As you may know, GitHub has detected a breach.
This originated from an employee installing a malicious VSCode extension (and no doubt escalated via other mechanisms.)
It transpires that the source code of GitHub has been leaked and is available for sale through crime/privacy-friendly networks.
The conclusion is that since source code can itself be analyzed by LLMs, there is a high possibility that vulns and privilege escalations may be discovered that would allow further attacks.
Here are some measures you can take:
1- Go through private repos and ensure there are no secrets.
2- Go through private repos, copy them to another system, and delete the repos.
3- Review privacy policies and settings, consider changing your account type to enterprise (I'd recommend going the opposite direction, but this is an option)
4- Consider not using GitHub for a while.
5- If you are using non-essential GitHub software like GitHub CLI or VSCode extensions, uninstall them. Learn to work with Git CLI if necessary.
6- Consider not downloading binaries from GitHub repos for a while.
7- Consider not downloading source code from GitHub for a while.
Other general recommendations can help as well:
- Actually check hash digests, and ensure that the hash is distributed by other means than the code.
- Consider using or strengthening alternative signature mechanisms like PGP.
- Do not install stuff through package managers that don't review code. Consider writing the code yourself, read an RFC if necessary, it's ok.
- Consider removing packages from the fishiest to the least. It's a chore, there's never time, but now is as good a time as any. If a package is fishy, delete it and replace it with some simple code; if the package is not fishy, consider deleting it.
- Consider planting a canary token in places that are likely to get hacked and get sweet HN points for posting an early PSA
Stay safe.
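The "check hash digests distributed by other means, and PGP signatures" advice above, as an added example (not from the post's author): a POSIX shell function that fails closed unless a downloaded artifact matches a digest you copied from a second channel, and optionally verifies a detached PGP signature against a keyring file you pinned yourself instead of whatever key the download server hands out. The function name, argument layout and the keyring-file convention are this example's own assumptions.

```shell
#!/bin/sh
# verify_artifact: fail closed unless the file's SHA-256 matches a digest
# obtained out of band (docs site, mail, chat) rather than the same page
# the binary came from, and, if a signature is given, unless it verifies
# against a keyring holding only the publisher's key (assumed layout).
#   $1 = artifact path
#   $2 = expected SHA-256 hex digest, copied from the second channel
#   $3 = optional detached signature (.asc/.sig)
#   $4 = optional keyring file (required when $3 is given)
verify_artifact() {
    file=$1; expected=$2; sig=${3:-}; keyring=${4:-}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # sha256sum (coreutils) or shasum (BSD/macOS); both print "<hex>  <name>"
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    # normalise case so a digest pasted with capitals still compares
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "DIGEST MISMATCH for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 2
    fi
    if [ -n "$sig" ]; then
        # never fall back to the default keyring: the whole point is that
        # only a key you pinned beforehand may vouch for this file
        [ -n "$keyring" ] || {
            echo "refusing signature check without a pinned keyring" >&2
            return 3
        }
        gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$file" \
            2>/dev/null || { echo "SIGNATURE CHECK FAILED for $file" >&2; return 4; }
    fi
    echo "OK: $file matches out-of-band digest${sig:+ and signature}"
    return 0
}
```

Return codes are distinct (1 missing file, 2 digest mismatch, 3 no pinned keyring, 4 bad signature) so a wrapper script can tell a typo in the digest from a tampered download.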
And what about copilot?
Discussion: https://news.ycombinator.com/item?id=48201316