| ▲ | GitHub is investigating unauthorized access to their internal repositories(twitter.com) |
| 157 points by splenditer 3 hours ago | 35 comments |
| |
|
| ▲ | vldszn 2 hours ago | parent | next [-] |
| GitHub: "We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity." |
| |
| ▲ | TZubiri 37 minutes ago | parent [-] | | It reminds me of the famous "mistakes were made" Nixon quote. "We are investigating unauthorized access" sounds much better than "we've been hacked" | | |
|
|
| ▲ | keyle an hour ago | parent | prev | next [-] |
| This is bad. If they came out announcing this, without a long winded explanation and further details, it's because they're staring at a bottomless pit and they haven't put the lid on it yet. For a Fortune 100, to go out of your way to spook investors is the least desirable approach. |
| |
| ▲ | eli 36 minutes ago | parent [-] | | Letting people know promptly is also the right thing to do and probably mandated by (at least some) customer contracts. You can't tell just some people; it would leak anyway. |
|
|
| ▲ | dijksterhuis 2 hours ago | parent | prev | next [-] |
| non-twitter link: https://xcancel.com/github/status/2056884788179726685#m |
|
| ▲ | vldszn 2 hours ago | parent | prev | next [-] |
| - Use Static analysis for GHA to catch security issues: https://github.com/zizmorcore/zizmor - set locally: pnpm config set minimum-release-age 4320 # 3 days in minutes https://pnpm.io/supply-chain-security for other package managers check: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e... - add Socket Free Firewall when installing npm packages on CI https://docs.socket.dev/docs/socket-firewall-free#github-act... |
| |
| ▲ | keyle an hour ago | parent | next [-] | | The only way to 'harden your github actions' is to not use github actions. | | | |
| ▲ | robbiet480 19 minutes ago | parent | prev | next [-] | | Thanks for making me aware of zizmor, just ran and fixed all issues on our core repos. | | |
| ▲ | vldszn 8 minutes ago | parent [-] | | You are welcome! Recently discovered it and found it genuinely useful. Fixed a bunch of issues in my workflows too :) |
| |
| ▲ | benoau 2 hours ago | parent | prev [-] | | You also need to make sure you take care using PR titles and descriptions in your GHA because if they contain `text` it will be executed lmfao. | | |
|
|
| ▲ | killingtime74 41 minutes ago | parent | prev | next [-] |
| Time to switch to Gitlab, Bitbucket or self-hosted |
|
| ▲ | surrTurr 14 minutes ago | parent | prev | next [-] |
| "Someone broke into our house and we have no clue if they're still hiding under the bed or in the drawer. TV is gone." |
|
| ▲ | MallocVoidstar 42 minutes ago | parent | prev | next [-] |
| https://pbs.twimg.com/media/HItbXhvW4AAMD8W?format=jpg&name=... All of their repos have been copied and are up for sale. Attackers are TeamPCP, the creators of the Shai-Hulud malware. |
| |
| ▲ | mpetrovich 3 minutes ago | parent [-] | | If that’s true and they do intend on shredding their copy on sale, what stops GitHub from buying it back themselves? (through a proxy, obv) |
|
|
| ▲ | waynesonfire 2 hours ago | parent | prev | next [-] |
| Are they required to announce that they're being hacked in real time? |
| |
| ▲ | tonetegeatinst an hour ago | parent [-] | | Microsoft owned so many a CYA to explain why the liability insurance goes up to investors? |
|
|
| ▲ | mstank 2 hours ago | parent | prev | next [-] |
| Is it just me or is this happening way more frequently in the last 4 or 5 months? Coincidently around the same time the models got a lot more capable? |
| |
| ▲ | tom_ an hour ago | parent | next [-] | | It's more likely that it isn't coincidental at all: software development-oriented LLMs became a lot better towards the end of 2025, and so there's a non-zero chance that people are using them to find new security exploits. (People are not sleeping on this and it is not something people have failed to notice. I don't use LLMs at all and even I have noticed it - largely because there is approximately nobody that isn't talking about it.) | | |
| ▲ | tptacek 25 minutes ago | parent | next [-] | | There is a 100% chance that people are using LLMs to find vulnerabilities and build exploits. If it was possible for something to be a 101% chance, that's what it would be. | |
| ▲ | OptionOfT 19 minutes ago | parent | prev [-] | | I think the other side is much more important. With company mandates to use AI as much as possible, there has been a deluge of low-quality PRs. Everybody is feeling tired from reviewing those, and quite possibly numerous security issues have been introduced since. |
| |
| ▲ | guluarte 15 minutes ago | parent | prev | next [-] | | I heard an engineer at Anthropic was submitting 150 PRs per day. That's one PR every 5 to 10 minutes, so you can guess the level of review and quality control involved. | |
| ▲ | bob1029 2 hours ago | parent | prev [-] | | I think it's more about the popularity than the capability. The chances you might accidentally put a Github access token into an undesired security context goes up dramatically when you actually create and use one on a regular basis. The developers at GH are certainly using these tools just like the rest of us. |
|
|
| ▲ | syngrog66 2 hours ago | parent | prev | next [-] |
| between all the Linux LPEs and Claude's known security flaws, alone, I'd be shocked if Github and Microsoft hadnt gotten hacked by now. reasonable bet we mainly hear it when big shops get bit |
| |
| ▲ | TZubiri 34 minutes ago | parent [-] | | Before 2026 I hosted client code on GitHub, now it feels suboptimal, code is both an intellectual property asset and security risk. Especially if the company is software based, self-hosting your code just has a much better risk profile for almost no cost. It's also one of those things that warms your team up and gets them ready for actual work, a team that has to self host their git and other infra, like self-hosting DNS servers with bind, will have a much better work ethic than engineers who click buttons on a SaaS and conflate their role as users of a system instead of admins of one. Additionally, using github actions, and relying on Pull Requests (Tm) (R) (C) has always been (useful) vendor lock in (and a security risk in case of GH Actions). It wasn't enough to lock down a choice, but it tilts the balance in favour of less dependencies, which with the increase of CVEs and supply chain vulns, seems to be the name of the game for this new era. Build it in house, ignore the dogma. |
|
|
| ▲ | kiernanmcgowan 2 hours ago | parent | prev | next [-] |
| Mythos has broken containment |
|
| ▲ | tiffanyh 30 minutes ago | parent | prev [-] |
| Is Twitter/X the right channel to announce a security event like this? I ask because I don’t see anything posted on their official blog or status page. https://github.blog/ https://www.githubstatus.com/ |
| |
| ▲ | cebert 29 minutes ago | parent [-] | | It’s a very popular messaging platform for tech enthusiasts. | | |
| ▲ | yallpendantools 10 minutes ago | parent [-] | | So? Is this where your corporate paying clients should find out about an issue of this severity? Not to mention Twitter is not an open platform anymore! (A) I'm an employee in an organization paying for Github. (B) I don't have a Twitter account. I already have a Github account because of (A). Why should (B) stop/delay me from getting official comms about this? |
|
|
