< ciso
brief />
Tag Banner

All news with #github tag

136 articles · page 3 of 7

Grafana GitHub Token Breach Exposes Codebase Access

🔒 Grafana disclosed that an unauthorized party obtained a token that allowed access to its GitHub environment and the download of parts of its codebase. The company says no customer data or personal information were accessed and that it launched a forensic investigation, invalidated the compromised credentials, and implemented additional security controls. The attacker attempted to extort Grafana, demanding payment to avoid publishing stolen material, but the company declined to pay following FBI guidance. Reports link the claim to CoinbaseCartel, a recent data‑extortion group.
read more →

TanStack npm Compromise in Mini Shai‑Hulud Supply Attack

⚠️ Socket reports a wave of the Mini Shai‑Hulud campaign modified 84 npm artifacts in the @tanstack namespace on 11 May 2026, inserting a heavily obfuscated credential‑stealing payload. Attackers abused GitHub Actions via the pull_request_target pattern, cache poisoning and runtime OIDC token extraction to hijack release pipelines. Affected packages included high‑download modules like @tanstack/react-router, and the GitHub Advisory Database rated the incident critical.
read more →

EtherRAT Campaign Spoofs Admin Tools via GitHub SEO

🛡️ Atos Threat Research Center disclosed in March 2026 a resilient campaign delivering a JavaScript RAT named EtherRAT via SEO-poisoned GitHub facades. The adversary places benign-looking README storefronts that link to hidden repositories hosting malicious MSI installers impersonating common administrative tools used by admins, DevOps, and security analysts. Payloads download Node.js at runtime and use an Ethereum smart contract queried through public RPC endpoints to resolve live C2 addresses, enabling rapid operator-driven server rotation and evasion of classic takedown techniques. Atos provides IoCs, technical analysis, and mitigation advice including blocking public ETH RPC access and enforcing verified tool provenance.
read more →

GitHub fixes RCE that exposed millions of private repos

🛡️ GitHub patched a critical remote code execution bug, CVE-2026-3854, reported by Wiz on March 4, 2026, that could have allowed attackers to access millions of private repositories. The company reproduced the issue within 40 minutes and deployed a fix to GitHub.com in under two hours. The flaw affected GitHub.com and multiple Enterprise offerings and could be triggered by a single crafted git push that injects unsafe metadata fields. GitHub’s forensic review found no evidence of exploitation prior to the researcher disclosure, and patches for GitHub Enterprise Server releases are available now; administrators are urged to upgrade immediately.
read more →

Critical GitHub RCE Vulnerability Exposed Millions of Repos

🔓 GitHub patched a critical remote code execution flaw (CVE-2026-3854) that allowed authenticated users to inject commands via crafted git push operations. Discovered by Wiz, the issue abused an internal X-STAT component in GitHub’s server-side processing and earned one of the highest bug-bounty payouts. Cloud services were patched quickly and fixes for GitHub Enterprise Server versions 3.14.25 through 3.20.0 were released, but Wiz reported that 88% of Enterprise Server instances remained exposed at disclosure. Enterprise customers are urged to apply vendor patches immediately.
read more →

Critical GitHub RCE CVE-2026-3854 Can Be Triggered by Push

🔒 GitHub patched a critical command-injection vulnerability, CVE-2026-3854, that allowed an authenticated user with push access to achieve remote code execution via a single git push. Researchers at Wiz disclosed the issue on March 4, 2026, and GitHub deployed a fix to GitHub.com within two hours while releasing updates for GitHub Enterprise Server. The flaw resulted from insufficient sanitization of git push options incorporated into the internal X-Stat header, enabling injection of metadata fields to override execution controls. Administrators should apply the provided GHES updates immediately.
read more →

Checkmarx Confirms LAPSUS$ Leak of Stolen GitHub Data

🔒 Checkmarx confirmed that the LAPSUS$ group published data taken from its private GitHub repository after a March 23 supply-chain compromise tied to the Trivy incident. Investigators say credentials harvested from that earlier intrusion enabled repository access and the insertion of malicious code. On April 22 attackers published malicious Docker images and VSCode/Open VSX extensions for Checkmarx’s KICS scanner that collected credentials, keys, tokens, and config files. Checkmarx states the 96GB leak originated from its GitHub, contains no customer data, and is under forensic review while the repository remains locked.
read more →

Trojanized Bitwarden CLI in Supply Chain Attack Uncovered

🛡️ A malicious npm release of the Bitwarden CLI (version 2026.4.0) was briefly published after attackers compromised a GitHub Action in the project's CI/CD pipeline. The trojanized package included a loader that installs bun and executes a payload designed to harvest cloud, development, and CI credentials. Bitwarden reported no evidence of user vault access and the package was removed within roughly 1.5 hours, with compromised access revoked and remediation initiated.
read more →

Bitwarden CLI npm Package Compromised to Steal Keys

🔒 The Bitwarden CLI @bitwarden/cli npm package was briefly compromised when attackers published a malicious v2026.4.0 release on April 22, 2026. The injected payload harvested developer secrets — including npm and GitHub tokens, SSH keys, and cloud credentials — and contained self‑propagation capability to infect other packages. Bitwarden confirmed only the npm distribution channel was affected, found no evidence of vault or production data access, revoked compromised access, deprecated the release, and initiated remediation; affected developers should rotate exposed credentials.
read more →

Supply Chain Breach Compromises Checkmarx KICS Artifacts

🔐 Checkmarx's KICS Docker images and VS Code/Open VSX extensions were trojanized to harvest developer secrets. Dependency security firm Socket investigated after Docker alerted them to malicious images pushed to the official checkmarx/kics repository and found an embedded MCP addon that downloaded a credential-stealing module (mcpAddon.js). The malware targeted GitHub tokens, cloud credentials, npm tokens, SSH keys, Claude configs and environment variables, encrypting and exfiltrating them to audit.checkmarx.cx while creating public GitHub repositories to receive stolen data. Checkmarx removed the artifacts, rotated exposed credentials and advised developers to rotate secrets, pin image SHAs and rebuild from trusted sources.
read more →

Bitwarden CLI Compromised via Checkmarx Supply-Chain Attack

🔒 JFrog and Socket report that the Bitwarden CLI package @bitwarden/cli@2026.4.0 was briefly published with malicious code in a file named bw1.js, following a compromised GitHub Action in Bitwarden’s CI/CD pipeline. The rogue release was designed to harvest GitHub/npm tokens, .ssh keys, .env files, shell history and other secrets, then exfiltrate them to private domains and via GitHub commits. Bitwarden confirmed the incident, stated there is no evidence that end-user vault data or production systems were accessed, and said the malicious npm release was deprecated, compromised access revoked, remediation steps initiated, and a CVE is being issued.
read more →

The Threat Hunter’s Gambit: Skills, Signals, and Risks

🔍 William Largent frames threat hunting as a discipline akin to strategy games, where pattern recognition, prediction, and spotting feints reveal an adversary's intent. Cisco Talos warns of a growing Platform-as-a-Proxy (PaaP) tactic in which attackers weaponize legitimate SaaS notification pipelines such as GitHub and Jira to deliver authenticated phishing that circumvents SPF, DKIM, and DMARC. Because users habitually trust system-generated alerts, defenders should adopt zero‑trust controls, ingest SaaS API logs into SIEMs, and require out‑of‑band verification for high-risk actions.
read more →

Using AI Agents to Detect Documentation Breakage in OSS

🤖 Drasi's team turned documentation testing into a monitoring problem by running AI-driven synthetic users that follow tutorials verbatim inside Dev Containers using the GitHub Copilot CLI. The agent is naïve, literal, and unforgiving: it executes commands exactly, verifies outputs, and captures screenshots, terminal logs, and a final markdown report. Weekly automated runs detect silent drift and environment regressions; failures automatically file issues with reproducible artifacts.
read more →

Microsoft Suspends Dev Accounts for Open-Source Projects

⚠️ Microsoft has suspended developer accounts used to maintain multiple high-profile open-source projects, blocking them from publishing Windows builds and security patches without prior notice or a quick reinstatement path. Affected projects include WireGuard, VeraCrypt, MemTest86, and Windscribe. Maintainers report no emails, warnings, or clear appeals process and say they can still publish Linux and macOS updates but not Windows releases. Microsoft said accounts were automatically suspended for failing mandatory verification for the Windows Hardware Program and that outreach and press attention have prompted follow-up from company representatives.
read more →

Weaponizing SaaS Notification Pipelines for Phishing

🔔 Cisco Talos observed a rise in campaigns that weaponize SaaS notification pipelines in collaboration platforms to deliver phishing and credential‑harvesting lures. Attackers embed malicious content in GitHub commit messages and in user‑configurable Jira project fields so automated notifications, signed by the platforms, bypass SPF, DKIM, and DMARC checks. Talos describes this as a Platform‑as‑a‑Proxy (PaaP) abuse and recommends moving to Zero‑Trust, instance‑level verification, and API telemetry to detect and block these attacks.
read more →

DPRK-Linked LNK Campaigns Leveraging GitHub for C2

🔒 FortiGuard Labs identified a multi-stage campaign using malicious LNK shortcut files that target Microsoft Windows users in South Korea. The attacker embeds decoding routines inside LNK arguments to drop a decoy PDF while executing hidden PowerShell payloads. Those scripts perform anti-analysis checks, establish persistence via Scheduled Tasks and VBScript, and use GitHub API calls as a covert C2 and exfiltration channel. Fortinet signatures detect these components and block the activity.
read more →

GitHub Used as Covert Channel in Multi-Stage Malware

🔒 A multi-stage malware campaign leveraging GitHub as a covert C2 channel has been observed targeting users in South Korea, according to an advisory from Fortinet. Attackers distribute malicious .LNK shortcut files that drop decoy PDFs while executing obfuscated PowerShell and VBScript payloads silently in the background. Recent variants embed decoding routines directly within LNK arguments, remove identifying metadata, and exfiltrate system information and logs to GitHub repositories using hardcoded tokens. The campaign exemplifies modern living-off-the-land tactics that abuse legitimate Windows utilities and developer infrastructure to evade detection.
read more →

Fake VS Code Security Alerts on GitHub Spread Malware

🚨 A large-scale campaign is abusing GitHub Discussions to post fake Visual Studio Code security advisories that trick developers into downloading malware. The spam posts use realistic titles, fabricated CVE identifiers, impersonated maintainers, and mass tagging to trigger email notifications to watchers. Links often point to external hosts (commonly Google Drive) that redirect to a domain running JavaScript reconnaissance which profiles victims and forwards data to a command-and-control server. Security vendor Socket says the activity is automated and coordinated across thousands of repositories.
read more →

Open VSX Flaw Allowed Malicious VS Code Extensions Live

🛡️ Researchers disclosed a patched bug in Open VSX's pre-publish scanning pipeline that allowed a malicious VS Code extension to pass vetting and go live. The defect, named Open Sesame, arose because a Java service returned a single boolean that conflated 'no scanners configured' with 'scanner failures,' causing failed scans to be treated as harmless. The vulnerability was fixed in Open VSX 0.32.0 after responsible disclosure.
read more →

ThreatsDay Bulletin: PQC Push, AI Bugs, Pirated Backdoors

🔔 This week’s ThreatsDay Bulletin captures a quieter, sneakier cadence: big-picture progress on cryptography and AI set against a steady churn of pragmatic abuse. Google accelerated a PQC migration to 2029 and GitHub is bringing AI-powered detections into the PR workflow, while threat actors keep innovating around trust — using pirated ISOs, fake extensions, firmware implants and clever phishing to scale backdoors, credential theft and fraud. The common thread is operational efficiency: takedowns and disruptions are temporary, but the workflows keep returning.
read more →