Critical GitHub Enterprise Server Flaw Allows Authentication Bypass

May 21, 2024 at 01:22PM GitHub has addressed a critical flaw (CVE-2024-4985) in GitHub Enterprise Server that allowed unauthorized access on instances using SAML SSO with encrypted assertions. The issue affects versions prior to 3.13.0 and has been fixed in versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4. Organizations running vulnerable versions are advised to update. …

Cyber Criminals Exploit GitHub and FileZilla to Deliver Cocktail Malware

May 20, 2024 at 06:54AM A recent malvertising and cryptocurrency-related campaign uses legitimate services like GitHub and FileZilla to distribute various malware, targeting Android, macOS, and Windows. The campaign, attributed to Russian-speaking threat actors, involves multiple malware variants, including RedLine, Vidar, and DanaBot. This method increases the efficiency of attacks by abusing authentic internet services. …

Python’s PyPI Reveals Its Secrets

April 11, 2024 at 10:27AM GitGuardian’s 2023 and 2024 reports revealed significant security concerns in public repositories. The 2024 report found 12.8 million new exposed secrets on GitHub and highlighted security risks in PyPI. The report emphasizes the prevalence of open-source packages and stresses the importance of proper secret management to prevent potential exploitation. After …

Critical Rust flaw enables Windows command injection attacks

April 9, 2024 at 04:24PM A critical security vulnerability, tracked as CVE-2024-24576, allows threat actors to exploit Rust’s standard library to execute malicious commands on Windows systems. GitHub rates this flaw with a maximum CVSS base score of 10/10. The Rust security team faced challenges in resolving the issue, prompting an urge from the White …

GitHub Rolls Out ‘Code Scanning Autofix’ in Public Beta

March 21, 2024 at 08:15AM GitHub introduced the public beta of code scanning autofix, leveraging Copilot and CodeQL AI tools to spot and suggest fixes for vulnerabilities in JavaScript, TypeScript, Java, and Python repositories. The feature aims to expedite bug resolution and lessen unaddressed vulnerabilities, benefiting both developers and security teams. It is now in …

GitHub Launches AI-Powered Autofix Tool to Assist Devs in Patching Security Flaws

March 21, 2024 at 07:42AM GitHub announced the availability of a new feature called code scanning autofix for Advanced Security customers. It leverages CodeQL, Copilot, and OpenAI GPT-4 to provide code suggestions to fix vulnerabilities in JavaScript, TypeScript, Java, and Python. The feature aims to assist developers by generating potential fixes and explanations in natural …

GitHub’s new AI-powered tool auto-fixes vulnerabilities in your code

March 20, 2024 at 02:57PM GitHub introduced a new AI-powered feature, Code Scanning Autofix, which automatically provides potential fixes for vulnerabilities in JavaScript, TypeScript, Java, and Python. The feature aims to speed up vulnerability fixes, reduce security risks, and reclaim developers’ time. GitHub plans to expand language support and has also enabled push protection for …

Hackers Using Cracked Software on GitHub to Spread RisePro Info Stealer

March 16, 2024 at 09:21AM Cybersecurity researchers discovered several GitHub repositories containing cracked software used to distribute the RisePro information stealer. The campaign, named gitgub, included 17 repositories that were taken down by the Microsoft-owned subsidiary due to the threat. The RAR archive in the software contains an installer file that deploys RisePro, a C++-based malware targeting …

GitHub Rolls Out Default Secret Scanning Push Protection for Public Repositories

March 1, 2024 at 01:09AM GitHub has announced the default activation of secret scanning push protection for all public repository pushes. This feature identifies over 200 token types from more than 180 service providers to prevent fraudulent use. The move comes as a response to ongoing “repo confusion” attacks targeting GitHub, aiming to thwart malicious …

GitHub enables push protection by default to stop secrets leak

February 29, 2024 at 01:59PM GitHub has introduced push protection by default for all public repositories, preventing accidental exposure of secrets like access tokens and API keys during code pushes. The feature scans for over 200 token types and patterns from 180+ providers and allows users to remove or bypass detected secrets. Push protection is …