#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

GitHub | Breaking Cybersecurity News | The Hacker News

Category — GitHub
GitHub Notifies Victims Whose Private Data Was Accessed Using OAuth Tokens

GitHub Notifies Victims Whose Private Data Was Accessed Using OAuth Tokens

Apr 19, 2022
GitHub on Monday noted that it had notified all victims of an attack campaign, which involved an unauthorized party downloading private repository contents by taking advantage of third-party OAuth user tokens maintained by Heroku and Travis CI. "Customers should also continue to monitor Heroku and Travis CI for updates on their own investigations into the affected OAuth applications," the company  said  in an updated post. The  incident  originally came to light on April 12 when GitHub uncovered signs that a malicious actor had leveraged the stolen OAuth user tokens issued to Heroku and Travis CI to download data from dozens of organizations, including NPM. The Microsoft-owned platform also said that it will alert customers promptly should the ongoing investigation identify additional victims. Furthermore, it cautioned that the adversary may also be digging into the repositories for secrets that could be used in other attacks. Heroku, which has pulled supp...
GitHub Says Hackers Breached Dozens of Organizations Using Stolen OAuth Access Tokens

GitHub Says Hackers Breached Dozens of Organizations Using Stolen OAuth Access Tokens

Apr 16, 2022
Cloud-based repository hosting service GitHub on Friday revealed that it discovered evidence of an unnamed adversary capitalizing on stolen OAuth user tokens to unauthorizedly download private data from several organizations. "An attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis CI, to download data from dozens of organizations, including NPM," GitHub's Mike Hanley  disclosed  in a report. OAuth access tokens are often  used  by apps and services to authorize access to specific parts of a user's data and communicate with each other without having to share the actual credentials. It's one of the most common methods used to pass authorization from a single sign-on ( SSO ) service to another application. As of April 15, 2022, the list of affected OAuth applications is as follows - Heroku Dashboard (ID: 145909) Heroku Dashboard (ID: 628778) Heroku Dashboard – Preview (ID: 313468) Heroku Dashboard – Classi...
Want to Grow Vulnerability Management into Exposure Management? Start Here!

Want to Grow Vulnerability Management into Exposure Management? Start Here!

Dec 05, 2024Attack Surface / Exposure Management
Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident.  At its core, Vulnerability Management processes remain essential for identifying and addressing weaknesses. But as time marches on and attack avenues evolve, this approach is beginning to show its age. In a recent report, How to Grow Vulnerability Management into Exposure Management (Gartner, How to Grow Vulnerability Management Into Exposure Management, 8 November 2024, Mitchell Schneider Et Al.), we believe Gartner® addresses this point precisely and demonstrates how organizations can – and must – shift from a vulnerability-centric strategy to a broader Exposure Management (EM) framework. We feel it's more than a worthwhile read an...
GitHub Revoked Insecure SSH Keys Generated by a Popular git Client

GitHub Revoked Insecure SSH Keys Generated by a Popular git Client

Oct 12, 2021
Code hosting platform GitHub has  revoked  weak SSH authentication keys that were generated via the GitKraken git GUI client due to a vulnerability in a third-party library that increased the likelihood of duplicated SSH keys. As an added precautionary measure, the Microsoft-owned company also said it's building safeguards to prevent vulnerable versions of GitKraken from adding newly generated weak keys. The problematic dependency, called " keypair ," is an open-source SSH key generation library that allows users to create RSA keys for authentication-related purposes. It has been found to impact  GitKraken  versions 7.6.x, 7.7.x, and 8.0.0, released between May 12, 2021, and September 27, 2021. The flaw — tracked as CVE-2021-41117 (CVSS score: 8.7) — concerns a bug in the pseudo-random number generator used by the library, resulting in the creation of a weaker form of public SSH keys, which, owing to their low entropy — i.e., the measure of r...
cyber security

Innovate Securely: Top Strategies to Harmonize AppSec and R&D Teams

websiteBackslashApplication Security
Tackle common challenges to make security and innovation work seamlessly.
CloudFlare CDNJS Bug Could Have Led to Widespread Supply-Chain Attacks

CloudFlare CDNJS Bug Could Have Led to Widespread Supply-Chain Attacks

Jul 17, 2021
Web infrastructure and website security company Cloudflare last month fixed a critical vulnerability in its CDNJS library that's  used by 12.7% of all websites  on the internet. CDNJS is a free and open-source content delivery network (CDN) that serves about  4,041 JavaScript and CSS libraries , making it the  second most popular  CDN for JavaScript after Google Hosted Libraries. The weakness concerned an issue in the CDNJS library update server that could potentially allow an attacker to execute arbitrary commands, leading to a complete compromise. The vulnerability was discovered and reported by security researcher RyotaK on April 6, 2021. There is no evidence of in-the-wild attacks abusing this flaw. Specifically, the vulnerability works by publishing packages to Cloudflare's CDNJS using GitHub and npm, using it to trigger a  path traversal vulnerability , and ultimately trick the server into executing arbitrary code, thus achieving remote code exe...
GitHub Launches 'Copilot' — AI-Powered Code Completion Tool

GitHub Launches 'Copilot' — AI-Powered Code Completion Tool

Jun 30, 2021
GitHub on Tuesday launched a technical preview of a new AI-powered  pair programming  tool that aims to help software developers write better code across a variety of programming languages, including Python, JavaScript, TypeScript, Ruby, and Go. Copilot , as the code synthesizer is called, has been developed in collaboration with  OpenAI , and leverages Codex, a new AI system that's trained on publicly available source code and natural language with the goal of translating comments and code written by a user into auto-generated code snippets. "GitHub Copilot draws context from the code you're working on, suggesting whole lines or entire functions," GitHub CEO Nat Friedman  said  in a blog post. "It helps you quickly discover alternative ways to solve problems, write tests, and explore new APIs without having to tediously tailor a search for answers on the internet." Despite its function as an AI-based autocomplete for writing boilerplate code, the Micr...
GitHub Updates Policy to Remove Exploit Code When Used in Active Attacks

GitHub Updates Policy to Remove Exploit Code When Used in Active Attacks

Jun 05, 2021
Code-hosting platform GitHub Friday officially announced a series of updates to the  site's policies  that delve into how the company deals with malware and exploit code uploaded to its service. "We explicitly permit dual-use security technologies and content related to research into vulnerabilities, malware, and exploits," the Microsoft-owned company  said . "We understand that many security research projects on GitHub are dual-use and broadly beneficial to the security community. We assume positive intention and use of these projects to promote and drive improvements across the ecosystem." Stating that it will not allow the use of GitHub in direct support of unlawful attacks or malware campaigns that cause technical harm, the company said it may take steps to disrupt ongoing attacks that leverage the platform as an exploit or a malware content delivery network (CDN). To that end, users are refrained from uploading, posting, hosting, or transmitting any co...
Unpatched Prototype Pollution Flaw Affects All Versions of Popular Lodash Library

Unpatched Prototype Pollution Flaw Affects All Versions of Popular Lodash Library

Jul 09, 2019
Lodash, a popular npm library used by more than 4 million projects on GitHub alone, is affected by a high severity security vulnerability that could allow attackers to compromise the security of affected services using the library and their respective user base. Lodash is a JavaScript library that contains tools to simplify programming with strings, numbers, arrays, functions, and objects, helping programmers write and maintain their JavaScript code more efficiently. Liran Tal, a developer advocate at open-source security platform Snyk, recently published details and proof-of-concept exploit of a high-severity prototype pollution security vulnerability that affects all versions of lodash, including the latest version 4.17.11. The vulnerability, assigned as CVE-2019-10744 , potentially affects a large number of frontend projects due to the popularity of lodash that is being downloaded at a rate of more than 80 million times per month. Prototype pollution is a vulnerability t...
Ubuntu-Maker Canonical’s GitHub Account Gets Hacked

Ubuntu-Maker Canonical's GitHub Account Gets Hacked

Jul 07, 2019
An unknown hacker yesterday successfully managed to hack into the official GitHub account of Canonical, the company behind the Ubuntu Linux project and created 11 new empty repositories . It appears that the cyberattack was, fortunately, just a "loud" defacement attempt rather than a "silent" sophisticated supply-chain attack that could have been abused to distribute modified malicious versions of the open-source Canonical software. In a statement, David from Canonical confirmed that attacker(s) used a Canonical owned GitHub account whose credentials were compromised to unauthorizedly access Canonical's Github account. "We can confirm that on 2019-07-06 there was a Canonical owned account on GitHub whose credentials were compromised and used to create repositories and issues among other activities," David said. "Canonical has removed the compromised account from the Canonical organization in GitHub and is still investigating the extent o...
WhiteSource Bolt for GitHub: Free Open Source Vulnerability Management App for Developers

WhiteSource Bolt for GitHub: Free Open Source Vulnerability Management App for Developers

Dec 05, 2018
Developers around the world depend on open source components to build their software products. According to industry estimates, open source components account for 60-80% of the code base in modern applications. Collaboration on open source projects throughout the community produces stronger code, squashing the bugs and catching the vulnerabilities that impact the security of organizations who look to open source components as the key to their application building success. Thanks in part to the "thousand eyeballs" of the community, the number of reported vulnerabilities in open source projects is on the rise, spiking 51% in 2017 from the previous year. This is even more concerning since, as shown in the same study, most vulnerabilities are found in popular projects. Data shows that 32% of the top 100 open source projects have at least one vulnerability, meaning that developers have their work cut out for them, no matter which components they are using in their products....
Linus Torvalds Apologizes For His Rude Behavior—Takes Time Off

Linus Torvalds Apologizes For His Rude Behavior—Takes Time Off

Sep 18, 2018
What just happened would definitely gonna surprise you. Linus Torvalds—father of the Linux open-source operating system—finally admitted his behavior towards other developers in the Linux community was hurting people and Linux. In a surprising move this weekend, Torvalds apologized for insulting and abusing other developers for almost three decades and took a break from the open-source software to work on his behavior. In an email to the Linux Kernel Mailing List (LKML) on Sunday, Torvalds said that he was confronted by people of the Linux community this week about his lifetime of not understanding emotions, and apologized for his personal behavior that has hurt people and possibly has driven some of them away from working in kernel development altogether. Torvalds wrote, "I need to change some of my behavior, and I want to apologize to the people that my personal behavior hurt and possibly drove away from kernel development entirely." "I am going to take ...
Password-Guessing Was Used to Hack Gentoo Linux Github Account

Password-Guessing Was Used to Hack Gentoo Linux Github Account

Jul 05, 2018
Maintainers of the Gentoo Linux distribution have now revealed the impact and "root cause" of the attack that saw unknown hackers taking control of its GitHub account last week and modifying the content of its repositories and pages. The hackers not only managed to change the content in compromised repositories but also locked out Gentoo developers from their GitHub organisation. As a result of the incident, the developers were unable to use GitHub for five days. What Went Wrong? Gentoo developers have revealed that the attackers were able to gain administrative privileges for its Github account, after guessing the account password. The organisation could have been saved if it was using a two-factor authentication, which requires an additional passcode besides the password in order to gain access to the account. "The attacker gained access to a password of an organization administrator. Evidence collected suggests a password scheme where disclosure on on...
Github Account of Gentoo Linux Hacked, Code Replaced With Malware

Github Account of Gentoo Linux Hacked, Code Replaced With Malware

Jun 29, 2018
Downloaded anything from Gentoo's GitHub account yesterday? Consider those files compromised and dump them now—as an unknown group of hackers or an individual managed to gain access to the GitHub account of the Gentoo Linux distribution on Thursday and replaced the original source code with a malicious one. Gentoo is a free open source Linux or FreeBSD-based distribution built using the Portage package management system that makes it more flexible, easier to maintain, and portable compared to other operating systems. In a security alert released on its website yesterday, developers of the Gentoo Linux distribution warned users not to use code from its GitHub account, as some "unknown individuals" had gained its control on 28 June at 20:20 UTC and "modified the content of repositories as well as pages there." According to Gentoo developer Francisco Blas Izquierdo Riera, after gaining control of the Gentoo Github organization, the attackers "repla...
Confirmed—Microsoft Buys GitHub For $7.5 Billion

Confirmed—Microsoft Buys GitHub For $7.5 Billion

Jun 04, 2018
Here's the biggest news of the week—Microsoft has reportedly acquired GitHub for $7.5 billion. For those unaware, GitHub is a popular code repository hosting service that allows developers to host their projects, documentation, and code in the cloud using the popular Git source management system, invented in 2005 by Linux founder Linus Torvalds. GitHub is used by many developers and big tech companies including Apple, Amazon, Google, Facebook, and IBM to store their corporate code and privately collaborate on software, but Microsoft is one of the top contributors to the web-hosting service. Microsoft has uploaded several of its most important projects, including PowerShell , the .NET framework, and the Microsoft Edge JavaScript engine , to the website under open source licenses. Microsoft also partnered with Canonical to bring Ubuntu to Windows 10 . Citing sources familiar with the matter, Bloomberg reports that GitHub opted to sell to Microsoft in part because it was impr...
NSA Opens Github Account — Lists 32 Projects Developed by the Agency

NSA Opens Github Account — Lists 32 Projects Developed by the Agency

Jun 21, 2017
The National Security Agency (NSA) — the United States intelligence agency which is known for its secrecy and working in the dark — has finally joined GitHub and launched an official GitHub page. The NSA employs genius-level coders and brightest mathematicians, who continually work to break codes, gather intelligence on everyone, and develop hacking tools like EternalBlu e that was leaked by the Shadow Brokers in April and abused by the WannaCry ransomware last month to wreak havoc worldwide. The intelligence agency mostly works in secret, but after Edward Snowden leaks in 2013, the NSA has started (slowly) opening itself to the world. It joined Twitter in the same year after Snowden leaks and now opened a Github account. GitHub is an online service designed for sharing code amongst programmers and open source community, and so far, the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program ( TTP ), while some of these are 'coming soon.' ...
Microsoft is Shutting Down CodePlex, Asks Devs To Move To GitHub

Microsoft is Shutting Down CodePlex, Asks Devs To Move To GitHub

Apr 03, 2017
Microsoft has announced to shut down CodePlex -- its website for hosting repositories of open-source software projects -- on December 15, 2017. Launched in 2006, CodePlex was one of the Microsoft's biggest steps towards the world of open source community -- where any programmer, anywhere can share the code for their software or download and tweak the code to their liking. However, Microsoft says that the service has dramatically fallen in usage and that fewer than 350 projects seeing a source code commit over the last 30 days, pointing to GitHub as the "de-facto place for open source sharing." GitHub – 'Facebook for Programmers' In a blog post published Friday, Microsoft Corporate VP Brian Harry wrote that the shutdown of CodePlex is because the open source community has almost entirely moved over to GitHub, which provides similar functionality for sharing code that people can collaborate on. "Over the years, we have seen a lot of amazing opti...
Widespread Email Scam Targets Github Developers with Dimnie Trojan

Widespread Email Scam Targets Github Developers with Dimnie Trojan

Mar 30, 2017
Open source developers who use the popular code-sharing site GitHub were put on alert after the discovery of a phishing email campaign that attempts to infect their computers with an advanced malware trojan. Dubbed Dimnie , the reconnaissance and espionage trojan has the ability to harvest credentials, download sensitive files, take screenshots, log keystrokes on 32-bit and 64-bit architectures, download additional malware on infected systems, and self-destruct when ordered to. The malware has largely flown under the radar for the past three years – Thanks to its stealthy command and control methods. The threat was discovered in the mid of January this year when it was targeting multiple owners of Github repositories via phishing emails, but cyber-security firm Palo Alto, who reported the campaign on Tuesday, says the attacks started a few weeks before. Here's How the Attack Works: The attack starts by spamming the email inboxes of active GitHub users with booby-trap...
Chinese Certificate Authority 'mistakenly' gave out SSL Certs for GitHub Domains

Chinese Certificate Authority 'mistakenly' gave out SSL Certs for GitHub Domains

Aug 29, 2016
A Chinese certificate authority (CA) appeared to be making a significant security blunder by handing out duplicate SSL certificates for a base domain if someone just has control over its any subdomain. The certificate authority, named WoSign , issued a base certificate for the Github domains to an unnamed GitHub user. But How? First of all, do you know, the traditional Digital Certificate Management System is the weakest link on the Internet today and has already been broken? Billions of Internet users blindly rely on hundreds of Certificate Authorities (CA) around the globe to ensure the confidentiality and integrity of their personal data. But, these CAs have powers to issue valid SSL cert for any domain you own, despite the fact you already have one purchased from another CA. ...and that's the biggest loophole in the CA system. In the latest case as well, WoSign issued a duplicate SSL certificate for GitHub domains without verifying ownership of the base domain. ...
Github accounts Hacked in 'Password reuse attack'

Github accounts Hacked in 'Password reuse attack'

Jun 17, 2016
Popular code repository site GitHub is warning that a number of users' accounts have been compromised by unknown hackers reusing email addresses and passwords obtained from other recent data breaches . Yes, GitHub has become the latest target of a password reuse attack after Facebook CEO Mark Zuckerberg and Twitter . According to a blog post published by Shawn Davenport, VP of Security at GitHub, an unknown attacker using a list of email addresses and passwords obtained from the data breach of " other online services " made a significant number of login attempts to GitHub's repository on June 14. After reviewing the logins, administrators at GitHub found that the attacker had gained access to a number of its users' accounts in order to gain illicit access to their accounts' data. Although the initial source of the leaked credentials isn't clear, the recent widespread "megabreaches" of LinkedIn , MySpace , Tumblr , and the dating site Fling, ...
Facebook Open Sources its Capture the Flag (CTF) Platform

Facebook Open Sources its Capture the Flag (CTF) Platform

May 11, 2016
Hacking into computer, networks and websites could easily land you in jail. But what if you could freely test and practice your hacking skills in a legally safe environment? Facebook just open-sourced its Capture The Flag (CTF) platform to encourage students as well as developers to learn about cyber security and secure coding practices. Capture the Flag hacking competitions are conducted at various cyber security events and conferences, including Def Con, in order to highlight the real-world exploits and cyber attacks. The CTF program is an effective way of identifying young people with exceptional computer skills, as well as teaching beginners about common and advanced exploitation techniques to ensure they develop secure programs that cannot be easily compromised. Facebook  CTF Video Demo: Since 2013, Facebook has itself hosted CTF competitions at events across the world and now, it is opening the platform to masses by releasing its source code on GitHub. "...
British Intelligence Open-Sources its Large-Scale Graph Database Software

British Intelligence Open-Sources its Large-Scale Graph Database Software

Dec 16, 2015
UK's Secretive Spy Agency Government Communications Headquarters (GCHQ) has open-sourced one of its tools on code-sharing website GitHub for free... A graph database called ' Gaffer .' Gaffer , written in Java, is a kind of database that makes it "easy to store large-scale graphs in which the nodes and edges have statistics such as counts, histograms and sketches." Github is a popular coding website that allows software developers to build their project on a single platform equipped with all the requirements that are gone in the making of a software. Gaffer and its Functionalities In short, Gaffer is a framework for creating mass-scale databases, to store and represent data, and is said to be useful for tasks including: Allow the creation of graphs with summarised properties within Accumulo with a very less amount of coding. Allow flexibility of stats that describe the entities and edges. Allow easy addition of nodes and edges. Allo...
Expert Insights / Articles Videos
Cybersecurity Resources