A large-scale phishing campaign is targeting developers directly inside GitHub, using fake Visual Studio Code security alerts posted through Discussions to trick users into installing malicious software.
https://socket.dev/blog/widespread-github-campaign-uses-fake-vs-code-security-alerts-to-deliver-malware
#github
Part one of a two-part series on GitHub Actions security, covering the core threat model, common misconfigurations, and real-world attack examples.
https://www.wiz.io/blog/github-actions-security-threat-model-and-defenses
#github
Wiz Research discovered CVE-2026-3854 (CVSS 8.7): an unsanitized semicolon injection in GitHub's X-Stat internal header allows any authenticated user to override security fields via git push -o, achieving RCE on GitHub.com and full GHES server compromise.
https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
#github