Close Menu
  • Home
  • Cybercrime and Ransomware
  • Emerging Tech
  • Threat Intelligence
  • Expert Insights
  • Careers and Learning
  • Compliance

Subscribe to Updates

Subscribe to our newsletter and never miss our latest news

Subscribe my Newsletter for New Posts & tips Let's stay updated!

What's Hot

Unveiling Mycelium: The First-Ever AI-Powered Know Botnet

July 8, 2026

Hackers Exploit Roundcube Flaws to Steal Credentials and Deploy VShell

July 8, 2026

Urgent: ColdFusion Path Traversal Exploited in Attacks

July 8, 2026
Facebook X (Twitter) Instagram
The CISO Brief
  • Home
  • Cybercrime and Ransomware
  • Emerging Tech
  • Threat Intelligence
  • Expert Insights
  • Careers and Learning
  • Compliance
Home » GitHub commit signatures bypassed via hash rewriting techniques
Most Read

GitHub commit signatures bypassed via hash rewriting techniques

Staff WriterBy Staff WriterJuly 8, 2026No Comments2 Mins Read0 Views
Facebook Twitter Pinterest LinkedIn Tumblr Email
Share
Facebook Twitter LinkedIn Pinterest WhatsApp Email

Fast Facts

  1. Attackers can create multiple valid, signed commits with different hashes, allowing them to bypass blocklists and provenance checks that rely solely on commit hashes.
  2. GitHub’s acceptance of signature malleability enables malicious commits to appear "Verified" despite altered signatures, undermining trust in commit authenticity.
  3. Existing systems that only verify commit hashes are vulnerable; they can be exploited by re-encoding signatures without invalidating the commit content, posing risks to software integrity and security.

Threat Overview, Attack Techniques, and Targets

Recent research reveals that committed signatures on GitHub can be manipulated. Attackers can create a new commit with the same files, author, and date, but a different hash that still appears verified. This is possible because the commit’s signature can be altered without changing the actual content. The main technique involves signature malleability, where signature bytes are rewritten, and the commit’s hash remains valid under verification. The routes include altering ECDSA, RSA, and S/MIME signatures. For example, flipping the s value in ECDSA or adding ignored fields in RSA. Additionally, rewriting length fields in S/MIME signatures can produce valid but different signatures. Targets are repositories with signed commits marked as verified by GitHub. The flaw affects systems that rely solely on commit hashes for verification and provenance tracking.

Impact, Security Implications, and Remediation Guidance

This vulnerability allows attackers to replace verified commits with malicious but valid copies, which can bypass blocklists, provenance logs, and other security checks based on commit hashes. There is no evidence that this affects the cryptographic strength of SHA-1 or SHA-256 itself. Instead, it exploits the way signatures are verified without normalization. The primary implication is that “Verified” labels on GitHub does not guarantee the integrity of the commit’s signature or its unique identity.

As a result, trust in verified commits can be undermined. To mitigate risks, developers should pin exact commit hashes instead of using tags. The fix must come from the forge side by canonicalizing signatures before trusting them. Users should verify signatures before trusting them, especially in critical workflows. For systems that depend heavily on commit hashes for provenance, additional safeguards are recommended. Since no official vendor advisories exist yet, it is advised to consult security experts or the software provider for specific remediation steps.

Stay Ahead with the Latest Tech Trends

Stay informed on the revolutionary breakthroughs in Quantum Computing research.

Stay inspired by the vast knowledge available on Wikipedia.

ThreatIntel-V1

CISO Insights cyber attack cyber risk Cybersecurity MX1 risk management Threat Management vulnerability management
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleChalubo or Not? My Threat Feed Had the Last Word
Next Article Urgent: ColdFusion Path Traversal Exploited in Attacks
Avatar photo
Staff Writer
  • Website

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Unveiling Mycelium: The First-Ever AI-Powered Know Botnet

July 8, 2026

Hackers Exploit Roundcube Flaws to Steal Credentials and Deploy VShell

July 8, 2026

Urgent: ColdFusion Path Traversal Exploited in Attacks

July 8, 2026

Comments are closed.

Latest Posts

Unveiling Mycelium: The First-Ever AI-Powered Know Botnet

July 8, 2026

Hackers Exploit Roundcube Flaws to Steal Credentials and Deploy VShell

July 8, 2026

Urgent: ColdFusion Path Traversal Exploited in Attacks

July 8, 2026

Chalubo or Not? My Threat Feed Had the Last Word

July 8, 2026
Don't Miss

Unveiling Mycelium: The First-Ever AI-Powered Know Botnet

By Staff WriterJuly 8, 2026

Essential Insights The Mycelium framework is a unique botnet marketed as an AI-as-a-Service platform, turning…

Hackers Exploit Roundcube Flaws to Steal Credentials and Deploy VShell

July 8, 2026

Urgent: ColdFusion Path Traversal Exploited in Attacks

July 8, 2026

Subscribe to Updates

Subscribe to our newsletter and never miss our latest news

Subscribe my Newsletter for New Posts & tips Let's stay updated!

Recent Posts

  • Unveiling Mycelium: The First-Ever AI-Powered Know Botnet
  • Hackers Exploit Roundcube Flaws to Steal Credentials and Deploy VShell
  • Urgent: ColdFusion Path Traversal Exploited in Attacks
  • GitHub commit signatures bypassed via hash rewriting techniques
  • Chalubo or Not? My Threat Feed Had the Last Word
About Us
About Us

Welcome to The CISO Brief, your trusted source for the latest news, expert insights, and developments in the cybersecurity world.

In today’s rapidly evolving digital landscape, staying informed about cyber threats, innovations, and industry trends is critical for professionals and organizations alike. At The CISO Brief, we are committed to providing timely, accurate, and insightful content that helps security leaders navigate the complexities of cybersecurity.

Facebook X (Twitter) Pinterest YouTube WhatsApp
Our Picks

Unveiling Mycelium: The First-Ever AI-Powered Know Botnet

July 8, 2026

Hackers Exploit Roundcube Flaws to Steal Credentials and Deploy VShell

July 8, 2026

Urgent: ColdFusion Path Traversal Exploited in Attacks

July 8, 2026
Most Popular

Protecting MCP Security: Defeating Prompt Injection & Tool Poisoning

January 30, 202634 Views

Unlock the Power of Free WormGPT: Harnessing DeepSeek, Gemini, and Kimi-K2 AI Models

November 27, 202530 Views

The New Face of DDoS is Impacted by AI

August 4, 202528 Views

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025

Categories

  • Compliance
  • Cyber Updates
  • Cybercrime and Ransomware
  • Editor's pick
  • Emerging Tech
  • Events
  • Featured
  • Insights
  • Most Read
  • Threat Intelligence
  • Uncategorized
© 2026 thecisobrief. Designed by thecisobrief.
  • Home
  • About Us
  • Advertise with Us
  • Contact Us
  • DMCA
  • Privacy Policy
  • Terms & Conditions

Type above and press Enter to search. Press Esc to cancel.