Hello and welcome to the Thursday, May 21st, 2006 edition of the Sands Internet Storms Centers Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu credit certificate program in cyber defense

operations.

Well, today can't help it, but to continue to talk about supply chain issues.

And first one here is a breach of GitHub.

I usually don't talk about breaches, as I mentioned before, but this has sort of an important impact to, of course, everybody using GitHub.

And, well, that's pretty much everybody probably listening to this podcast.

Even if you're not personally a user of GitHub, pretty much large percentage.

I have no idea what percentage, but it's very large of open source software

is maintained via GitHub. Now, while these, of course, are often public GitHub repositories,

any modifications, of course, these repositories would be devastating. At this point,

there is no indication that anything other than GitHub's own internal repositories leaked,

they're talking about something like 3,800 different repositories, which sounds about right for a company the size of GitHub.

Of course, the second question is, what leaked with all of those repositories?

What kind of secrets?

What kind of source code?

What kind of, you know, maybe issues talking about bugs and security vulnerabilities have leaked here?

GitHub promised more details as the investigation evolves.

But at this point, it appears that the root cause was, well,

an individual developer using a malicious Visual Studio Code extension.

And Nostig, a company that focuses on securing Agendic AI, has open-sourced their own database

...