This site may contain outdated or incomplete information.
Fake Dependabot commits
Dependabot is a bot maintained by GitHub that automatically submits pull requests to update project dependencies. An attacker pushed malicious commits impersonating Dependabot which were subsequently merged by repository maintainers. These commits included changes that introduced a GitHub Action workflow to steal repository secrets. In addition, the attackers added an obfuscated line to all javascript source files to steal information added to password fields.
Impact
The attackers submitted hundreds of such commits, primarily targeting GitHub users in Indonesia. To directly push the commits, the attackers also stole repository maintainer access tokens, to allow them to bypass two factor authentication.
Type of Compromise
Source Code
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.