GitHub Security Lab

🎶’twas the night before Christmas, and nothing looked strange, until malicious artifacts showed up in the change 🎶 in light of some recent open source malware campaigns, we’ve outlined some practical steps teams can take now - using phishing-resistant MFA, rotating and scoping tokens, reviewing third-party access, and adopting safer package publishing workflows a little security cleanup now can help avoid unwelcome presents in the new year 🎁 read the post: https://lnkd.in/eEEngZ8v

In just 17 minutes, 📌 Jaroslav Lobačevski shares his knowledge about securing GitHub Actions, drawing from hands-on experience uncovering hundreds of real-world vulnerabilities. Topics include: • Best practices of using third party actions • The security model of GitHub Actions: tokens and permissions, jobs isolation and secrets • pull_request vs pull_request_target • Common pitfalls that lead to Remote Code Execution (RCE): interpolation and environment injections, cache poisoning • …and more The talk wraps up with FREE tools to automate GitHub Actions security you can start using TODAY. https://lnkd.in/gpHRzQCd

GitHub Security Lab discovered a critical vulnerability in WooCommerce. We’d like to thank WooCommerce/Automattic for their incredibly quick response and fix of the vulnerability. “A critical vulnerability was discovered in WooCommerce (versions 8.1 to 10.4.2) that, if exploited, could allow logged-in customers to access order details belonging to guest customers.” If you are using WooCommerce, please update. For more info see WooCommerce’s blog post: https://lnkd.in/gDcU_--M

The Security Lab is hiring Security Researchers in the US and in the UK! Reporting to Kevin Backhouse and Xavier René-Corail. Apply on the GitHub Careers page! Search for "Security Lab" https://lnkd.in/gj4kJuyp

We’re #hiring. 2 Principal Security Researchers, in the US and the UK. Know anyone who might be interested?

Hello Hackers! Here are our November bug bounty stats! 🐛146 bounty reports submitted 👩💻102 hackers participated in our program 💰Awarded $93,068 in bounties Found a vulnerability? Submit it here: https://bounty.github.com/

Attending AI Native DevCon? Join Joseph Katsioloudes and discover practical ways to use AI for security through 14 live GitHub Copilot demos from secure coding, to supply chain decisions, to MCP servers. 📅 November 19, 11:40 AM EST 📍 Industry City, Kings County, NY + online 👉 ainativedev.io/devcon

Join us at Nerdearla to discover how GitHub secures the open source software we all rely on. From groundbreaking security research and education initiatives to free tools for open source and programs that have strengthened the security of hundreds of projects worldwide — we’re excited to share it all! 📅 November 14, 11 AM CET 📍 LaNaveMadrid + free online streaming 👉 nerdearla.es

🚀 GitHub is making Actions more secure by default We recently announced upcoming changes to the pull_request_target event and environment protection rules — one of the first steps in a broader roadmap to make GitHub Actions more secure by default. We’ve opened a discussion post to collaborate and gather feedback from the community on these changes and what’s coming next. Join the conversation 👇 🔗 https://lnkd.in/gietje5x