On June 15th, we announced that GitHub had added malware advisories to the GitHub Advisory Database and would send malware alerts through Dependabot. Since shipping this change, we have received feedback that some organizations have been impacted by Dependabot alerts from these malware advisories that may be false positives.
GitHub has conducted a rapid root cause investigation and found that the majority of the alerts in question were for substitution attacks. In this type of attack, an attacker publishes a package to the public registry with the same name as a dependency that users rely on from a third-party or private registry, in the hope that the malicious version will be consumed. Dependabot doesn’t look at project configuration to determine whether packages are coming from a private registry, so it has been triggering an alert for packages with the same name from the public npm registry. While this does mean that your package was the target of a substitution attack, it does not mean that there is an immediate action to be taken on your part, as the malware has already been removed from the npm registry.
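One way to triage such an alert is to check which registry the locked copy of the alerted package was actually fetched from, using the `resolved` field of npm's package-lock.json. This is an added example, not GitHub's code and not the script mentioned below; the package names, the internal registry host and the sample lockfile are constructed, and the list of public hosts is an assumption to adjust.

```javascript
// Hosts treated as the public npm registry (assumption: extend for any public mirror you use).
const PUBLIC_HOSTS = new Set(["registry.npmjs.org"]);
// Constructed sample: a parsed package-lock.json (v3 shape); names and internal host are hypothetical.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/acme-internal-utils": {
      resolved: "https://npm.internal.example/acme-internal-utils/-/acme-internal-utils-2.3.1.tgz",
    },
    "node_modules/example-public-dep": {
      resolved: "https://registry.npmjs.org/example-public-dep/-/example-public-dep-1.0.4.tgz",
    },
  },
};
// Map each package name to the set of hosts its locked copies were fetched from.
function resolvedHosts(lock) {
  const hosts = new Map();
  const record = (name, entry) => {
    if (!entry || typeof entry.resolved !== "string") return; // root project, links, bundled deps
    let host;
    try { host = new URL(entry.resolved).host; } catch { host = "unparseable"; }
    if (!hosts.has(name)) hosts.set(name, new Set());
    hosts.get(name).add(host);
  };
  // Lockfile v2/v3: keys are install paths such as "node_modules/a/node_modules/@scope/b".
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || path.split("node_modules/").pop();
    if (name) record(name, entry);
  }
  // Lockfile v1: nested "dependencies" objects keyed by package name.
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      record(name, entry);
      walk(entry.dependencies);
    }
  };
  walk(lock.dependencies);
  return hosts;
}
// Classify each alerted package name by where the lockfile says it came from.
function triageMalwareAlerts(lock, alertedNames) {
  const hosts = resolvedHosts(lock);
  return Object.fromEntries(alertedNames.map((name) => {
    const seen = [...(hosts.get(name) || [])].sort();
    const verdict = seen.length === 0 ? "not-in-lockfile"
      : seen.some((h) => PUBLIC_HOSTS.has(h)) ? "public-registry" : "non-public-source";
    return [name, { verdict, hosts: seen }];
  }));
}
```

A `non-public-source` verdict means the locked copy did not come from the public registry, so the alert matched on name only; `public-registry` means at least one locked copy did and the alert deserves a closer look.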
While we work to determine how best to notify customers that they have been the target of a substitution attack, we will be pausing all Dependabot notifications on malware advisories. For non-Enterprise-Server users, malware advisories will still exist in the Advisory Database and will still send alerts on npm audit. We are not making any changes to existing alerts on github.com at this time.
For GitHub Enterprise Server users, who were the most impacted, no new advisories will come through GitHub Connect. If you are struggling with too many alerts, please reach out to support and we can share a script for you to run that will delete all malware advisories and alerts.