#GitHub
28 stories taggedGitHub.

OpenMandriva Linux Says Angry Contributor Wiped Years of Work
A developer with admin keys deleted repositories and pushed a package that could have broken user systems, after a dispute over the project's direction.

Poisoned Injective SDK on npm quietly stole crypto wallet keys for hours
A hijacked contributor account on GitHub pushed a booby-trapped version of a popular blockchain toolkit, siphoning seed phrases from any developer who ran the wrong function.

Old, Silent GitHub Accounts Are Being Used to Quietly Map Companies
Datadog Security Labs says several overlapping scraping campaigns are cataloguing corporate GitHub organisations using dormant 'ghost' accounts and stolen tokens.

npm 12 Turns Off Auto-Run Install Scripts to Blunt Supply Chain Attacks
GitHub's package manager for JavaScript now ships with a safer default, and it retires a token type that let developers skip two-factor login.

Criminals Are Using GitHub's Own Public Tools to Map Your Company Before They Strike
Researchers at Datadog tracked months of quiet, automated snooping across GitHub that blends perfectly into normal traffic, and most organisations never notice it happening.

A Hidden Note in a Bug Report Tricked GitHub's AI Into Leaking Company Secrets
Researchers showed how a single crafted message in a public GitHub issue could fool an AI assistant into reading private code and posting it online for anyone to see.

GitHub's Green 'Verified' Badge Can Lie: Signed Commits Cloned Without the Key
Researchers show anyone can produce a second signed commit that matches the author, date and files of a real one, keeping GitHub's Verified stamp while changing the unique fingerprint developers rely on.

Researchers Show How a Fake GitHub Comment Can Trick AI Tools Into Leaking Secret Code
A crafted public comment on GitHub can manipulate AI-powered automation into handing over data from private repositories, no password required.

A Hidden Command in a GitHub Issue Can Silently Steal a Company's Private Code
Researchers found a flaw in GitHub's AI automation tool that lets an outsider read an organisation's private repositories by hiding plain-English instructions inside a public bug report.

ChocoPoC: The Fake Exploit Repos Turning Bug Hunters Into Victims
A Python-based infostealer is hiding inside GitHub proof-of-concept code marketed to vulnerability researchers, siphoning credentials, cookies, and files before dropping a remote shell.

ChocoPoC RAT Hides in Fake GitHub Exploits, Targets Security Researchers
A cluster of trojanized proof-of-concept repositories is pushing a Python-based RAT to the very people who go looking for them.

GitHub Hardens actions/checkout Against Pwn Request Exploits
Blocking malicious code execution from pull_request_target workflows.

GitHub Tightens Security to Counter Pwn Request Attacks
GitHub introduces actions/checkout v7 to block insecure pull request workflows.

npm 12 Pulls the Plug on Install Scripts by Default
GitHub is finally turning off the lifecycle hook that's been quietly powering half a decade of supply chain attacks.

GitHub's npm Overhaul: No More Automatic Install Scripts
GitHub reshapes npm with default script blocking, aiming to tighten software supply chain security.