51 matches found
dependabot-pip-mako-case-poc
Dependabot pip-updater: case-sensitive advisory name match Po...
TeamPCP Hijacks Bitwarden CLI, Uses Dependabot to Deploy Shai-Hulud Malware
GitGuardian uncovers TeamPCP attack on Bitwarden CLI, abusing GitHub Dependabot to spread Shai-Hulud and poison AI coding tools...
Securing the open source supply chain across GitHub
Over the past year, a new pattern has emerged in attacks on the open source supply chain. Attackers are focusing on exfiltrating secrets like API keys in order to both publish malicious packages from an attacker-controlled machine as well as gain access to more projects in order to propagate the...
Turn Dependabot Off
Dependabot is a noise machine. It makes you feel like you’re doing work, but you’re actually discouraging more useful work. This is especially true for security alerts in the Go ecosystem. I recommend turning it off and replacing it with a pair of scheduled GitHub Actions, one running govulncheck...
golang-cicd-poc
Golang CI/CD POC Project POC project for trying out different...
EUVD-2020-1442
Malware in sbrugna...
EUVD-2022-33584
Malicious code in bioql PyPI...
MAL-2025-46939 Malicious code in proto-dependabot-api (RubyGems)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 020a9f64907bc95144ea451f388a29465ae090673bbbcc3adcabe76b5862bf73 The OpenSSF Package Analysis project identified 'proto-dependabot-api' @ 1.1.3.r8cdd21224 rubygems as malicious. It is considered malicious...
MAL-2025-6158 Malicious code in dependabot-auto-triage (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4d0f3b4b8521203a882b46f61419d108cb731522a0a8c231bc89b22406803057 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-5769 Malicious code in dependabot-ruleset-runner (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bf6203024b7b15e14f8667f837a351ecd9b34c2298117e781b04de05af28cdc9 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Understand your software’s supply chain with GitHub’s dependency graph
What if you could spot the weakest link in your software supply chain before it breaks? With GitHub's dependency graph, you can. By providing a clear, complete view of the external packages your code depends on, both directly and indirectly, it allows you to understand, secure, and manage your...
CVE-2022-29220
github-action-merge-dependabot is an action that automatically approves and merges Dependabot pull requests (PRs). Prior to version 3.2.0, github-action-merge-dependabot does not check if a commit created by Dependabot is verified with the proper GPG key. There is just a check if the actor is set t...
MAL-2025-2038 Malicious code in dependabot-pull-request-action (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f89f292c4aeef9adcdb74b756e9f23059ca61f0327bfb78956c32e30c9bf3c7c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2020-26222
Dependabot is a set of packages for automated dependency management for Ruby, JavaScript, Python, PHP, Elixir, Rust, Java, .NET, Elm and Go. In Dependabot-Core from version 0.119.0.beta1 before version 0.125.1, there is a remote code execution vulnerability in dependabot-common and...
GHSA-VV6C-69R6-CHG9 Go-Landlock in best-effort mode did not restrict TCP bind and connect operations correctly
Impact When using the recommended "best-effort" mode, Go-Landlock did not restrict the TCP bind and connect operations any more when they were requested. This affects Go-Landlock users to whom both of the following conditions apply: They use Landlock rulesets that are supposed to restrict...
Fedora 39 : firmitas (2024-139cdfb1fc)
The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-139cdfb1fc advisory. Cryptography v42 is the new thing. Please follow the steps provided here https://github.com/fedora-infra/firmitas/blob/main/README.md for testing. References...