A poisoned VS Code extension breached GitHub’s internal repositories. Around 3,800 repos may be exposed as GitHub rotates secrets and investigates the attack. A single employee’s device. That was the way in. GitHub confirmed it detected and contained a compromise involving a poisoned VS Code extension installed on an internal device. The malicious extension version […]
The post GitHub Got Hit Through a Poisoned VS Code Extension Nobody Saw Coming appeared first on Live Bitcoin News.
Microsoft’s GitHub has suffered what appears to be its biggest ever security breach after confirming that attackers exfiltrated code from around 3,800 of the company’s internal repositories.
News of the incident first emerged on May 19, when GitHub said it was investigating “unauthorized access.” Hours later, the company’s X account confirmed the worst:
“Yesterday we detected and contained a compromise of an employee device involving a poisoned VS [Visual Studio] Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately,” GitHub said.
“Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.”
GitHub added: “We continue to analyze logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants.” Th
A self-replicating worm that hijacks GitHub Actions pipelines to publish malicious npm packages has struck again, compromising AntV, echarts-for-react, and Microsoft’s durabletask SDK. Mini Shai-Hulud Exploits GitHub Actions to Hit 16 Million Weekly Downloads The Mini Shai-Hulud campaign, attributed to the threat group Team PCP, does not work the way most supply chain attacks do […]
GitHub has confirmed that thousands of its internal repositories were accessed without authorization, prompting fresh warnings from Binance founder Changpeng “CZ” Zhao for crypto developers to immediately rotate API keys stored in code repositories. According to a statement published by…
This incident underscores the critical need for robust security practices in managing cloud credentials, highlighting potential supply chain vulnerabilities.
The post CISA exposed plaintext passwords and cloud keys on GitHub for six months appeared first on Crypto Briefing.
Faced with the growing volume of submission to its bug bounty program, GitHub is replacing cash bounties with swag rewards for reports with low security impact — and asking researchers to stop submitting reports that are low quality or about things that aren’t its fault.
The cloud-based code repository platform has seen a sharp increase in submissions that don’t demonstrate real security impact over the past year due to newer tools such as generative AI.
“Not every valid submission represents a meaningful security risk. Some reports identify hardening opportunities or documentation gaps,” Jarom Brown, a senior security researcher at GitHub, wrote in a blog post.
On top of that, he said, many of the reports GitHub receives describe out-of-scope scenarios in which someone experiences an “undesirable” outcome after interacting with malicious content in GitHub.
“These reports are often well-written and technically accurate in their observations, but they misunderstand where the security bo
