Attackers targeting software supply chains are impersonating GitHub Dependabot to sneak their malicious code changes past developers.

Security researchers have discovered a campaign in which attackers attempted to sneak code into software projects by disguising their changes as ones made by GitHub Dependabot. Dependabot is designed to alert users to security vulnerabilities in a project’s dependencies, and it does so by automatically generating pull requests that keep those dependencies updated. As a result, developers extend a level of trust to code changes that appear to come from Dependabot: they might not even check the code before approving the pull request and merging the changes into the project. The impersonation works because a commit’s author name and e-mail are plain strings set by whoever pushes the commit; on their own they carry no proof that GitHub’s Dependabot actually produced the change. To launch the impersonation attack, the attackers first need write access to the project repository. In this campaign they gained initial access to hundreds of project repositories using stolen personal access tokens; how those tokens were stolen is not known. Attacks like this are a reminder of the level of sophistication in software supply chain attacks.
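One check a maintainer can run locally to catch this kind of impersonation, written here as an added example (it is not code from the segment or from GitHub): list recent commits with `git log`, and flag any commit whose author identity claims to be Dependabot but that does not carry a cryptographically good signature. The example assumes that genuine Dependabot commits are authored as `dependabot[bot]` with a `users.noreply.github.com` address and are signed by GitHub, and that GitHub’s public signing key has been imported into the local keyring so `git` can verify them; the sample log lines at the bottom are constructed for the demonstration.

```python
"""Flag commits that claim Dependabot authorship but lack a good signature.

Added example, not from the original segment. Idea: an author string can be
forged by anyone with push access, but a signature from GitHub's key cannot,
so "looks like Dependabot" + "no good signature" is the impostor pattern.
"""
import subprocess
from dataclasses import dataclass

# Identity strings assumed for genuine Dependabot commits (check them against
# a verified Dependabot commit in your own repository and adjust if needed).
DEPENDABOT_AUTHOR_NAME = "dependabot[bot]"
DEPENDABOT_EMAIL_SUFFIX = "dependabot[bot]@users.noreply.github.com"

# git's %G? signature status codes:
#   G good, U good but key validity unknown, B bad, X/Y expired, R revoked,
#   E cannot be checked (e.g. key not in keyring), N no signature.
# Only G and U mean the signature actually verified against a key we hold.
GOOD_STATUSES = {"G", "U"}

# NUL-separated fields so names containing spaces or pipes cannot break parsing.
LOG_FORMAT = "%H%x00%an%x00%ae%x00%G?"


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str  # one %G? code


def parse_log(text: str) -> list[Commit]:
    """Parse `git log --format=LOG_FORMAT` output into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\0")
        if len(parts) != 4:
            raise ValueError(f"unexpected git log line: {line!r}")
        commits.append(Commit(*parts))
    return commits


def claims_dependabot(c: Commit) -> bool:
    """True if the author identity looks like Dependabot's."""
    return (c.author_name == DEPENDABOT_AUTHOR_NAME
            or c.author_email.endswith(DEPENDABOT_EMAIL_SUFFIX))


def suspicious(commits: list[Commit]) -> list[Commit]:
    """Commits that claim to be Dependabot but are not backed by a good signature."""
    return [c for c in commits
            if claims_dependabot(c) and c.sig_status not in GOOD_STATUSES]


def audit_repo(path: str = ".", rev_range: str = "HEAD",
               max_count: int = 500) -> list[Commit]:
    """Run git log on a real repository and return the suspicious commits."""
    out = subprocess.run(
        ["git", "-C", path, "log", f"--max-count={max_count}",
         f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return suspicious(parse_log(out))


# Constructed sample log output (not real commits): one genuine signed
# Dependabot commit, one forged author with no signature, one ordinary human
# commit, and one forged author whose signature fails to verify.
SAMPLE_LOG = "\n".join([
    "\0".join(["a1" * 20, "dependabot[bot]",
               "49699333+dependabot[bot]@users.noreply.github.com", "G"]),
    "\0".join(["b2" * 20, "dependabot[bot]",
               "49699333+dependabot[bot]@users.noreply.github.com", "N"]),
    "\0".join(["c3" * 20, "Alice Example", "alice@example.com", "N"]),
    "\0".join(["d4" * 20, "dependabot[bot]", "attacker@example.com", "B"]),
])


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for c in suspicious(parse_log(SAMPLE_LOG)):
        print(f"SUSPICIOUS {c.sha[:12]} {c.author_name} <{c.author_email}> "
              f"sig={c.sig_status}")
    # On a real checkout: for c in audit_repo("."): print(c)
```

Two caveats on the design. Treating `U` as good is deliberate: an imported GitHub key that has not been locally trust-signed verifies with unknown validity, which is still a real signature by that key; treating `E` as good would be wrong, since it only means the key was missing. And a local check like this is a detective control after the fact; requiring signed commits and pull-request review on protected branches stops the forged push from landing in the first place.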

This segment was created for the It’s 5:05 podcast