Tag Archives: GitHub

New York Times Source Code Stolen From Exposed GitHub Token

Hacker, ,

Internal source code and data belonging to The New York Times was leaked on the 4chan message board after being stolen from the company’s GitHub repositories in January 2024, The Times confirmed to BleepingComputer.

As first seen by VX-Underground, the internal data was leaked on Thursday by an anonymous user who posted a torrent to a 273GB archive containing the stolen data.

“Basically all source code belonging to The New York Times Company, 270GB,” reads the 4chan forum post. “There are around 5 thousand repos (out of them less than 30 are additionally encrypted I think), 3.6 million files total, uncompressed tar.”

In a statement to BleepingComputer, The Times said the breach occurred in January 2024 after credentials for a cloud-based third-party code platform were exposed. A subsequent email confirmed this code platform was GitHub.

“The underlying event related to yesterday’s posting occurred in January 2024 when a credential to a cloud-based third-party code platform was inadvertently made available. The issue was quickly identified and we took appropriate measures in response at there time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity” – The New York Times

Mashable reported reported the controversial image board 4Chan is back in the news this week after two big data dumps were posted on the site.

Now, it appears that the New York Times Company is the largest establishment to have its data leaked on 4Chan over the past week. The data allegedly includes source code to its viral World game.

Mashable reported X user @vxunderground appears to be the first to notice that 270GB of internal data connected to the New York Times was posted online. The data contains the company’s internal source code and consists of more than 5,000+ source code repositories. The leak is made up of a total of roughly 3,600,000 files.

According to a text file shared by the hacker, 6,223 folders were stolen from the New York Times’ GitHub repository. This includes internal company IT documents and source code, which includes the popular word game that the Times acquired in 2022, Wordle.

The Register reported a 4chan user claims to have leaked 270GB of internal New York Times data, including source code and other web assets, via the notorious image board.

According to the unnamed netizen, the information includes, “basically all source code belonging to The New York Times Company,” amounting to roughly 5,000 repositories and 3.6 million files now available for download from peer-to-peer networks. Details on how to get the files where shared by the poster on 4chan.

Of the files listed – whose names indicate everything from blueprints to Wordle to email marketing campaigns and ad reports — “less than 30” repositories are “encrypted,” the 4channer claimed. Again, take this with a healthy does of salt considering the source — an unnamed 4chan user.

In my opinion, stealing files and data from a large company’s GitHub is not a good idea. It is entirely possible that the New York Times may have already hired someone to find the hacker who did this.

GitHub Will Require All Users Who Contribute Code to Enable 2FA

Security,

GitHub announced that it will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentications (2FA) by the end of 2023. This is part of GitHub’s platform-wide effort to secure the software ecosystem through improving account security.

GitHub described their reasoning for requiring 2FA this way:

The software supply chain starts with the developer. Developer account are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step towards securing the supply chain. GitHub has a long history of protecting developers through efforts including seeking and invalidating known-compromised user passwords, offering robust WebAuthn security key support, and enrolling all npm publishers in enhanced login verification.

According to GitHub, most security breaches are not the product of exotic zero-day attacks, but rather involve lower-cost attacks like social engineering, credential theft or leakage, and other avenues that provide attackers with a broad range of access to victim accounts and the resources they have access to.

GitHub continues by pointing out that compromised accounts can be used to steal private code or push malicious changes to the code. This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial.

Protocol reports that just 16.5% of GitHub.com users currently use two-factor authentication, considered to be a substantially more secure method of logging in given that it requires more than just a password. The two-factor authentication requirement will affect GitHub.com’s 83 million users, and is being announced well in advance to “make sure we get this right” in terms of user experience for developers, said Mike Hanley, chief security officer at GitHub.

According to Protocol, the announcement by Microsoft-owned GitHub comes at a time of high anxiety in the enterprise about the potential for security risks of open source software components. This is due in part to rising attacks against software supply chains – which jumped by more than 300% in 2021, according to a report from application protection firm Aqua Security.

In my opinion, it is a very good idea to put 2FA on everything – even if you don’t happen to post code on GitHub. Two-factor identification is a great way to prevent someone from stealing your social media accounts, breaking into your personal website, or preventing you from accessing your most frequently used email accounts. It makes sense for GitHub to be requiring 2FA.

GitHub Reinstated YouTube-dl and will Overhaul DMCA Reviews

Information, ,

GitHub announced that they reinstated youtube-dl after receiving additional information about the project that enabled GitHub to reverse a Digital Millennium Copyright Act (DMCA) takedown. As a result, GitHub has created a developer-focused approach that requires specific steps that will be performed before any takedown claim is processed.

TechCrunch reported that in October, the Recording Industry Association of America (RIAA) sent a DMCA complaint to GitHub over YouTube-dl. The project allowed viewers to download YouTube videos for offline viewing. The RIAA said that this circumvented DRM and promoted the piracy of several popular songs.

As a result, GitHub took down YouTube-dl because platforms like it have to comply with laws. In their blog post, GitHub noted: “DCMA takedown claims based on circumvention are a growing, industry-wide issue for developers with far-reaching implications.” There was also another problem:

Section 1201 dates back to the late 1990s and did not anticipate the various implications it has for software use today. As a result, Section 1201 makes it illegal to use or distribute technology (including source code) that bypasses technical measures that control access or copying of copyrighted works, even if that technology can be used in a way that would not be copyright infringement.

GitHub states that it received information that showed the youtube-dl project does not in fact violate the DMCA’s anticircumvention prohibitions. GitHub concluded that the allegations did not establish a violation of the law. As a result, GitHub reinstated the youtube-dl project.

There is a detailed list of things that GitHub is changing in their effort to overhaul their 1201 claim review process. They are doing this at their own cost and at no cost to the developers who use GitHub.

To me, these changes could prevent the RIAA from having a DMCA takedown request immediately acted upon. It also sounds like the changes enable GitHub to do some investigating about the validity of the RIAA claim before taking action.

GitHub’s Newly-Created Repositories Default to ‘Main’ on October 1

Software

GitHub announced that on October 1, 2020, any new repositories you create will use “main” as the default branch, instead of “master”. The change does not impact any of your existing repositories: existing repositories will continue to have the same default branch they have now.

In June of 2020, GitHub decided to replace the term “master” on its service with a neutral word like “main”. That change will be taking place as of October 1, 2020. GitHub explains the reason they selected the word “main” to replace “master” this way:

main is the most popular replacement for master that we’re seeing across GitHub. We like it because it’s short, it keeps your muscle memory intact, and it translates well across most languages. We’re using main for our newly-created repositories and for the repositories we’re moving now, like depandabot-core.

Later this year, GitHub has plans for seamless moves for existing repositories. They point out that renaming the default branch today causes a set of challenges. GitHub states that by the end of the year they will make it seamless for existing repositories to rename their default branch. When you rename the branch, GitHub will retarget your open PRs and draft releases, move your branch protection policies, and more – all automatically.

ZDNet reported that GitHub’s move to replace “master” with “main” is part of a bigger trend in the tech community. Companies and major open source projects like Microsoft, IBM, Twitter, Red Hat, MySQL, the Linux kernel, and OpenBSD have also agreed to make changes to their technical jargon.

GitHub will Replace “Master” with “Main” on its Service

Software

GitHub is working on replacing the term “master” on its service with a neutral term like “main”. The reason for this change is to avoid any unnecessary references to slavery, says GitHub CEO Nat Friedman, ZDNet reported.

For those who are new to this terminology, PC Mag has an easy to understand explanation of what master/slave means. “An electronic interaction in which one device acts as the controller (the master) and initiates the commands, and the other devices (the slaves) respond accordingly.”

Right now, there are many Black Lives Matter protests happening. You’ve probably seen photos and videos from the protests on social media.

Black Lives Matter Foundation was founded in 2013 in response to the acquittal of Trayvon Martin’s murderer. It is a global organization in the US, UK, and Canada whose mission it is to eradicate white supremacy and build local power to intervene in violence inflicted on Black communities by the state and vigilantes. Those who support this movement are working for a world where Black lives are no longer systematically targeted for demise.

With that in mind, it is obvious why continuing to use the “master/slave” terminology is hurtful. There are other options for “master” including: primary, conductor, coordinator, and main. The term “slave” could be replaced by secondary, drone, worker, doer, or minion. GitHub is moving in the right direction by replacing “master” with “main’.

GitHub Acquires Semmle

internet,

GitHub announced (in a blog post written by Nat Friedman) that is is “welcoming Semmle to GitHub”. The acquisition is seen by GitHub as a big step in securing the open source supply chain. Semmle sees it as “a fabulous milestone in a 13-year journey.”

Semmle’s revolutionary semantic code analysis engine allows developers to write queries that identify code patterns in large codebases and search for vulnerabilities and their variants. Semmle is trusted by security teams at Uber, NASA, Microsoft, Google, and has helped thousands of vulnerabilities in some of the largest codebases in the world, as well as over 100 CVEs in open source projects to date.

According to TechCrunch, GitHub did not disclose the price of the acquisition of Semmle. What is known is that Semmle launched yeast year with a $21 million Series B round led by Accel. In total, the company raised $31 million before this acquisition.

Oege de Moor from Semmle wrote: “By joining GitHub we are taking the next step in changing how software is developed, allowing every developer to benefit from the expertise of the top security researchers in the world. I can’t imagine a more fitting recognition of our team’s hard work, or a better opportunity to realize the full potential of the vision and technology.”

According to Semmle, there will be no disruption to existing users of Semmle products. GitHub and Semmle are deeply committed to securing the open source ecosystem, and as part of that commitment, LGTM.com will continue to be available for free for public repositories and open source. Semmle is also going to continue their open source security research. Existing Semmle products will integrate with GitHub’s existing product range.

It seems to me that this is one acquisition situation were nothing will be lost. Semmle’s products, and GitHubs products, are going to be integrated together.

Microsoft has Acquired GitHub

Microsoft,

Microsoft announced that it has reached an agreement to acquire GitHub, the world’s leading software development platform where more than 28 million developers learn, share, and collaborate.

Under the terms of the agreement, Microsoft will acquire GitHub for $7.5 billion in Microsoft stock. Subject to customary closing conditions and completion of regulatory review, the acquisition is expected to close by the end of the calendar year.

GitHub will retain its developer-first ethos and will operate independently to provide an open platform for all developers in all industries. Developers will be able to use the programming languages, tools and operating systems of their choice for their projects – and will still be able to deploy their code to any operating system, any cloud and any device.

GitHub announced, in a blog post written by CEO and Co-Founder of GitHub, @defunkt, that Microsoft was acquiring GitHub. The post states that Microsoft and GitHub expect the agreement to close by the end of the year.

GitHub says that they will remain focused on the developer. They feel that Microsoft’s vision for the future closely matches their own. Nat Friedman, Microsoft Corporate Vice President, Developer Services, will be taking on the role of GitHub’s CEO. GitHub says it has been searching for a new CEO for some time.