As you may know, GitHub has detected a breach.
This was originated by an employee installing a malicious VSCode extension (and no doubt escalated via other mechanisms.)
It transpires that the source code of GitHub has been leaked and is available for sale through crime/privacy friendly networks.
The conclusion is that since source code can itself be analyzed by LLMs, there is a high possibility that vulns and privilege escalations may be discovered that would allow further attacks.
Here are some measures you can take:
1- Go through private repos and ensure there are no secrets.
2- Go through private repos, copy them to another system, and delete the repos.
3- Review privacy policies and settings, consider changing your account type to enterprise (I'd recommend going the opposite direction, but this is an option)
4- Consider not using github for a while.
5- If you are using non-essential Github software like GitHub CLI or vscode extensions, uninstall them. Learn to work with Git CLI if necessary.
6- Consider not downloading binaries from Github repos for a while.
7- Consider not downloading source code from GitHub for a while.
Other general recommendations can help as well:
- Actually check hash digests, and ensure that the hash is distributed by other means than the code.
- Consider using or strengthening alternative signature mechanisms like pgp.
- Do not install stuff through package managers that don't review code. Consider writing the code yourself, read an RFC if necessary, it's ok.
- Consider removing packages from the fishiest to the least. It's a chore, there's never time, but now is a good time as any. If a package is fishy, delete it and replace it with some simple code, if the package is not fishy, consider deleting it.
- Consider planting a canary token in places that are likely to get hacked and get sweet HN points for posting an early PSA
TZubiri•30m ago
The conclusion is that since source code can itself be analyzed by LLMs, there is a high possibility that vulns and privilege escalations may be discovered that would allow further attacks.
Here are some measures you can take:
1- Go through private repos and ensure there are no secrets. 2- Go through private repos, copy them to another system, and delete the repos. 3- Review privacy policies and settings, consider changing your account type to enterprise (I'd recommend going the opposite direction, but this is an option) 4- Consider not using github for a while. 5- If you are using non-essential Github software like GitHub CLI or vscode extensions, uninstall them. Learn to work with Git CLI if necessary. 6- Consider not downloading binaries from Github repos for a while. 7- Consider not downloading source code from GitHub for a while.
Other general recommendations can help as well: - Actually check hash digests, and ensure that the hash is distributed by other means than the code. - Consider using or strengthening alternative signature mechanisms like pgp. - Do not install stuff through package managers that don't review code. Consider writing the code yourself, read an RFC if necessary, it's ok. - Consider removing packages from the fishiest to the least. It's a chore, there's never time, but now is a good time as any. If a package is fishy, delete it and replace it with some simple code, if the package is not fishy, consider deleting it. - Consider planting a canary token in places that are likely to get hacked and get sweet HN points for posting an early PSA
Stay safe.