"GitHub Repos Bombarded by Info-Stealing Commits Masked as Dependabot"
To steal authentication secrets and credentials from developers, hackers are compromising GitHub accounts and inserting malicious code disguised as Dependabot contributions. In July 2023, researchers discovered strange commits on hundreds of public and private repositories that were made to appear as Dependabot commits. Dependabot is an automated GitHub tool that scans projects for vulnerable dependencies and automatically issues pull requests to install updated versions. According to Checkmarx, the fake Dependabot contributions were enabled by the theft of GitHub access tokens, with the attackers' intent being to inject malicious code in order to steal the project's secrets. This article continues to discuss hackers breaching GitHub accounts and inserting malicious code disguised as Dependabot commits.
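One defender-side check that follows from the description above, as an added example that is not code from the article or from Checkmarx: scan `git log` output for commits that claim the Dependabot identity but do not carry the traits of a genuine Dependabot commit. It assumes that real Dependabot commits use the `dependabot[bot]` app identity and its noreply address, and that they are signed by GitHub (so `%G?` reports `G` once GitHub's web-flow key is in the local keyring); the sample log lines and SHAs are constructed.

```python
from dataclasses import dataclass

# Assumed traits of a genuine Dependabot commit (GitHub App identity).
DEPENDABOT_NAME = "dependabot[bot]"
DEPENDABOT_EMAIL = "49699333+dependabot[bot]@users.noreply.github.com"


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str  # git log %G?: G=good, B=bad, U=untrusted, N=no signature, ...


def parse_log(text: str) -> list[Commit]:
    """Parse lines produced by: git log --format='%H|%an|%ae|%G?'"""
    commits = []
    for line in text.strip().splitlines():
        parts = line.split("|")
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing
        commits.append(Commit(*parts))
    return commits


def suspicious_reasons(c: Commit) -> list[str]:
    """Return why a Dependabot-looking commit does not look genuine ([] if fine)."""
    claims_dependabot = "dependabot" in (c.author_name + c.author_email).lower()
    if not claims_dependabot:
        return []  # ordinary human/other-bot commit; out of scope here
    reasons = []
    if (c.author_name, c.author_email) != (DEPENDABOT_NAME, DEPENDABOT_EMAIL):
        reasons.append("author identity does not match the Dependabot app")
    if c.sig_status != "G":
        reasons.append(f"signature status {c.sig_status!r}, not a verified GitHub signature")
    return reasons


def find_fake_dependabot_commits(text: str) -> dict[str, list[str]]:
    """Map SHA -> reasons for every commit that impersonates Dependabot."""
    return {c.sha: r for c in parse_log(text) if (r := suspicious_reasons(c))}


# Constructed sample: one genuine bot commit, two impersonations, one human commit.
SAMPLE_LOG = """\
aaaa111|dependabot[bot]|49699333+dependabot[bot]@users.noreply.github.com|G
bbbb222|dependabot[bot]|dependabot@example.com|N
cccc333|Dependabot|49699333+dependabot[bot]@users.noreply.github.com|N
dddd444|Jane Dev|jane@example.com|N
"""

if __name__ == "__main__":
    for sha, reasons in find_fake_dependabot_commits(SAMPLE_LOG).items():
        print(sha, "->", "; ".join(reasons))
```

On a real repository, feed it `git log --format='%H|%an|%ae|%G?'`; any hit is a commit to review together with the token that pushed it.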
Bleeping Computer reports "GitHub Repos Bombarded by Info-Stealing Commits Masked as Dependabot"
Submitted by grigby1