InfoQ

LinkedIn Leverages GitHub Actions, CodeQL, and Semgrep for Code Scanning

LinkedIn has rebuilt its static application security testing (SAST) pipeline using GitHub Actions and custom workflows, ...
Bleeping Computer

Hackers can bypass npm’s Shai-Hulud defenses via Git dependencies

The defense mechanisms that NPM introduced after the 'Shai-Hulud' supply-chain attacks have weaknesses that allow threat actors to bypass them via Git dependencies. Collectively called PackageGate, ...
Bleeping Computer

Shai-Hulud 2.0 NPM malware attack exposed up to 400,000 dev secrets

The second Shai-Hulud attack last week exposed around 400,000 raw secrets after infecting hundreds of packages in the NPM (Node Package Manager) registry and publishing stolen data in 30,000 GitHub ...
GitHub

Remove GitHub Copilot fetch tool "Always Allow" permission.

I was not given this option. Now GitHub Copilot automatically fetches items, and even worse, if multiple items are fetched, no indication is given of what URLs were fetched, as I explained in #265850.
Krebs on Security

Self-Replicating Worm Hits 180+ Software Packages

At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on ...
GitHub

fetch server reproducible bug

Enable the fetch server with Claude Desktop. I have the Pro subscription. Give it this URL, it'll pull a dozen articles I wrote and summarize them. I manually counted and I see 31 articles under this ...