August 22, 2024 at 02:00AM GitHub has addressed three security flaws in its Enterprise Server product, including a critical bug (CVE-2024-6800) that could grant an attacker site administrator privileges. Two medium-severity flaws have also been resolved (CVE-2024-7711, CVE-2024-6337). Users are urged to update to the latest versions (3.13.3, 3.12.8, 3.11.14, and 3.10.16) to mitigate potential … Read more
August 15, 2024 at 05:09AM GitHub has launched Copilot Autofix, an AI-powered vulnerability remediation feature. It offers fix suggestions for various security defects, helping developers to address bugs in their code faster. During the public beta, it was found that developers were fixing vulnerabilities more than three times faster than manually. It will be available … Read more
August 14, 2024 at 01:31PM Researchers discovered an attack exploiting GitHub Actions artifacts, affecting open source projects of major companies like Google, Microsoft, and Amazon. This could have compromised millions of consumers, leaking tokens and allowing malicious actors to push code to production. The findings underscore the need for a holistic security approach and reevaluation … Read more
July 15, 2024 at 01:06PM Cybersecurity researchers found a leaked GitHub token that could have enabled elevated access to Python repositories. JFrog discovered the token in a public Docker container and immediately revoked it after disclosure. Checkmarx also uncovered malicious packages on PyPI designed to extract sensitive information to a Telegram bot. No evidence shows … Read more
July 9, 2024 at 12:13PM Cyberattackers are targeting JavaScript developers with a supply chain attack distributing Trojanized jQuery packages across GitHub, npm, and jsDelivr repositories. The attackers exhibit an unusual lack of nomenclature and attribution, with a manual assembly and publication of each package. The attack, requiring specific user actions to trigger, emphasizes the need … Read more
July 8, 2024 at 05:43PM A new cyber espionage actor, “CloudSorcerer,” is targeting Russian government organizations with sophisticated malware, leveraging public cloud services for C2 and purposes. The group’s primary malware tool has multiple functions including covert monitoring and data collection, and it dynamically adapts its behavior based on its execution context, posing a challenge … Read more
July 1, 2024 at 10:06AM Google has introduced kvmCTF, a bug bounty program for the KVM hypervisor, offering significant rewards for vulnerabilities. Participants can attempt to conduct guest-to-host attacks in a lab environment, with potential payouts including $250,000 for a full VM escape. The program aims to enhance the security of widely used virtualization technology. … Read more
June 30, 2024 at 10:43AM The ‘ip’ open-source project’s GitHub repository was archived by its developer, Fedor Indutny, due to dubious or bogus CVE reports being filed against it. The ‘node-ip’ GitHub repository was also made read-only, limiting interactions. Indutny disputed the severity of the CVE and raised concerns about the influx of unverified vulnerability … Read more
June 30, 2024 at 10:35AM The widely used ‘ip’ open-source project had its GitHub repository made “read-only” after developer Fedor Indutny received a dubious CVE report and experienced increased scrutiny due to a vulnerability in the ‘node-ip’ project, affecting JavaScript developers. This pattern of inflated CVE reports is causing frustration for developers and clouding the … Read more
June 12, 2024 at 08:06AM GitHub’s bug bounty program, established 10 years ago, has paid out over $4 million. In 2023, the program reached this milestone and saw its largest single reward of $75,000 for a vulnerability. The total payout exceeded $850,000 in 2023, with GitHub aiming to enhance payout processes and public disclosures in … Read more