News

Attackers abused GitHub Actions workflows to siphon off thousands of credentials from hundreds of npm and PyPI repositories.
On September 5, 2025, GitGuardian discovered GhostAction, a massive supply chain attack affecting 327 GitHub users across 817 ...
Two npm packages hide downloader commands via Ethereum smart contracts; uploaded July 2025; targeting crypto developers.
GitHub is now also a CVE CNA and can issue its own CVE numbers for bugs disclosed in projects hosted on the platform.
The most important of these new security improvements is the expansion of the Security Alerts feature, which now also supports Java and .NET projects, on top of the original JavaScript, Ruby, and ...
Sysdig exposed how a trusted GitHub feature can silently hand control to attackers. pull_request_target isn't just risky, it's a loaded weapon in the wrong hands. Even top-tier security projects ...