Page 154 - Cyber Defense eMagazine June 2024
more sustainable approaches to open-source software—and, maybe, to make the classic xkcd comic
"Dependency" less reflective of the current state of software development.
But from a security standpoint, there's another key takeaway here: in today's world of supply-chain
attacks, failing to include GitHub in your attack surface mapping could rapidly become a very costly
mistake - especially for companies not actively involved in open-source development themselves.
GitHub: A Double-Edged Sword
GitHub's meteoric rise in popularity has made it an irresistible target for hackers and cybercriminals. With
over 300 million public repositories and 100 million users, the platform's vast attack surface provides
ample opportunities for malicious actors to exploit. GitHub's widespread adoption across industries, from
tech giants to government agencies, means that a single vulnerability or compromised account can have
far-reaching consequences.
GitHub was the staging ground for Jia Tan, the (likely fake) profile that patiently built up a history of
credibility in preparation for the XZ Utils sabotage. But this is just one example of how threat actors are
using the platform to deceive developers: recently, attackers impersonated Dependabot (a bot that
checks for outdated dependencies and suggests ready-to-merge changes) to exfiltrate secrets from
hundreds of repositories. A study revealed that millions of repositories are potentially vulnerable to
"RepoJacking," a supply chain attack that allows malicious actors to gain control over a GitHub
namespace by registering a newly available username. The platform's open nature and collaborative
features, while essential for fostering innovation, also make it an ideal hunting ground for threat actors.
Hackers can easily create accounts, contribute to projects, and even set up malicious repositories that
masquerade as legitimate ones.
They can also harvest sensitive data inadvertently exposed on the platform, particularly secrets, of which
12.8 million were exposed just in 2023. This highlights the urgent need for organizations to seriously
consider monitoring their GitHub footprint.
The State of Secrets Sprawl
The proliferation of code repositories on GitHub amplifies the risk of sensitive information being exposed,
both accidentally and deliberately. In its 2024 edition of the State of Secrets Sprawl, code security
company GitGuardian reports that a staggering 12.8 million new secret occurrences leaked publicly on
GitHub in 2023, marking a 28% increase from the previous year. This trend is even more concerning
considering that the number of such incidents has quadrupled since 2021.
The report identified over 1 million valid occurrences of Google API secrets, 250,000 Google Cloud
secrets, and 140,000 AWS secrets leaked. Many of these leaks concerned enterprise-owned credentials,
with the IT sector accounting for nearly 66% of all detected leaks. However, the issue spans many
industries, including education, science and tech, retail, manufacturing, and finance and insurance,
highlighting how broadly different sectors are exposed on the code-sharing platform.
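As an added example (not code from the article or from GitGuardian), here is the kind of check an organization can run over its own repository contents before they are pushed: a small Python scanner that flags the two credential families the report calls out, AWS access key IDs and Google API keys, by their commonly documented prefixes, and additionally flags quoted high-entropy values assigned to secret-like variable names. The regexes, the entropy threshold and the sample file are assumptions constructed for this example, and the key values in it are made up.

```python
import math
import re
from typing import Dict, List, Tuple

# Assumed, illustrative patterns: Google API keys begin with "AIza" and AWS
# access key IDs with "AKIA". These are not GitGuardian's detection rules.
PATTERNS: Dict[str, re.Pattern] = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Assignments such as `db_password = "..."` whose quoted value is long enough
# to be a credential; the value is then screened by its Shannon entropy.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|api_key)\s*[:=]\s*['\"]([^'\"]{16,})['\"]")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score higher than words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix so a report can be shared without re-leaking the secret."""
    return value[:4] + "...****"


def scan_text(text: str, entropy_threshold: float = 3.5) -> List[Tuple[int, str, str]]:
    """Return (line number, finding type, redacted value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, name, redact(m.group(0))))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(2)
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high_entropy_" + m.group(1).lower(), redact(value)))
    return findings


# Constructed sample file; every value below is invented for the example.
SAMPLE = """\
# config.py committed by mistake
GOOGLE_MAPS_KEY = "AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q"
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
password = "hunter2"
db_password = "x9K3pQ7vL2mN8rT4wZ6b"
"""

if __name__ == "__main__":
    for lineno, kind, snippet in scan_text(SAMPLE):
        print(f"line {lineno}: {kind} {snippet}")
```

The short dictionary word on line 4 of the sample is skipped by the length requirement, while the random-looking value on line 5 is reported even though no prefix pattern knows its format.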
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.