Posted by splenditer 4 hours ago

GitHub is investigating unauthorized access to their internal repositories(twitter.com)
222 points | 61 comments
vldszn 3 hours ago|
GitHub: "We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity."
TZubiri 2 hours ago|
It reminds me of the famous "mistakes were made" Nixon quote.

"We are investigating unauthorized access" sounds much better than "we've been hacked"

tomkarho 2 minutes ago|||
This reminds me of George Carlin's standup routine about PTSD. If you want to make any bad news sound less bad, just wrap the concept in complicated jargon to sterilize it.
vldszn 1 hour ago|||
Exactly =)
tiffanyh 2 hours ago||
Is Twitter/X the right channel to announce a security event like this?

I ask because I don’t see anything posted on their official blog or status page.

https://github.blog/

https://www.githubstatus.com/

lynndotpy 13 minutes ago||
It's certainly not the right platform. It'd be one thing if they had any official communication on the matter anywhere else. Maybe they're ashamed and are trying to limit the visibility while only technically issuing an announcement.

They announced this exclusively on X.com, which ranks barely above Pinterest in terms of usage. That's below Reddit, Snapchat, WeChat, and Instagram, and requires a user account to view profiles and posts. And that's ignoring all the reasons X is a divisive platform with an extreme political bent.

GitHub chose not to announce this on any other social media either (BlueSky, Facebook, TikTok, YouTube, LinkedIn, or Mastodon, as of this posting, and with no emails sent on the matter).

cebert 2 hours ago|||
It’s a very popular messaging platform for tech enthusiasts.
ignu 15 minutes ago|||
also a very popular messaging platform for [redacted] enthusiasts
yallpendantools 1 hour ago|||
So? Is this where your corporate paying clients should find out about an issue of this severity?

Not to mention Twitter is not an open platform anymore! (A) I'm an employee in an organization paying for Github. (B) I don't have a Twitter account. I already have a Github account because of (A). Why should (B) stop/delay me from getting official comms about this?

zdragnar 38 minutes ago|||
I can't imagine they'd spam every account with an email address, though an email to organization owners would make more sense.
yallpendantools 31 minutes ago||
> I can't imagine they'd spam every account with an email address

It's not "spam" if it is relevant to me, such as security incident disclosures.

Also, as tiffanyh pointed out, what's wrong with Github blog or is that exclusively for marketing fluff now? That would've been appropriate enough, without having to spend Sendgrid credits.

insanitybit 1 hour ago|||
Isn't it the first stop for the USG at this point? I mean, I wish the world were a different place but here we are.
niyikiza 30 minutes ago||
Probably the best option after sending a mass email when customers need to take action. The status page is for reliability issues impacting end users & the blog is for in-depth analysis.
uzyn 3 hours ago||
The security issue aside, seeing more companies push announcements like these on X as the only official source is a trend I'm not sure I like.

I can understand the rationale: this feels lighter and not something that belongs on status.github.com or the blog. Maybe what's actually missing is an official channel for ephemeral stuff on a domain they own, somewhere between a status page and a tweet? Just sharing an observation.

niyikiza 29 minutes ago|
My understanding is that when it's something that requires user action they'd directly send comms to customers.
keyle 2 hours ago||
This is bad. If they came out announcing this, without a long-winded explanation and further details, it's because they're staring at a bottomless pit and they haven't put the lid on it yet.

For a Fortune 100, to go out of your way to spook investors is the least desirable approach.

eli 2 hours ago|
Letting people know promptly is also the right thing to do and probably mandated by (at least some) customer contracts. You can't tell just some people; it would leak anyway.
bananamogul 26 minutes ago||
I have a hard time believing this because there was never enough GitHub uptime to carry out the attack.
vldszn 3 hours ago||
- Use static analysis for GHA to catch security issues: https://github.com/zizmorcore/zizmor

- Set locally: `pnpm config set minimum-release-age 4320` (3 days in minutes), see https://pnpm.io/supply-chain-security; for other package managers check: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e...

- Add Socket Free Firewall when installing npm packages on CI: https://docs.socket.dev/docs/socket-firewall-free#github-act...

keyle 2 hours ago||
The only way to 'harden your github actions' is to not use github actions.
vldszn 2 hours ago||
Makes sense tbh :)
robbiet480 1 hour ago|||
Thanks for making me aware of zizmor, just ran and fixed all issues on our core repos.
vldszn 1 hour ago||
You are welcome! Recently discovered it and found it genuinely useful. Fixed a bunch of issues in my workflows too :)
benoau 3 hours ago||
You also need to make sure you take care using PR titles and descriptions in your GHA because if they contain `text` it *may* be executed lmfao.

edited: not "will", "may", depending on your GHA

CGamesPlay 3 hours ago|||
Can you cite this? It's not YAML execution syntax, surely Github doesn't do it, the only vector I can see is if you put it unquoted into a shell script inside of a GHA yaml.
theteapot 2 hours ago|||
I think he means template-injection -- https://woodruffw.github.io/zizmor/audits/#template-injectio...
benoau 1 hour ago||
Yes that's it.
benoau 1 hour ago|||
https://github.com/orgs/community/discussions/27065

https://stackoverflow.com/questions/77090044/github-actions-...

https://www.praetorian.com/blog/pwn-request-hacking-microsof...

All you need is user content containing `backticked`, and a GitHub action referencing that via e.g. "github.event.issue.title" where the shell would normally execute `backticked` as a command (like echo, cat, etc).
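
A line-based checker for the pattern benoau describes, added here as an example (it is not zizmor's code and not from the thread): it flags `run:` steps whose shell script expands `${{ github.event.… }}` expressions, using a constructed vulnerable workflow and the usual fix of passing the value through an environment variable so the shell never sees the raw text. The list of attacker-influenced contexts is an assumption and not exhaustive.

```python
import re

RISKY_CONTEXTS = (  # contexts an outside contributor can set (assumed, not exhaustive)
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.comment.body", "github.head_ref")
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")  # ${{ ... }} template expressions

def _run_scripts(workflow_text):
    """Yield (line_no, script) for each `run:` step, joining `run: |` block scalars."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)(?:-\s+)?run:\s*(.*)$", line)
        if not m:
            continue
        indent, value = len(m.group(1)), m.group(2)
        if value in ("|", "|-", ">", ">-"):  # block scalar: take deeper-indented lines
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                body.append(nxt.strip())
            value = "\n".join(body)
        yield i + 1, value

def find_template_injection(workflow_text):
    """Return [(line_no, context)] for risky expressions expanded inside shell scripts."""
    return [(n, e) for n, s in _run_scripts(workflow_text)
            for e in EXPR.findall(s) if e.startswith(RISKY_CONTEXTS)]

# Constructed sample: the issue title and body are pasted straight into the shell.
VULNERABLE = """\
on: issues
jobs:
  triage:
    steps:
      - run: |
          echo "New issue: ${{ github.event.issue.title }}"
          echo "${{ github.event.issue.body }}" > body.txt
"""
# Constructed fix: route the value through an env var; the shell only ever sees $TITLE.
HARDENED = """\
on: issues
jobs:
  triage:
    steps:
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
"""
```

The same idea is what zizmor's template-injection audit implements properly, so use that in CI rather than this sketch.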

vldszn 3 hours ago|||
Maybe zizmor could catch this https://github.com/zizmorcore/zizmor but not sure 100%
insanitybit 1 hour ago||
Yeah, zizmor checks for template injection.
vldszn 1 hour ago||
Nice
buryat 1 hour ago||
Sympathy to engineers and everyone at GitHub; it's good that they're being open even if findings are limited. I'm sure they will figure out the root cause and will publish results to be a learning experience for everyone else.
dijksterhuis 3 hours ago||
non-twitter link: https://xcancel.com/github/status/2056884788179726685#m
shevy-java 7 minutes ago||
As some of us stated in the last weeks: Microsoft is working hard to get people to reconsider GitHub. All those small issues keep on adding up. Something is seriously flawed at Microsoft here - those problems did not exist in that way 2 or 3 years ago. It coincides with the rise of AI.
MallocVoidstar 2 hours ago|
https://pbs.twimg.com/media/HItbXhvW4AAMD8W?format=jpg&name=...

All of their repos have been copied and are up for sale. Attackers are TeamPCP, the creators of the Shai-Hulud malware.

mpetrovich 1 hour ago|
If that’s true and they do intend on shredding their copy on sale, what stops GitHub from buying it back themselves? (through a proxy, obv)
neom 22 minutes ago|||
Nothing; this is one of the most common types of ransomware going on right now, exfiltration-only extortion.
ferguess_k 1 hour ago|||
I probably wouldn't believe that "shredding". Also there will be legal consequences I think?