Supply chain attack on popular #GitHub Action exposes CI/CD secrets

Fake security alert: Scammers try to hijack GitHub accounts
Security researchers report attack attempts on around 12,000 GitHub repositories. The attackers aim to gain full control over accounts.
Is there a GDPR-friendly way to set up (self hosted) a free, minimalist Git source code management system without registration (just for me as the admin), possibly including templates for a privacy policy?
I want to move away from Github.
This week's donation went to a developer that goes by flightlessmango. They contribute to Mangohud among other projects. Mangohud is an overlay for monitoring FPS, temperatures, CPU/GPU load and more. Its code is licensed using the MIT license.
Their code can be found on Github:
https://github.com/flightlessmango
If you want to help them financially they accept donations through Github.
Tj-actions/changed-files GitHub Action Compromised – used by over 23K repos
Link: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
Discussion: https://news.ycombinator.com/item?id=43367987
Popular GitHub Action tj-actions/changed-files is compromised
Link: https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
Discussion: https://news.ycombinator.com/item?id=43368870
AI coding assistant refuses to write code, tells user to learn programming instead - On Saturday, a developer using Cursor AI for a racing game project hit an ... - https://arstechnica.com/ai/2025/03/ai-coding-assistant-refuses-to-write-code-tells-user-to-learn-programming-instead/ #largelanguagemodels #machinelearning #aipaternalism #stackoverflow #programming #airefusals #aicoding #chatgpt #chatgtp #biz #cursor #github #tech #ai
Security vulnerabilities: GitLab developers advise updating promptly
Important security updates have been released for the software development platform GitLab.
Hey peeps, if you're still using #GitLab and #GitHub and you're twitching a bit because they're fellating fascists, I want to point to the sign that says you can self-host @forgejo - a project which is also working on decentralisation and federation.
Failing that, @Codeberg also exists, are a European non-profit that also supports the development of Forgejo.
Hope that helps
This week's donation went to the LXQt desktop. It is a lightweight desktop that was born from the merger of LXDE and Razor-qt. It is currently available in around a couple dozen Linux and BSD distros. The code is licensed through a combo of GPLv2.0 and LGPLv2.1.
The project's main website is here:
The source code is available on Github:
The project has a presence on Mastodon:
https://mastodon.social/@LXQt
If you want to help the project financially they accept donations through their Open Collective:
FOSS roguelike dungeon crawler "Shattered Pixel Dungeon" has been updated to version 3.0.0. This update adds a new playable character, interface changes, bug fixes, and more. The code is licensed using GPLv3.0. It was made using libGDX.
The main website for the project is here:
The source code is available on Github:
https://github.com/00-Evan/shattered-pixel-dungeon
The release notes for this update are here:
https://github.com/00-Evan/shattered-pixel-dungeon/releases/tag/v3.0.0
The game can be downloaded on Itch and Github, as well as purchased on GOG:
https://shattered-pixel.itch.io/shattered-pixel-dungeon
https://www.gog.com/game/shattered_pixel_dungeon
The project has a presence on Mastodon and Lemmy:
https://mastodon.gamedev.place/@ShatteredPixel
If you wish to help the project financially you can donate through Liberapay, Itch, Patreon and by purchasing on GOG:
Long Read: Lessons from Building Semantic Search for GitHub and Why I Failed
Link: https://tzx.notion.site/What-I-Learned-Building-a-Free-Semantic-Search-Tool-for-GitHub-and-Why-I-Failed-1a09b742c7918033b318f3a5d7dc9751
Discussion: https://news.ycombinator.com/item?id=43299659
Is there shadow banning in github?
I created a new account and from that account opened a ticket on a repo.
For this ticket I have a valid URL. I can see the ticket information when I am logged in to the new account. When I use an old account I get a 404 for the ticket's URL.
Regardless of which account I use, I don't see the ticket in the repo's issues list.
Did anyone else experience something similar?
I just lost access to a substantial amount of issues on one of my #GitHub projects.
I would appreciate if people could help upvote https://github.com/orgs/community/discussions/153161 to get more attention.
GitHub staff won't even tell me how much data they've hidden from me, which is quite discouraging :(
FOSS performance overlay "GOverlay" has been updated to version 1.3. This update adds an App Image version, adds new color themes, adds a dedicated form for blacklist management, and more. The code is licensed using GPLv3.0. GOverlay is an open source project that aims to create a Graphical UI to help manage Linux overlays. The project can be found in various Linux distro repos.
The source code can be found on Github:
https://github.com/benjamimgois/goverlay
If you wish to help the project financially you can donate to the lead developer Benjamim Góis Ildefonso da silva through Paypal:
"Command & Conquer": Electronic Arts releases source code
Electronic Arts has released the source code of several installments of the "Command & Conquer" game series. This is intended to keep the titles playable for fans.
Kaspersky exposes hidden malware on GitHub stealing personal data
Link: https://www.kaspersky.com/about/press-releases/kaspersky-exposes-hidden-malware-on-github-stealing-personal-data-and-485000-in-bitcoin
Discussion: https://news.ycombinator.com/item?id=43206417
Project documentation of #opensource projects on #GitHub should be in…