GitHub Enables Secret Scanning Push Protection by Default for Public Repositories

On Thursday, GitHub announced that secret scanning push protection is now enabled by default for all pushes to public repositories.

“This means that when a supported secret is detected in any push to a public repository, you will have the option to remove the secret from your commits or, if you deem the secret safe, bypass the block,” explained Eric Tooley and Courtney Claessens.

Push protection has been in testing since April 2022, became generally available in May 2023, and was made available to public repositories as an opt-in feature in August 2023.

The secret scanning engine detects more than 200 token types and patterns from over 180 service providers, so that a leaked credential is blocked at push time, before a bad actor can find and abuse it.
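To make the mechanism behind push protection concrete, here is an added example (not GitHub's own scanner, and not part of the original announcement) of a client-side pre-push style check: it scans the added lines of each commit's diff for token patterns, blocks the push when one is found, and lets the user either remove the offending commit content or explicitly bypass. The pattern set is a small illustrative subset whose exact formats are assumed here for the example, not GitHub's full list, and the diffs are constructed sample input containing placeholder tokens.

```python
"""Illustrative client-side secret scan for a git push.

Added example, not GitHub's push protection code. It mirrors the behaviour the
announcement describes: detect a supported secret in pushed content, block the
push, and offer the user a choice between removing the secret and bypassing.
"""
import re
from dataclasses import dataclass

# Illustrative patterns. Assumption for this example: token shapes of a few
# well-known providers; GitHub's real pattern set is far larger.
TOKEN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    line_no: int      # line number in the new version of the file
    secret_type: str


def scan_diff(commit, diff_text):
    """Scan only the added ('+') lines of a unified diff for token patterns.

    Removed lines are ignored: deleting a secret should not trip the check, and
    they do not advance the new-file line numbering.
    """
    findings = []
    path = None
    line_no = 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].strip()
            if path.startswith("b/"):
                path = path[2:]
            continue
        if line.startswith("@@"):
            # "@@ -a,b +c,d @@": new-file numbering starts at c
            m = re.search(r"\+(\d+)", line)
            line_no = int(m.group(1)) - 1 if m else 0
            continue
        if line.startswith("+"):
            line_no += 1
            content = line[1:]
            for name, pat in TOKEN_PATTERNS.items():
                if pat.search(content):
                    findings.append(Finding(commit, path, line_no, name))
        elif line.startswith(" "):
            line_no += 1  # unchanged context line
    return findings


def check_push(commit_diffs, bypass=False):
    """Return (allowed, findings) for a set of commits about to be pushed.

    The push is allowed only when nothing was found or the user explicitly
    chose to bypass, the same two outcomes the announcement describes.
    """
    findings = []
    for commit, diff in commit_diffs.items():
        findings.extend(scan_diff(commit, diff))
    return (not findings) or bypass, findings


# Constructed sample input. The token values are placeholders shaped like real
# credentials (the AWS one is Amazon's documented example key), not live secrets.
SAMPLE_PUSH = {
    "a1b2c3d": """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-API_URL = "https://api.example.test"
+API_URL = "https://api.example.test"
+# constructed placeholder with the shape of an AWS access key ID
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
 DEBUG = False
""",
    "e4f5a6b": """\
diff --git a/.env b/.env
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+# constructed placeholder with the shape of a GitHub personal access token
+GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
""",
}

CLEAN_DIFF = """\
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # demo
+Docs updated.
"""

if __name__ == "__main__":
    allowed, findings = check_push(SAMPLE_PUSH)
    for f in findings:
        print(f"blocked: {f.secret_type} in {f.commit} {f.path}:{f.line_no}")
    if not allowed:
        print("remove the secret from the commit(s) and push again, or bypass")
```

Note that a scanner of this kind cannot tell a live credential from a placeholder, which is exactly why the bypass path exists and why GitHub later added validity checks for some providers; treat every bypass as an auditable decision rather than a routine click.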

The move comes almost five months after the Microsoft subsidiary extended secret scanning with validity checks, which determine whether a detected token is still active, for well-known services such as Slack, Google, Amazon Web Services, and Microsoft.

It also follows the discovery of an ongoing "repo confusion" attack against GitHub, in which thousands of repositories on the source code hosting platform have been seeded with obfuscated malware capable of stealing Bitcoin and credentials from developer machines.

The attacks are a continuation of the same malware distribution campaign that Phylum and Trend Micro documented the previous year, in which BlackCap Grabber, a stealer, is distributed through bogus Python packages placed in trojanized repositories.

“Repo confusion attacks simply rely on humans to mistakenly pick the malicious version over the real one, sometimes employing social engineering techniques as well,” Apiiro stated in a paper published this week.