Surprise: When Dependabot Contributes Malicious Code

released on 2023-09-28 @ 07:54:38 PM
Between July 8-11, a threat actor started compromising hundreds of GitHub repositories, both public and private. Most victims are Indonesian user accounts. The attackers used a technique to fake commit messages (read more about how it's done here) to trick developers into thinking the commits were contributed by the real Dependabot, so that they would ignore the activity.