THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More

CodeQLEAKED: GitHub Supply Chain Attack Enables Code Execution via CodeQL Repositories

A recent discovery has revealed a potential supply chain attack vulnerability in GitHub’s CodeQL repositories, which could have led to wide-ranging consequences for hundreds of thousands of GitHub users. The exploit hinges on a publicly exposed secret found in a… Read more → The post CodeQLEAKED: GitHub Supply Chain Attack Enables Code Execution via CodeQL Repositories appeared first on IT Security News.

CodeQLEAKED - Public Secrets Exposure Leads toSupply Chain Attack on GitHub CodeQL

A potential supply chain attack on GitHub CodeQL started simply: a publicly exposed secret, valid for 1.022 seconds at a time. In that second, an attacker could take a series of steps that would allow them to execute code within a GitHub Actions workflow in most repositories using CodeQL, GitHub’s code analysis engine trusted by hundreds of thousands of repositories. The impact would reach both public GitHub (GitHub Cloud) and GitHub Enterprise.…

CodeQLEAKED – Public Secrets Exposure Leads to Supply Chain Attack on GitHub CodeQL

A potential supply chain attack on GitHub CodeQL started simply: a publicly exposed secret, valid for 1.022 seconds at a time. In that second, an attacker could take a series of steps that would allow them to execute code within a GitHub Actions workflow in most repositories using CodeQL, GitHub’s code analysis engine trusted by The post CodeQLEAKED – Public Secrets Exposure Leads to Supply Chain Attack on GitHub CodeQL appeared first on Praetori

How NixOS and reproducible builds could have detected the xz backdoor for the benefit of all – OSnews

Some more light reading: While it was already established that the open source supply chain was often the target of malicious actors, what is stunning is the amount of energy invested by Jia Tan to gain the trust of the maintainer of the xz project, acquire push access to the repository and then among other perfectly legitimate contributions insert – piece by piece – the code for a very sophisticated and obfuscated backdoor. This should be a wa…

StepSecurity has discovered malicious code in the open source tool tj-actions/changed-files. The code placed sensitive data such as AWS keys and GitHub tokens in log files. This vulnerability was reported in mid-March. The malicious code was removed, but compromised logs could continue to be publicly visible. The attackers used a stolen access token of the @tj-actions-bot. How this was compromised is unclear. GitHub has the

THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More

A quiet tweak in a popular open-source tool opened the door to a supply chain breachwhat started as a targeted attack quickly spiraled, exposing secrets across countless projects.That wasnt the only stealth move. A new all-in-one malware is silently stealing passwords, crypto, and controlwhile hiding in plain sight. And over 300 Android apps joined the chaos, running ad