Skip to content

Category

Security

Security alert: new phishing campaign targets GitHub users

Security alert: new phishing campaign targets GitHub users

On September 16, GitHub Security learned that threat actors were targeting GitHub users with a phishing campaign by impersonating CircleCI to harvest user credentials and two-factor codes. While GitHub itself was not affected, the campaign has impacted many victim organizations.

Alexis Wales
5 tips for prioritizing Dependabot alerts

5 tips for prioritizing Dependabot alerts

Dependabot alerts can give you the ability to secure your project by keeping dependency-based vulnerabilities out of your code. Here are some tips to more efficiently prioritize and take action on your alerts, so you can get back to building.

Erin Havens
Dependabot now alerts for vulnerable GitHub Actions

Dependabot now alerts for vulnerable GitHub Actions

GitHub Actions gives teams access to powerful, native CI/CD capabilities right next to their code hosted in GitHub. Starting today, GitHub will send a Dependabot alert for vulnerable GitHub Actions, making it even easier to stay up to date and fix security vulnerabilities in your actions workflows.

Brittany O'Shea & Kate Catlin
Corrupting memory without memory corruption

Corrupting memory without memory corruption

In this post I’ll exploit CVE-2022-20186, a vulnerability in the Arm Mali GPU kernel driver and use it to gain arbitrary kernel memory access from an untrusted app on a Pixel 6. This then allows me to gain root and disable SELinux. This vulnerability highlights the strong primitives that an attacker may gain by exploiting errors in the memory management code of GPU drivers.

Man Yue Mo
The Chromium super (inline cache) type confusion

The Chromium super (inline cache) type confusion

In this post I'll exploit CVE-2022-1134, a type confusion in Chrome that I reported in March 2022, which allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site. I'll also look at some past vulnerabilities of this type and some implementation details of inline cache in V8, the JavaScript engine of Chrome.

Man Yue Mo