GitHub ‘Verified’ Commits Can Be Rewritten Into New Hashes Without Breaking Signatures
From the article
New research shows that a signed Git commit’s hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps “Verified.” Everything a …
Continue reading on thecybersecurity.newsYou might also wanna read
AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers
thecybersecurity.news·9h ago
New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware
thecybersecurity.news·11h ago
Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS
thecybersecurity.news·11h ago
New Ghost Phishing Wave Is Breaking Traditional Email Security
thecybersecurity.news·13h ago
SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users
thecybersecurity.news·13h ago
The Verification Step Is the New ATO Battleground in 2026
thecybersecurity.news·14h ago
Comments
Sign in to join the conversation.
No comments yet. Be the first.