Security researchers at Checkmarx are warning about a supply chain attack technique that uses spoofed commit metadata to make malicious GitHub repositories look trustworthy.
Open source software speeds up application development, and many developers skip a thorough audit of third-party code when they believe it comes from a reputable source. Checkmarx researchers note that threat actors can tamper with some of the metadata attached to a GitHub project, such as commit timestamps and committer identities, to inflate its apparent reputation and improve the odds that application developers pick it up.
As a countermeasure, Checkmarx points to GitHub's "vigilant mode": once a user enables it, every commit and tag attributed to their account is displayed with its signature verification status, so a commit that merely names them as author but was not signed with their key is flagged as unverified rather than shown without any status.
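To make the two points above concrete, here is an added example (not code from Checkmarx or from the SecurityWeek article) that first forges a commit's author identity and dates in a throwaway local repository, then audits the repository for commits whose identity is not backed by a good signature. The maintainer name, e-mail address, backdate and temporary path are constructed sample values, not taken from the page.

```shell
#!/usr/bin/env sh
# Added example, not from the original article: forge git commit metadata,
# then audit a repository for commits that are not backed by a GOOD signature.
# Assumptions (constructed, not from the page): the repository is local,
# 'Famous Maintainer' / maintainer@example.com and the 2015 backdate are
# sample values, and only signature status G (good) is treated as trusted.

# Create a throwaway repository containing one commit that claims to come
# from a well-known maintainer and to have been made years ago.
make_spoofed_repo() {
  repo="$1"
  rm -rf "$repo"
  git init -q "$repo"
  printf 'print("hello")\n' > "$repo/app.py"
  git -C "$repo" add app.py
  # user.name / user.email are free-form text: anyone can set them to a
  # maintainer's identity, and GitHub links the commit to whichever account
  # owns that e-mail. GIT_AUTHOR_DATE / GIT_COMMITTER_DATE backdate the history.
  GIT_AUTHOR_DATE='2015-03-01T10:00:00Z' \
  GIT_COMMITTER_DATE='2015-03-01T10:00:00Z' \
  git -C "$repo" \
      -c user.name='Famous Maintainer' \
      -c user.email='maintainer@example.com' \
      -c commit.gpgsign=false \
      commit -q -m 'Initial import'
}

# Print every commit whose signature status is anything other than G (good).
# %G? yields: G good, B bad, U good but untrusted key, X/Y expired signature
# or key, R revoked key, E cannot check, N no signature at all.
# Columns: short hash, signature status, author e-mail, author date, commit date.
audit_unsigned_commits() {
  repo="$1"
  git -C "$repo" log --format='%h %G? %ae %aI %cI' |
    awk '$2 != "G" { print }'
}

# Demo: the forged commit shows the spoofed identity and 2015 date, but its
# signature column is N, which is exactly what vigilant mode surfaces as
# "Unverified" on GitHub.
demo="${TMPDIR:-/tmp}/spoofed_repo_demo.$$"
make_spoofed_repo "$demo"
audit_unsigned_commits "$demo"
rm -rf "$demo"
```

The audit is deliberately strict: a commit that merely names a trusted maintainer (matching `%ae`) but carries status `N`, `U` or `E` is listed, because the e-mail column is attacker-controlled and only a good signature from a key you trust ties the commit to the person it names. The same `%G?` field is what to check in a pipeline that gates dependencies on signed history.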
Read More: https://www.securityweek.com/supply-chain-attack-technique-spoofs-github-commit-metadata