AI-powered bot hackerbot-claw exploited GitHub Actions workflows across Microsoft, DataDog, and CNCF projects over 7 days using 5 attack techniques. Bot achieved RCE in 5 of 7 targets, stole GitHub ...
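Analysts note that this move by OpenAI is undoubtedly a direct challenge to Microsoft, its largest investor: Microsoft is not only GitHub's parent company but also holds a large stake in OpenAI and provides it with critical Azure cloud computing resources. This behavior once again confirms OpenAI's highly aggressive expansion style; not long ago, after Anthropic explicitly refused to give the military unrestricted model access, OpenAI quickly stepped in and signed a military contract with the Pentagon.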
The Python Software Foundation team has invalidated all PyPI tokens stolen in the GhostAction supply chain attack in early September, confirming that the threat actors didn't abuse them to publish ...
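Author | Sergio De Simone. Translator | 明知山. GitHub recently launched a technical preview of Agentic Workflows. According to GitHub, this is a new approach that uses coding agents capable of understanding context and intent to automate complex, repetitive repository tasks. The technology enables workflows such as automatic issue triage and labeling, documentation updates, CI failure troubleshooting, test optimization, and report generation. We initially explored ...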
Multiple high-profile open-source projects, including those from Google, Microsoft, AWS, and Red Hat, were found to leak GitHub authentication tokens through GitHub Actions artifacts in CI/CD ...
Many open-source repositories contain privileged GitHub Actions workflows that execute untrusted code and can be triggered by attackers to expose credentials and access tokens, as MITRE and Splunk ...
Developers who mistype names and owners of GitHub Actions expose their repositories and accounts to malicious code execution, with significant software supply chain implications, researchers have ...