惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Vercel News
Vercel News
The GitHub Blog
The GitHub Blog
博客园 - 【当耐特】
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Recent Announcements
Recent Announcements
D
Docker
GbyAI
GbyAI
酷 壳 – CoolShell
酷 壳 – CoolShell
WordPress大学
WordPress大学
The Cloudflare Blog
雷峰网
雷峰网
A
About on SuperTechFans
小众软件
小众软件
博客园 - Franky
博客园 - 聂微东
F
Full Disclosure
大猫的无限游戏
大猫的无限游戏
C
Check Point Blog
MongoDB | Blog
MongoDB | Blog
G
Google Developers Blog
Microsoft Azure Blog
Microsoft Azure Blog
U
Unit 42
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
V
V2EX
Engineering at Meta
Engineering at Meta
宝玉的分享
宝玉的分享
aimingoo的专栏
aimingoo的专栏
量子位
P
Proofpoint News Feed
Hugging Face - Blog
Hugging Face - Blog
博客园_首页
罗磊的独立博客
Martin Fowler
Martin Fowler
D
DataBreaches.Net
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
S
Secure Thoughts
Project Zero
Project Zero
L
LangChain Blog
阮一峰的网络日志
阮一峰的网络日志
C
Cybersecurity and Infrastructure Security Agency CISA
T
Tailwind CSS Blog
S
Schneier on Security
Blog — PlanetScale
Blog — PlanetScale
The Hacker News
The Hacker News
Spread Privacy
Spread Privacy
Security Latest
Security Latest
NISL@THU
NISL@THU
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
C
CXSECURITY Database RSS Feed - CXSecurity.com
J
Java Code Geeks

Aikido Security's Blog

Axios CVE-2026-40175: a critical bug that’s… not exploitable GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works npx Confusion: Packages That Forgot to Claim Their Own Name What Is Continuous Pentesting? Introducing Aikido Package Health: a Better Way to Trust Your Dependencies AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security Top 6 Graphite alternatives for AI code review in 2026 From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858) Top 14 VS Code Extensions for 2026 AI-Driven Pentesting of Coolify: Seven CVEs Identified Top Continuous Pentesting Tools in 2026 SAST vs SCA: Securing the Code You Write and the Code You Depend On JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack How Engineering and Security Teams Can Meet DORA’s Technical Requirements IDOR Vulnerabilities Explained: Why They Persist in Modern Applications Shai Hulud strikes again - The golden path MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson Top 10 Cyber Security Tools For 2026 SAST in the IDE is now free: Moving SAST to where development actually happens AI Pentesting in Action: A TL;DV Recap of Our Live Demo The Top 7 Threat Intelligence Tools in 2026 React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents Top 7 Cloud Security Vulnerabilities Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE Safe Chain now enforces a minimum package age before install Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised CORS Security: Beyond Basic Configuration Revolut Selects Aikido Security to Power Developer-First Software Security The Future of Pentesting Is Autonomous How Aikido and Deloitte are bringing developer-first security to enterprise Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials Invisible Unicode Malware Strikes OpenVSX, Again AI as a Power Tool: How Windsurf and Devin Are Changing Secure Coding Building Fast, Staying Secure: Supabase’s Approach to Secure-by-Default Development OWASP Top 10 2025: Official List, Changes, and What Developers Need to Know Top 10 JavaScript Security Vulnerabilities in Modern Web Apps The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties Top 7 Black Duck Alternatives in 2026 What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained AutoTriage and the Swiss Cheese Model of Security Noise Reduction Top Software Supply Chain Security Vulnerabilities Explained The Top 7 Kubernetes Security Tools Top 10 Web Application Security Vulnerabilities Every Team Should Know What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained
The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security
Charlie Eriksen · 2025-12-17 · via Aikido Security's Blog

Dear GitHub,

So, here's the thing; there's a security problem that's been an open secret for a while now. People talk about it in issue trackers. It comes up in security disclosures. It gets discussed in Slack threads that inevitably end with "...but we'd need GitHub to actually expose that data.

I'm bringing this to your attention because I'm tired of watching that conversation end the same way. The security community is only asking for visibility into data you already have. Without it, we're stuck. Package registries can't warn users. Security tools can't flag suspicious references. Attackers, meanwhile, understand this blind spot perfectly well. They're already exploiting it, just like Shai Hulud did.

We’re coming up to the holiday period. And I like to think I’ve been pretty good this year. My only wish is that you give us the tools to protect the ecosystem better. I hope that’s not too much to ask!

What’s the issue?

Package managers like your very own npm, along with third parties like Bun and PyPI, allow developers to install a GitHub repository directly as a dependency. Your own GitHub Actions relies on this same primitive.

npm install github:trusted-org/trusted-package#commit-sha

bun install github:trusted-org/trusted-package#commit-sha‍

pip install git+https://github.com/trusted-org/trusted-package#commit
- uses: trusted-org/trusted-package@commit-sha

Most people would look at this and think: "Where's the security issue? I'm literally specifying the exact repository."

Yeah. I thought the same thing.

But here's what happens: if that commit SHA exists in a fork of the repository, you'll pull code from the fork. Not the repository in your URL. The fork. What the hell?

Let that sink in for a second. I’ll wait…. The URL says trusted-org/trusted-package. But if an attacker forked that repo, added a malicious commit, and got you to reference that commit's SHA, you just installed their code. Not the code you thought. Not the repo you specified. Theirs.

Why does this happen?

This happens because of GitHub's "Fork Network."

Odds are you've never heard of it. Here's the deal: when you fork a repository, you don't get a fully independent copy. Your fork joins a network, sharing the underlying git object store with the original and every other fork. That's how GitHub handles scale. They're not storing a million copies of the same commits. Makes sense.

It's also why this attack works.

The commands above ultimately hit GitHub's "Download a repository archive (tar)" endpoint. The docs say this about the owner parameter:

The owner parameter is just the repository owner, doesn't guarantee it is code from that repository itself

There are no guarantees the code belongs to the repository directly, or warnings about it potentially pulling from a fork. Honestly? Given the architecture, this behavior makes sense. The commit exists in the shared graph. GitHub serves it. That's not wrong.

What is a problem is that this creates ambiguity that nobody else can see through. You ask for trusted-org. You get code from attacker. GitHub fulfilled your request. You just didn't get what you thought you were asking for. And no tool outside of GitHub can tell the difference.

The asymmetry 

Look, we genuinely appreciated it when you added that warning banner on GitHub.com. Seeing a warning for commits like these? That's useful. It shows you know this is a problem worth surfacing.

But here's the thing: package managers don't look at your website. They call your API. And the API gives them zero indication that anything unusual is going on. No flag, no metadata, nothing documented. So npm can't warn users. PyPI can't warn users. Bun can't warn users. The information exists. You're already surfacing it on the frontend. But the ecosystem can't access it.

Why not?

Time to get strict

Remember that "Download a repository archive (tar)" endpoint we talked about? Right now, it's the weakest link. But it's also the obvious place to fix this.

Here's one idea: add a strict parameter. When it's set, the request fails if the commit only exists in a fork, not in the actual repository specified. Package managers opt in, everyone else keeps the current behavior, nothing breaks.

You're already doing this check on the frontend for that warning banner. Just give the API the same capability. Of course, it’d be ideal if you could expose more fork network information in your API in general, but this at least solves the most blatant problem.

Happy holidays!

I’m not writing this as a complaint. I’m writing because we’re all aligned on wanting a secure and dependable ecosystem. You’ve already acknowledged the issue by surfacing the warning on GitHub.com. Now it would make a world of difference to expose that same signal through the API so the ecosystem can act on it.

A small improvement on your end would enable a significant improvement across the ecosystem at large. Isn’t that the best type of improvement? 

And since it is the holiday season, I want to share something I’ve been hearing behind the scenes. In the past few weeks, I’ve spoken with some of the bigger actors in the ecosystem, and there’s a quiet, shared worry that something might go wrong while everyone’s trying to take time off to spend time with their loved ones. Fixing this one issue won’t eliminate that risk, of course, but the concern is real and widely felt.

Happy holidays, GitHub. Here’s to a calm end of the year.