IBM’s pen testing group X-Force Red released a new source-code management (SCM) attack simulation toolkit Tuesday, with new research revealing ways to use native SCM functionality in attacks. Brett Hawkins of X-Force Red will present the research at Black Hat later in the week.
Source-code management tools like GitHub are more than just a home to intellectual property. They are a way to install code en masse on every system that code reaches. Two of the most devastating attacks in history - NotPetya and SolarWinds - came out of malicious code inserted into updates, then uploaded to clients. Sloppy SCM users sometimes leave API keys and passwords exposed in code, giving SCM dorks access to other systems; from there, SCM may be connected to other DevOps servers and become a pivot point.
“There's not really any research out there on attacking and defending these systems,” Hawkins told SC Media.
At present, most attacks on SCM are by bad actors searching for interesting exposed files, repositories and content. But Hawkins developed more sophisticated attacks leading to privilege escalation, stealth and persistence to use in pen tests. That might mean using administrator access to create or duplicate tokens used to access the SCM. Alternatively, on GitHub, that might mean clicking a single button to impersonate users.
Hawkins jammed his research and reconnaissance tools into SCMKit, the toolkit released Tuesday. “There's nothing out there that exists like SCMKit right now. It allows you to do a bunch of different attack scenarios including reconnaissance, privilege escalation, and persistence against GitHub Enterprise, GitLab Enterprise and Bitbucket,” said Hawkins. “I’m hoping to get some good feedback from the infosec community.”
Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.