Sept. 27, 2023, 12:05 p.m. | MalBot

Malware Analysis, News and Indicators - Latest topics malware.news


What Happened? 



  • In July 2023, our scanners detected atypical commits to hundreds of GitHub repositories that appeared to be contributed by Dependabot and carried malicious code.

  • Those commit messages were fabricated by threat actors to appear as automated Dependabot contributions in the commit history, in an attempt to disguise the malicious activity.

  • After reaching out to and talking with some of the victims who were compromised, we can confirm that the victims’ GitHub personal access token was stolen and used by the …
