Third-party code

Fraudulent Dependabot commits leveraged for malicious code injection

Hundreds of GitHub repositories have been targeted with fraudulent commits purporting to come from Dependabot, GitHub's free automated dependency management tool, in a bid to inject malicious code and exfiltrate sensitive project data, reports SecurityWeek. Attackers used compromised GitHub personal access tokens to infiltrate repositories and inject malicious code, then used fake Dependabot commit messages to evade detection by security systems, according to a Checkmarx report. After delivering the Dependabot-styled commit, the threat actors pushed a workflow file that sends GitHub secrets to an external server and altered all .js files to compromise user credentials and password-based forms, the researchers reported. "This whole situation teaches us to be careful about where we get our code, even from trusted places like GitHub. This is the first incident in which we witnessed a threat actor using fake git commits to disguise activity, knowing that many developers do not check the actual changes of Dependabot when they see it," said Checkmarx.
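The report's point is that a commit message saying "Dependabot" is not evidence that Dependabot produced it. The check below is an added example written for this page, not code from Checkmarx, SecurityWeek or GitHub: it runs over a constructed commit log (the sample commits and the `example.invalid` address are made up) and flags commits that claim to be Dependabot updates but carry the wrong author identity, add a new workflow file, or modify source files rather than dependency manifests. The author e-mail constant is the well-known address GitHub uses for genuine Dependabot commits; the file patterns and the three rules are this example's own heuristics, and commit-signature status, which real Dependabot commits carry, is a further signal the example does not model.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Author e-mail GitHub attaches to genuine Dependabot commits (public, well-known value).
DEPENDABOT_EMAIL = "49699333+dependabot[bot]@users.noreply.github.com"

# Files a Dependabot version-update commit is expected to touch (heuristic list).
MANIFEST_PATTERNS = (
    r"(^|/)package(-lock)?\.json$", r"(^|/)yarn\.lock$", r"(^|/)pnpm-lock\.yaml$",
    r"(^|/)requirements[^/]*\.txt$", r"(^|/)Pipfile(\.lock)?$", r"(^|/)poetry\.lock$",
    r"(^|/)pyproject\.toml$", r"(^|/)go\.(mod|sum)$", r"(^|/)Cargo\.(toml|lock)$",
    r"(^|/)Gemfile(\.lock)?$", r"(^|/)pom\.xml$", r"(^|/)build\.gradle(\.kts)?$",
    # The github-actions ecosystem legitimately edits existing workflow files.
    r"^\.github/workflows/[^/]+\.ya?ml$",
)
# Typical Dependabot subject lines: "Bump x from a to b", "chore(deps): bump ...".
BUMP_RE = re.compile(r"^(chore\(deps(-dev)?\): |build\(deps(-dev)?\): )?bump ", re.IGNORECASE)


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    message: str
    files: List[Tuple[str, str]]  # (status, path) as in `git show --name-status`: A, M, D


def claims_dependabot(c: Commit) -> bool:
    """True if the commit presents itself as a Dependabot update by name or subject line."""
    return "dependabot" in c.author_name.lower() or bool(BUMP_RE.match(c.message))


def is_manifest(path: str) -> bool:
    return any(re.search(p, path) for p in MANIFEST_PATTERNS)


def review_commit(c: Commit) -> List[str]:
    """Return the reasons a Dependabot-styled commit looks fraudulent (empty if none)."""
    reasons: List[str] = []
    if not claims_dependabot(c):
        return reasons  # ordinary developer commits are out of scope for this check
    if c.author_email != DEPENDABOT_EMAIL:
        reasons.append(f"claims Dependabot but author e-mail is {c.author_email!r}")
    added_workflows = [p for s, p in c.files if s == "A" and p.startswith(".github/workflows/")]
    if added_workflows:
        reasons.append(f"adds new workflow file(s): {added_workflows}")
    non_manifest = [p for _, p in c.files if not is_manifest(p)]
    if non_manifest:
        reasons.append(f"touches non-manifest files: {non_manifest}")
    return reasons


def audit(commits: List[Commit]) -> Dict[str, List[str]]:
    """Map sha -> reasons for every commit that fails the Dependabot authenticity check."""
    return {c.sha: r for c in commits if (r := review_commit(c))}


# Constructed sample log: one genuine-looking update, one impersonation, one unrelated commit.
SAMPLE_COMMITS = [
    Commit("a1", "dependabot[bot]", DEPENDABOT_EMAIL,
           "Bump lodash from 4.17.20 to 4.17.21",
           [("M", "package.json"), ("M", "package-lock.json")]),
    Commit("b2", "dependabot[bot]", "dependabot@example.invalid",  # constructed, not a real address
           "chore(deps): bump axios from 0.21.1 to 1.6.0",
           [("A", ".github/workflows/ci.yml"), ("M", "src/app.js"), ("M", "src/login.js")]),
    Commit("c3", "alice", "alice@example.invalid",
           "Refactor login form",
           [("M", "src/login.js")]),
]

if __name__ == "__main__":
    for sha, reasons in audit(SAMPLE_COMMITS).items():
        print(sha)
        for r in reasons:
            print("  -", r)
```

In a real pipeline the `Commit` records would be filled from `git log --format=... --name-status`, and a flagged commit would be held for review rather than merged on the strength of its subject line.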
