According to a new report from Deep Specter Research, investigators identified 516 malicious packages remaining active across software ecosystems like npm, PyPI, and RubyGems. The report links the activity to the “Shai-Hulud” worm, a self-replicating malware campaign targeting software developers, and states that more than 3,000 GitHub repositories and over 200 developer accounts were compromised.
A central dispute in the report concerns how attackers exploit Git's trust model. Git lets the client set a commit's author name, e-mail address, and timestamps with no verification, so Deep Specter argues that Shai-Hulud operators backdate malicious code and impersonate trusted developers, making the changes draw less scrutiny during code review.
GitHub, however, did not classify the reports as security vulnerabilities. Because commit attribution is set by the Git client rather than by the platform, GitHub treats the behavior as working as designed. The platform relies on developers enabling GPG or SSH commit signing to prove authorship; without a signature, nothing in a commit ties its author field to the account that actually pushed it. Deep Specter notes that many of the impersonated developers had not enabled signing.
The disagreement highlights a recurring challenge in software security: the gap between a technical vulnerability in a platform and the abuse of the trust mechanisms that platform exposes.
According to the researchers, neither backdating nor author impersonation lets an attacker compromise GitHub's infrastructure directly. The concern is how developers review code and judge whether a change is legitimate.
Deep Specter has argued that these characteristics become security-relevant when combined with compromised accounts, malware distribution campaigns, and supply-chain attacks.
GitHub reportedly pointed researchers toward existing protections including GPG signing, SSH signing, and Vigilant Mode, which marks any unsigned commit attributed to an account as Unverified. All three give reviewers a way to check commit authenticity. Researchers noted that several developers whose identities were allegedly impersonated during Shai-Hulud-related activity had not enabled those protections.
Researchers also highlighted GitHub’s Events API, which records the account responsible for pushing a commit.
According to Deep Specter, that information is hard for reviewers to reach from a standard commit page, and it eventually drops out of public visibility; GitHub's API documentation states that the events feed only includes events from the past 90 days. Researchers suggested that surfacing the pushing account more prominently would help investigators identify suspicious activity.
GitHub reportedly classified the suggestion as a feature request rather than a security issue.
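The cross-check described above, as an added example in Python (it is not part of Deep Specter's report or of GitHub's tooling): it takes the author fields and signature status that `git log --format` can emit, together with PushEvent records in the shape the Events API returns, and flags commits whose claimed author is unsigned, whose author date is far earlier than the committer date, or which were pushed by a different account than the one the author field implies. The maintainer allow-list, the sample commits and the sample events are all constructed for this example; the 90-day note reflects GitHub's documented retention for the public events feed.

```python
"""Commit-attribution triage (added example; constructed data, not live output).

Git lets the client set author name, e-mail and both timestamps, so none of
those fields proves who wrote a commit. Two things can be checked instead: the
signature status git records (%G?) and who GitHub says pushed it (PushEvent).
"""
from dataclasses import dataclass

# %G? codes: G good, N none, B bad, U good/untrusted key, X/Y/R expired or revoked, E cannot check.
GOOD_SIGNATURE = "G"

# Hypothetical allow-list: author e-mail -> GitHub login of the real owner (from your IdP, not the repo).
TRUSTED_AUTHORS = {"alice@example.org": "alice", "bob@example.org": "bob"}

# Author date older than committer date by more than this is treated as backdating (rebases make gaps; tune it).
MAX_BACKDATE_SECONDS = 7 * 24 * 3600


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    author_ts: int     # %at: author timestamp, client-supplied
    committer_ts: int  # %ct: committer timestamp, also client-supplied
    sig_status: str    # %G?


def parse_git_log(text: str) -> list[Commit]:
    """Parse `git log --format='%H%x09%an%x09%ae%x09%at%x09%ct%x09%G?'` output."""
    commits = []
    for line in text.strip().splitlines():
        sha, an, ae, at, ct, sig = line.split("\t")
        commits.append(Commit(sha, an, ae, int(at), int(ct), sig))
    return commits


def pushers_by_sha(events: list[dict]) -> dict[str, str]:
    """Map commit SHA -> login that pushed it, using only PushEvent records."""
    out = {}
    for ev in events:
        if ev.get("type") == "PushEvent":
            for c in ev["payload"]["commits"]:
                out[c["sha"]] = ev["actor"]["login"]
    return out


def triage(commits: list[Commit], pushers: dict[str, str]) -> dict[str, list[str]]:
    """Return {sha: [reasons]} for commits whose attribution does not hold up."""
    findings = {}
    for c in commits:
        reasons = []
        owner = TRUSTED_AUTHORS.get(c.author_email)
        if owner and c.sig_status != GOOD_SIGNATURE:
            reasons.append("unsigned commit attributed to trusted author")
        if c.committer_ts - c.author_ts > MAX_BACKDATE_SECONDS:
            reasons.append("author date far earlier than committer date (possible backdating)")
        pusher = pushers.get(c.sha)
        if pusher is None:
            reasons.append("no PushEvent in retained window; pusher unknown")
        elif owner and pusher != owner:
            reasons.append(f"pushed by {pusher!r}, not by claimed author {owner!r}")
        if reasons:
            findings[c.sha] = reasons
    return findings


# Constructed sample. Row two is what an attacker produces with
#   GIT_AUTHOR_DATE=<90 days ago> git commit --author='Alice Example <alice@example.org>' ...
SAMPLE_GIT_LOG = "\n".join("\t".join(r) for r in [
    ("a" * 40, "Alice Example", "alice@example.org", "1718496000", "1718496000", "G"),
    ("b" * 40, "Alice Example", "alice@example.org", "1710720000", "1718496000", "N"),
    ("c" * 40, "Random Contributor", "random@example.net", "1718490000", "1718496000", "N"),
    ("d" * 40, "Bob Example", "bob@example.org", "1718400000", "1718496000", "G"),
])

# Constructed PushEvent records shaped like GET /users/{user}/events/public. No event
# exists for the fourth commit: GitHub only serves the last 90 days of events.
SAMPLE_EVENTS = [
    {"type": "PushEvent", "actor": {"login": "alice"},
     "payload": {"commits": [{"sha": "a" * 40}]}},
    {"type": "PushEvent", "actor": {"login": "mallory"},
     "payload": {"commits": [{"sha": "b" * 40}]}},
    {"type": "PushEvent", "actor": {"login": "random-contributor"},
     "payload": {"commits": [{"sha": "c" * 40}]}},
    {"type": "WatchEvent", "actor": {"login": "someone"}, "payload": {}},
]


def run_example() -> dict[str, list[str]]:
    return triage(parse_git_log(SAMPLE_GIT_LOG), pushers_by_sha(SAMPLE_EVENTS))


if __name__ == "__main__":
    for sha, reasons in run_example().items():
        print(sha[:12], "->", "; ".join(reasons))
```

In the sample, the commit that claims Alice's identity is unsigned, backdated by roughly 90 days, and pushed by a different account, so it collects three findings; the unsigned commit from an unknown contributor is left alone because it claims no trusted identity; and Bob's signed commit is flagged only because its push has already aged out of the events feed, which is the visibility problem Deep Specter raised.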
The dispute arrives amid continued concern over software supply-chain attacks targeting open-source ecosystems.
According to Deep Specter, approximately 1,729 repositories allegedly used to store stolen credentials remained publicly accessible as of June 16. Researchers also reported identifying 151 repositories that were still serving active malicious payloads at the time of their analysis.
Security researchers continue to urge organizations to enforce multifactor authentication, enable commit signing, review package dependencies carefully, monitor CI/CD environments, and rotate credentials if compromise is suspected.
According to the researchers, neither GitHub nor Microsoft responded to requests for comment regarding the findings.