
GitHub Enables Secret Scanning Push Protection for Public Repositories

GitHub has recently announced that it is enabling secret scanning push protection by default for all pushes to public repositories. Whenever a supported secret is detected in a push to a public repository, the push is blocked and the user can either remove the secret from the commit or bypass the block if they consider the secret safe.

Eric Tooley and Courtney Claessens explained that push protection was first piloted as an opt-in feature in August 2023, following months of testing since April 2022, and became generally available in May 2023. Secret scanning is designed to identify over 200 token types and patterns from more than 180 service providers, so that leaked credentials cannot be fraudulently used by malicious actors.
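To make the mechanism concrete, here is an added example (not GitHub's code, and not the article's) of the pattern-matching idea behind push protection: it scans only the lines a push adds, reports each match by file, line and token type, and never echoes the secret itself, and it models the "bypass" decision as an allowlist of fingerprints that the user has reviewed. The three regexes are simplified illustrations of well-known token shapes and are an assumption of this example, not GitHub's actual detection patterns; the sample diff is constructed, and the AWS key in it is the placeholder value from AWS's own documentation.

```python
import hashlib
import re
from dataclasses import dataclass

# Illustrative detectors for a few well-known token formats. Assumption: these are
# simplified regexes written for this example, not GitHub's own secret-scanning patterns.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
}

# Captures the starting line number of the new-file side of a unified-diff hunk.
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    fingerprint: str  # hash of the secret, so a report never contains the secret itself


def fingerprint(secret: str) -> str:
    """Stable, non-reversible identifier for a detected secret."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def added_lines(diff_text: str):
    """Yield (path, new_line_no, text) for every line a unified diff adds.

    Assumes the usual '--- a/' / '+++ b/' file headers; a diff of a file whose
    content lines themselves start with '---' or '+++' would need a fuller parser.
    """
    path, line_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            line_no = int(m.group(1))
            continue
        if path is None or raw.startswith(("---", "diff ", "index ", "\\")):
            continue
        if raw.startswith("+"):
            yield path, line_no, raw[1:]
            line_no += 1
        elif raw.startswith(" ") or raw == "":
            line_no += 1
        # removed ('-') lines do not advance the new-file line counter


def check_push(diff_text: str, allowlist=frozenset()):
    """Return the findings that would block a push.

    Allowlisted fingerprints stand in for the 'bypass' decisions a user has
    already made for matches they reviewed and consider safe.
    """
    findings = []
    for path, line_no, text in added_lines(diff_text):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                fp = fingerprint(match.group(0))
                if fp not in allowlist:
                    findings.append(Finding(path, line_no, kind, fp))
    return findings


# Constructed sample diff: the AWS key is the documented placeholder from the AWS
# docs and the GitHub token is a made-up string of the right shape; neither is real.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GH_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
 DEBUG = False
-OLD = 1
+NEW = 2
"""

if __name__ == "__main__":
    for f in check_push(SAMPLE_DIFF):
        print(f"BLOCKED {f.path}:{f.line_no} {f.kind} fingerprint={f.fingerprint}")
    # Simulate the user bypassing the block for one match after reviewing it.
    remaining = check_push(SAMPLE_DIFF, allowlist={fingerprint("AKIAIOSFODNN7EXAMPLE")})
    print(f"{len(remaining)} finding(s) still block the push")
```

Scanning only added lines is what keeps such a check cheap enough to run on every push; scanning full history is a separate, slower job. Reporting a fingerprint rather than the matched string means the block's own output can go into CI logs without becoming a second leak.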

This development comes almost five months after the subsidiary expanded secret scanning to include validity checks for popular services such as Amazon Services (AWS), , , and Slack. It also follows the discovery of an ongoing “repo confusion” attack targeting , which has been inundating the source code platform with thousands of repositories containing obfuscated capable of stealing passwords and cryptocurrency from developer devices.

These attacks represent another wave of the same distribution campaign disclosed by Phylum and Trend Micro last year. The attackers leveraged bogus Python packages hosted on the cloned, trojanized repositories to deliver a stealer called BlackCap Grabber. “Repo confusion attacks simply rely on humans to mistakenly pick the malicious version over the real one, sometimes employing social engineering techniques as well,” Apiiro said in a report this week.


Deitasoft © 2024. All Rights Reserved.