GitHub announced on Thursday that it will enable secret scan push protection by default for all pushes to public repositories.
“This means that when a supported secret is detected in any push to a public repository, you will have the option to remove the secret from your commits or, if you believe the secret is safe, bypass the lock,” said Eric Tooley and Courtney Claessens .
Push Protection was first tested as an opt-in feature in August 2023, although it has been in testing since April 2022. It became generally available in May 2023.
The secret scan feature is designed to identify over 200 token types and models from over 180 service providers to prevent fraudulent use by bad actors.
The development comes nearly five months after the Microsoft subsidiary expanded covert scanning to include validity checks for popular services such as Amazon Web Services (AWS), Microsoft, Google and Slack.
It also follows the discovery of an ongoing “repo confusion” attack against GitHub that is flooding the source code hosting platform with thousands of repositories containing obfuscated malware capable of stealing passwords and cryptocurrency from developers’ devices.
The attacks represent another wave of the same malware distribution campaign revealed by Phylum and Trend Micro last year, leveraging fake Python packages hosted on cloned and Trojanized repositories to deliver a rogue malware called BlackCap Grabber.
“Repo confusion attacks simply rely on humans mistakenly choosing the malicious version over the real one, sometimes even employing social engineering techniques,” Apiiro said in a report this week.