GitHub repos bombarded by info-stealing commits masked as Dependabot

In order to obtain developers’ passwords and authentication keys, hackers are breaking into their GitHub accounts and injecting malicious code that looks like Dependabot contributions. Researchers first became aware of the campaign in July 2023 when they found strange changes on hundreds of public and private repositories that had been fabricated to seem like Dependabot commits.

A GitHub-provided automated tool called Dependabot searches projects for weak dependencies and then generates pull requests to install the upgraded versions. Using stolen GitHub access tokens, the attackers were able to create these bogus Dependabot contributions, as disclosed today by Checkmarx, with the intention of introducing malicious code to steal the project’s trade secrets.

GitHub repos bombarded by info-stealing commits masked as Dependabot

Solutions

Services

Services

Knowledge

Solutions

Industries

Contact

Invinsense

About

INDIA | Ahmedabad

SRI LANKA

KUWAIT

USA | New York

UNITED KINGDOM | London

Address

GitHub repos bombarded by info-stealing commits masked as Dependabot

27-Sep-23

Solutions

Services

Services

Knowledge

Solutions

Industries

Contact

Invinsense

About

INDIA | Ahmedabad

SRI LANKA

KUWAIT

USA | New York

UNITED KINGDOM | London

Address