GitHub issues final report on supply-chain source code intrusions

Early in April 2022, news broke that various users of Microsoft’s GitHub platform had suffered unauthorized access to their private source code.

GitHub has now updated its incident report to say that it is “in the process of sending the final expected notifications to customers who had either the Heroku or Travis-CI OAuth app integrations authorized in their GitHub accounts.”

The good news is that GitHub itself was not breached, so this is not cause for general concern for every GitHub user.

The bad news is that indirect intrusions of this sort are hard to predict.

GitHub, if you’ve never used it, is a cloud-based source code control system, best known for hosting the public repositories of many open source software projects.

Source code control systems don’t just ensure that the latest version of your software is available for download, but also maintain a continuous history of all recent changes and why they were made (and, if necessary, why they were later rejected).

Source control systems typically also provide historical lists of official releases, tools for supporting and maintaining different release versions alongside each other, and online forums for reporting bugs and suggesting changes.

You’ve probably heard the jargon term pull request, which refers to a proposed change for which a contributor supplies a potential code update, along with a justification for it. To the suggester, of course, it’s essentially a push request, aiming to inject new code into the system; if approved by the project team, the code gets pulled, or merged, into the codebase and becomes an official part of the project.

Source code control gives software projects a formal record of changes, which makes hunting down new bugs much easier because each change can be reviewed and re-tested individually.

It also makes it easier for developers scattered around the world to co-operate efficiently without inadvertently trampling on each other’s suggested updates.

Examples of popular open source projects hosted on GitHub include the cryptographic library OpenSSL, Microsoft’s own scripting language PowerShell, and the privacy-centric alternative browser Brave.

But not all GitHub projects are public, open-source repositories of code.

Many organizations use cloud-based tools like GitHub to host proprietary, closed-source projects that they don’t want to become public knowledge.

Startups, for instance, may not want potential competitors to know that they’re working on project X, or even that they’re experimenting in field Y at all.

Established software companies may have existing products that include algorithms and other intellectual property that they don’t want competitors to be able to clone easily.