Two stories about GitHub

GitHub is a code development environment and code repository used around the world by many software developers and well-known applications. Consequently, it is also a prime target for threat actors: if they can get inside the development of a package, they can infect the many unsuspecting users who depend on it.

The collaboration tool Slack has suffered a GitHub breach, similar to the one experienced by Dropbox, that impacted the code they use for their application:

Slack security update | Slack

It does not affect their users – according to their own press release – and the issues were quickly fixed – again according to their press release. But this incident does illustrate how vulnerable our supply chains are to attack.

An unaware software developer writing something bespoke for your website or office could use compromised code from GitHub and so infect your systems. Because this is becoming such an issue, GitHub is taking steps to help detect problems through their platform:

GitHub makes it easier to scan your code for vulnerabilities (bleepingcomputer.com)

However, you should do your own due diligence when it comes to your web or software developers and how they manage these types of issues. Here is something to think about:

How much are you relying on your web designer to protect your reputation? – CyberAwake

If you are a web designer and are not sure how to deal with these issues then get in contact and I will be happy to spend the time it takes me to drink a mug of hot coffee, chatting with you about this on Teams.

Clive Catton MSc (Cyber Security) – by-line and other articles

Further Reading

Here is the classic, stealthy supply chain attack:

The SolarWinds breach – a write up – Smart Thinking Solutions