#github-security

Information security
from The Hacker News
4 hours ago

Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos

A poisoned VS Code extension led to GitHub repository exfiltration, showing evolving software supply chain threats and smarter phishing and botnet activity.
Information security
from SecurityWeek
3 days ago

Grafana Says Codebase and Other Data Stolen via TanStack Supply Chain Attack

Unauthorized access to Grafana Labs GitHub repositories resulted from a TanStack supply chain attack, leading to token compromise, code theft, and mitigations without customer production impact.
#cisa
Privacy professionals
from Techzine Global
5 days ago

U.S. cybersecurity agency leaks GovCloud keys on GitHub

Public GitHub exposure revealed CISA-related credentials, including AWS GovCloud administrative keys and plaintext passwords, enabling high-privilege access to internal systems and build environments.
Information security
from The Register
6 days ago

America's top cyber-defense agency left a GitHub repo open with passwords, keys, tokens - and incredibly obvious filenames

A public GitHub repository exposed CISA secrets for six months, including tokens, keys, credentials, and certificates, until removal after reporting.
Information security
from The Hacker News
5 days ago

Grafana GitHub Breach Exposes Source Code via TanStack npm Attack

Breach impact was limited to Grafana Labs GitHub repositories, with no evidence of customer production systems or Grafana Cloud operations being compromised.
Information security
from The Hacker News
5 days ago

GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories

GitHub is investigating unauthorized access to internal repositories after TeamPCP listed source code and organizations for sale, while monitoring for customer impact.
from TechRepublic
1 week ago

Grafana Rejects Ransom Demand After GitHub Breach Exposes Codebase Theft

Grafana has confirmed that an unauthorized party gained access to its GitHub environment after obtaining a compromised token, allowing the attacker to download parts of its codebase. In a public statement shared on X, the company said its investigation found no evidence that customer data or personal information was accessed and no evidence that customer systems or operations were affected. The breach was discovered after unusual activity triggered a forensic investigation.
Information security
from TNW | Data-Security
1 week ago

Grafana Labs refuses ransom after hackers steal already-open-source code

Hackers stole Grafana’s open-source codebase and demanded ransom to prevent release; Grafana refused, citing FBI guidance and security controls.
Information security
from The Register
1 week ago

Grafana Labs admits all its codebase are belong to someone who popped its GitHub account

An attacker stole Grafana Labs’ GitHub codebase and demanded ransom to prevent release, but Grafana decided not to pay.
Information security
from The Hacker News
1 week ago

Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt

An unauthorized party accessed Grafana’s GitHub environment via a stolen token, downloaded code, attempted extortion, and Grafana invalidated credentials and added security measures.
Information security
from SecurityWeek
2 weeks ago

Gemini CLI Vulnerability Could Have Led to Code Execution, Supply Chain Attack

A critical CVSS 10/10 vulnerability in Gemini CLI's --yolo mode allowed attackers to inject malicious prompts via GitHub issues, potentially enabling full supply chain compromise through credential theft and unauthorized repository access.
Information security
from The Register
2 months ago

Malware-laced OpenClaw installers get Bing AI search boost

Scammers exploited OpenClaw's popularity by creating fake installers on GitHub that appeared in Bing AI search results, distributing information stealers and malware to unsuspecting users.
from The Register
6 months ago

AI companies keep publishing private API keys to GitHub

"Some of these leaks could have exposed organizational structures, training data, or even private models," said Wiz threat researchers Shay Berkovich and Rami McCarthy in a blog post. The secrets consist of API keys, tokens, and other digital credentials that are supposed to be kept out of code commits to git repos. But as the security biz noted last month, developers of VS Code extensions keep making their secrets known, a problem that McCarthy has attributed in part to vibe coding.
Information security
from InfoWorld
8 months ago

A wake-up call for identity security in devops

OAuth app permissions often lack centralized visibility and governance, enabling attackers to abuse authorized tokens to access code, secrets, and pivot across infrastructure.
Privacy technologies
from Ars Technica
10 months ago

GitHub abused to distribute payloads on behalf of malware-as-a-service

Malware-as-a-service operators have exploited GitHub to distribute malicious software, posing challenges for organizations relying on the platform.