GitHub repos bombarded by info-stealing commits masked as Dependabot


To steal developers' passwords and authentication keys, attackers are breaking into GitHub accounts and injecting malicious code disguised as Dependabot contributions. Researchers first noticed the campaign in July 2023, when they found unusual commits on hundreds of public and private repositories that had been crafted to look like Dependabot commits.

Dependabot is an automated tool provided by GitHub that scans projects for vulnerable dependencies and opens pull requests to install the upgraded versions. As Checkmarx disclosed today, the attackers used stolen GitHub access tokens to create these bogus Dependabot contributions, with the aim of introducing malicious code that steals the project's secrets.
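As an added example (not code from the article or from Checkmarx), the following Python audit flags commits that present themselves as Dependabot but cannot be the bot's own. It assumes that genuine Dependabot commits are authored by the `dependabot[bot]` account with a `users.noreply.github.com` address and carry a GitHub-verified signature, and it parses constructed `git log --format='%H|%an|%ae|%G?|%s'` output; a push made with a stolen user token can copy the author name and email, but not the signature.

```python
import re
from dataclasses import dataclass

# Assumptions (not from the article): genuine Dependabot commits are authored by the GitHub App
# account dependabot[bot] with a users.noreply.github.com address and are signed by GitHub, so
# `git log --format=%G?` reports "G" once GitHub's signing key is trusted. A commit pushed with a
# stolen user token can copy that name and email, but cannot reproduce the signature.
DEPENDABOT_NAME = "dependabot[bot]"
DEPENDABOT_EMAIL = re.compile(r"^\d+\+dependabot\[bot\]@users\.noreply\.github\.com$")

@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    signature: str  # git %G? code: "G" good signature, "N" none, "B" bad, "E" unverifiable
    subject: str

def parse_log(text: str) -> list[Commit]:
    """Parse lines produced by: git log --format='%H|%an|%ae|%G?|%s'"""
    commits = []
    for line in text.strip().splitlines():
        sha, name, email, sig, subject = line.split("|", 4)
        commits.append(Commit(sha, name, email, sig, subject))
    return commits

def reasons_to_distrust(c: Commit) -> list[str]:
    """Reasons a commit that presents itself as Dependabot should not be trusted."""
    if "dependabot" not in c.author_name.lower():
        return []  # does not claim to be the bot; out of scope for this check
    reasons = []
    if c.author_name != DEPENDABOT_NAME or not DEPENDABOT_EMAIL.match(c.author_email):
        reasons.append("author identity does not match the dependabot[bot] account")
    if c.signature != "G":
        reasons.append(f"no verified GitHub signature (git %G? = {c.signature})")
    return reasons

def audit(log_text: str) -> dict[str, list[str]]:
    """Map each suspicious Dependabot-looking commit SHA to its list of findings."""
    return {c.sha: r for c in parse_log(log_text) if (r := reasons_to_distrust(c))}

# Constructed sample log: one genuine commit, two forgeries, one ordinary human commit.
SAMPLE_LOG = """\
a1b2c3d|dependabot[bot]|49699333+dependabot[bot]@users.noreply.github.com|G|Bump lodash from 4.17.20 to 4.17.21
d4e5f6a|dependabot[bot]|dev@example.com|N|fix
f0e1d2c|dependabot[bot]|49699333+dependabot[bot]@users.noreply.github.com|N|Bump axios from 0.21.1 to 0.21.2
b7c8d9e|Jane Maintainer|jane@example.com|N|Refactor logger
"""
```

Run `audit(SAMPLE_LOG)` to see the two forged commits reported; the genuine signed commit and the human commit are not flagged.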

