GitHub Implements Default Secret Scanning Push Protection for Public Repositories

GitHub has announced the rollout of default secret scanning push protection for all pushes to public repositories. This means that whenever a supported secret is detected in a push to a public repository, users will have the option to remove the secret from their commits or, if deemed safe, bypass the block.

Eric Tooley and Courtney Claessens stated, “This means that when a supported secret is detected in any push to a public repository, you will have the option to remove the secret from your commits or, if you deem the secret safe, bypass the block.”

Push protection has been under testing since April 2022 and became generally available in May 2023; in August 2023 it was piloted as an opt-in feature.

Secret scanning is designed to identify over 200 token types and patterns from more than 180 service providers, so that leaked credentials can be caught before malicious actors can make fraudulent use of them.

This development comes after GitHub expanded secret scanning to include validity checks for popular services such as Amazon Web Services (AWS), Microsoft, Google, and Slack.

The rollout also follows the discovery of an ongoing “repo confusion” attack targeting GitHub. This attack involves thousands of repositories containing obfuscated malware capable of stealing passwords and cryptocurrency from developer devices.

These attacks are part of a larger malware distribution campaign first disclosed by Phylum and Trend Micro last year. The campaign uses bogus Python packages hosted on cloned, trojanized repositories to deliver a stealer malware called BlackCap Grabber.

Apiiro, in a recent report, explained that “repo confusion attacks simply rely on humans to mistakenly pick the malicious version over the real one, sometimes employing social engineering techniques as well.”
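To make the block-or-bypass mechanism concrete, here is an added example that is not GitHub's code: a local approximation of push protection that scans only the lines a push would add, blocks on a match, and records an explicit bypass reason. The two token patterns and the diff are constructed for illustration and do not reproduce GitHub's detector.

```python
import re

# Illustrative token patterns (constructed for this example; GitHub's own
# scanner covers 200+ token types and is not reproduced here).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}


def scan_added_lines(diff_text):
    """Return (pattern_name, diff_line_no, match) for each secret in added lines.

    Only '+' lines of a unified diff are examined, so a commit that removes an
    old secret does not trigger the block; the '+++' file header is skipped."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((name, line_no, match.group(0)))
    return findings


def push_decision(diff_text, bypass_reason=None):
    """Mimic push protection: block when a secret is found unless the pusher
    supplies a bypass reason, which a real system would log for audit."""
    findings = scan_added_lines(diff_text)
    if not findings:
        return "allow", findings
    if bypass_reason:
        return "allow-bypassed", findings
    return "block", findings


# Constructed diff: an old key is removed and a new one is added. Both values
# are AWS's documented placeholder keys, not live credentials.
CONSTRUCTED_DIFF = """\
--- a/config.py
+++ b/config.py
-OLD_KEY = "AKIAIOSFODNN7EXAMPLE"
+NEW_KEY = "AKIAI44QH8DHBEXAMPLE"
+REGION = "us-east-1"
"""

if __name__ == "__main__":
    decision, hits = push_decision(CONSTRUCTED_DIFF)
    print(decision, hits)  # block [('aws_access_key_id', 4, 'AKIAI44QH8DHBEXAMPLE')]
```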
