GitHub’s 2FA rollout boosts supply chain security

In a push to enhance the security of the software supply chain, GitHub has successfully rolled out mandatory two-factor authentication (2FA) for code contributors on its platform.

GitHub’s 2FA rollout – announced in May 2022 – aimed to address the critical first link in the software supply chain by securing the developers responsible for designing, building, and maintaining the software we all rely on.

The results are in

After a year of meticulous preparation,...

25 April 2024 | Developer

Bitwarden strengthens passwordless authentication with magic links API

Credential management firm Bitwarden has announced an enhancement to its Passwordless.dev platform with the release of a magic links API.

Bitwarden’s latest offering empowers developers to seamlessly integrate passwordless authentication into their applications, providing a more secure and user-friendly experience for end-users.

The magic links API enables developers to send unique one-time-use links via email, allowing users to securely access their accounts or easily...

2 April 2024 | API

PyPI suspends registrations amid malware attack

The Python Package Index (PyPI) has suspended new project creation and user registration to mitigate an ongoing malware upload campaign. This move comes as security researchers at Checkmarx uncovered a campaign involving multiple malicious packages related to the same threat actors.

The attackers are targeting victims through typosquatting attacks, tricking users into installing malicious Python packages through their command-line interface. This multi-stage attack aims to steal...

28 March 2024 | Developer

Google paid $10M to bug hunters in 2023

Google has revealed that it paid out $10 million to over 600 bug hunters from 68 countries in 2023.

Throughout the year, Google's bug hunter community played a pivotal role in identifying and addressing thousands of vulnerabilities across various Google platforms. The company's dedication to incentivising researchers saw the introduction of several new programs and improvements to existing ones.

Among the notable developments was the launch of the Bonus Awards program,...

13 March 2024 | Android

GitHub enables secret scanning push protection by default

In response to the alarming trend of API keys, tokens, and other confidential data being inadvertently exposed, GitHub has taken further steps to fortify its platform against potential breaches.

Within the first two months of 2024, GitHub has uncovered one million leaked secrets across public repositories, averaging over a dozen incidents per minute. Such alarming figures underscore the pressing need for robust safeguards to protect users and their data.

Since August...

1 March 2024 | Developer

GitHub suffers from over 100K infected repos

Developers face a major security threat as over 100,000 repositories on GitHub are infected with malicious code.

This resurgence of a malicious repo confusion campaign – detected by Apiiro’s security researchers – has impacted countless developers who unwittingly use repositories they believe to be trusted but are, in fact, compromised.

Similar to dependency confusion attacks – which exploit package managers – repo confusion attacks rely on human error,...

29 February 2024 | Developer

White House urges adoption of memory-safe programming languages

The White House Office of the National Cyber Director (ONCD) has released a new report today urging the technology industry to take steps to reduce vulnerabilities in software that leave digital systems open to cyberattacks.

The report, titled "Back to the Building Blocks: A Path Toward Secure and Measurable Software," emphasises the importance of technology manufacturers adopting memory-safe programming languages to prevent entire classes of vulnerabilities from entering the...

27 February 2024 | Hacking & Security

Python packages caught using DLL sideloading to bypass security

ReversingLabs researchers have uncovered Python packages using DLL sideloading to bypass security tools.

On 10 January 2024, Karlo Zanki, a reverse engineer at ReversingLabs, stumbled upon two suspicious packages on the Python Package Index (PyPI). These packages – named NP6HelperHttptest and NP6HelperHttper – were found to be utilising DLL sideloading, a known technique used by malicious actors to execute code discreetly and evade detection from security tools.

This...

21 February 2024 | Hacking & Security

OpenText unveils next-gen cybersecurity auditing technology

OpenText has unveiled the second generation of its advanced cybersecurity auditing technology called Fortify Audit Assistant—aiming to help developers build more secure software amid rising threats and complexity in multi-cloud environments.

The key upgrade is the use of predictive analytics and machine learning to emulate human security auditors. By learning from 10 years of human expert data, the new Fortify Audit Assistant significantly improves accuracy and reduces false...

6 February 2024 | Development Tools

GitHub rotates credentials following vulnerability discovery

GitHub has rotated encryption keys following the discovery of a vulnerability that could have enabled threat actors to steal credentials, the company revealed Tuesday.  

The Microsoft-owned firm said it first became aware of the high-severity security flaw tracked as CVE-2024-0200 on 26 December 2023. After investigating the issue and verifying there was no evidence it had been exploited in attacks, GitHub moved swiftly to rotate potentially exposed keys the same day as a...

17 January 2024 | Developer