customers should also continue to monitor Heroku and Travis CI for updates on their own investigations into the affected OAuth applications," the company  said  in an updated post. The  incident  originally came to light on April 12 when GitHub uncovered signs that a malicious actor had leveraged the stolen OAuth user tokens issued to Heroku and Travis CI to download data from dozens of organizations, including NPM. The Microsoft-owned platform also said that it will alert customers promptly should the ongoing investigation identify additional victims. Furthermore, it cautioned that the adversary may also be digging into the repositories for secrets that could be used in other attacks. Heroku, which has pulled support for GitHub
Cybersecurity Resources